Researchers at Kaspersky Lab have recently identified and analyzed what is considered the first banking Trojan designed to steal money from Israeli banks.
Dubbed ATMZombie, the malware leverages insidious injection and other sophisticated and stealthy methods, including a proxy-changing technique and an SMS transaction feature. The Trojan’s operators are using a loophole in one of the bank’s online features and then physically withdrawing money from the ATM with the help of money mules, who are called zombies and are believed to have little knowledge of how the attack works.
The method of using a “proxy-changer” for stealing credentials involves modifying browser proxy configurations and capturing traffic between a client and a server. Furthermore, Kaspersky researchers discovered that the ATMZombie incidents featured similarities with Tochechnyj Banker, a Trojan observed attacking PSB-retail customers not long ago.
Kaspersky Lab’s Ido Naor explains in a blog post that the threat actor(s) behind the malware has been very active in banking malware campaigns, registering domains for various other Trojans as well, though none have used the ATMZombie modus operandi. A piece of malware that does, however, is the Retefe Banking Trojan, which was discovered in August 2015 and includes the Smoke Loader backdoor, in addition to ATMZombie’s capabilities.
Once it has been dropped on the victim’s machine, the malware unpacks itself and stores certificates in common browsers (Opera, Firefox), while also modifying their configurations to enable a Man-In-The-Middle attack. The Trojan also removes all proxies other than those it uses, and changes cache permissions to read-only.
Next, it modifies registry entries with Base64-encoded strings that contain a path to the auto-configuration content and installs its own signed certificate as a trusted root so it can intercept HTTPS traffic and steal the victim’s credentials. As soon as the victim logs into their bank account, the malware steals the credentials, logs in under their name, and sends money to the ATMZombie by exploiting the SMS feature.
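The proxy-changer described above leaves a concrete trace on the endpoint: a proxy auto-configuration (PAC) setting whose content is embedded inline as Base64 rather than pointing at a corporate PAC file. The following check is an added example, not Kaspersky's or the malware's code; the registry value name AutoConfigURL and the Firefox pref network.proxy.autoconfig_url are real setting names, while the hosts, proxy address and PAC body are constructed test data.

```python
import base64
import re

# Constructed sample of browser proxy settings, as an endpoint inventory export
# might list them. The registry path and Firefox pref name are real; the hosts,
# proxy IP and PAC script body are made-up test data, not ATMZombie artifacts.
SAMPLE_SETTINGS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL":
        "data:text/javascript;base64," + base64.b64encode(
            b'function FindProxyForURL(url, host) {'
            b'  if (dnsDomainIs(host, "bank.example") || shExpMatch(host, "*.bank.example"))'
            b'    return "PROXY 203.0.113.10:8080";'
            b'  return "DIRECT"; }').decode(),
    "firefox:network.proxy.autoconfig_url": "http://proxy.corp.example/corp.pac",
}

DATA_URI = re.compile(r"^data:[^,]*;base64,(?P<b64>.+)$", re.I)
HOST_TESTS = re.compile(r'(?:dnsDomainIs|shExpMatch)\(\s*host\s*,\s*"([^"]+)"')
PROXY_TARGETS = re.compile(r'"PROXY\s+([^";]+)')

def inspect_pac_setting(value):
    """Decode an inline (data: URI, Base64) PAC script and pull out the hosts it
    diverts and the proxies it diverts them to. Returns None for a plain URL."""
    m = DATA_URI.match(value.strip())
    if not m:
        return None
    pac = base64.b64decode(m.group("b64"), validate=True).decode("utf-8", "replace")
    return {
        "diverted_hosts": sorted(set(HOST_TESTS.findall(pac))),
        "proxies": sorted(set(PROXY_TARGETS.findall(pac))),
    }

def scan_proxy_settings(settings):
    """Return one finding per setting that carries an inline PAC script. A plain
    http(s) URL to a PAC file is not flagged here; compare it to an allow-list."""
    findings = []
    for source, value in settings.items():
        info = inspect_pac_setting(value)
        if info is not None:
            findings.append({"source": source, **info})
    return findings

if __name__ == "__main__":
    for f in scan_proxy_settings(SAMPLE_SETTINGS):
        print(f"{f['source']}: diverts {f['diverted_hosts']} via {f['proxies']}")
```

On a real host the same logic applies to the exported values of the Internet Settings key and the Firefox prefs.js, and any PAC that routes only banking domains through an unfamiliar proxy is worth an incident ticket.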
According to researchers, the malware was found targeting clients of a specific Israeli bank, with victims being lured into downloading the Trojan specifically because they were clients of Israeli banks. Researchers suggest that either the attackers had very good intelligence-gathering techniques, or they took advantage of an insider who could provide them with the list of clients.
After stealing the victim’s credentials, the attackers manually log into the hijacked account and submit a wire transfer to the money mule. The actors behind the Trojan issue a money transfer to the money mule’s cell phone number and Israeli Personally Identifiable Information (PII); the money mule then forwards the money to the attacker in exchange for a small cut of it.
By using this technique, attackers managed to remain anonymous for a long time, while supervising their campaign remotely.
The SMS transaction feature offered by banks is widely used by people to send money to friends or family who have no credit card. The owner of the phone is provided with information such as Date, Israeli ID, Name and Amount, as well as with an SMS message that authorizes the cash withdrawal.
Kaspersky Lab notes that hundreds of people are believed to have fallen victim to ATMZombie attacks, but that the banks have since stopped the attacks and compensated victims. The actors behind the campaign supposedly managed to steal hundreds of thousands of dollars in a short period of time, with the highest amount stolen from a single account being $750.
Banking Trojans represented one of the predominant threats last year and are expected to continue doing so in 2016, especially with Dridex gaining new capabilities and with the source code of GM Bot leaking online. However, while the Gozi Trojan recently started targeting the Edge browser in Windows 10, the Dyre botnet went quiet in November 2015.