SecurityWeek

Ostap Backdoor Installs Banking Trojans, PoS Malware

A newly documented backdoor is being used by a threat group to install well-known banking Trojans, along with a point-of-sale (POS) malware dropper, Proofpoint security researchers warn.

Dubbed Ostap, the threat is a JScript backdoor that security researchers have associated with a Delphi dropper called MrWhite, which is used to check infected systems for POS malware and download some if none is found. The actors behind the duo, researchers say, make use of banking Trojans such as Dridex, Ursnif, and Tinba, as well as the POS threat known as AbaddonPOS (and the TinyLoader loader).

The adversary was observed focusing on financial services in countries such as Germany, Austria, and the United Kingdom, but targeting other verticals and countries as well. For distribution, the group used spam emails with malicious Microsoft Word documents attached to them, Proofpoint says.

The distribution campaigns associated with this actor weren’t too large, ranging from only a few targeted messages to several thousand broadly distributed emails. The observed messages were written in German and English, depending on where the intended victims were located.

The backdoor remains active on the infected computer after the malicious document has been closed, writes a copy of itself to the current user’s Startup folder for persistence, and also sends the computer name to the C&C server. Moreover, it can receive and run an executable payload or a script file (with “certutil”) from the C&C.

Typically, the malware is used to download an executable from the server, and that payload is either a banking Trojan (the Dridex botnet ID 3302 to target UK and French organizations, Ursnif ID 1068 to target Poland, or Tinba to target German and Austrian organizations), or the MrWhite malware. The backdoor’s operators, researchers say, rotate the payloads on a daily basis.

Written in Delphi, MrWhite was designed to compare the running process names on the infected machine against a hardcoded list. As soon as it finds a process of interest, it sends the entire process list to the C&C server, and then drops TinyLoader onto the machine.

First, MrWhite sleeps for 120 seconds, after which it combines the hardcoded list of processes into a single string and reverses it. Next, a specific string is reversed (from ‘VSC OF/ tsilksat’ to ‘tasklist /FO CSV’) and the resulting command is executed to produce a list of running processes in comma-separated format, which is then searched for the processes of interest. If one is found, the list is sent to the C&C over HTTPS.
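Storing a command string reversed, as MrWhite does with ‘VSC OF/ tsilksat’, defeats naive keyword matching on the sample. The script below is an added example for analysts, not code from the article or from Proofpoint: it scans a blob of sample content for the reversed form of a small watchlist of commonly abused command strings and reports where each occurs. Only the ‘tasklist /FO CSV’ entry comes from the article; the other watchlist entries and the constructed sample text are assumptions made for this example.

```python
import re

# Command strings that droppers sometimes store reversed to evade string
# matching. 'tasklist /FO CSV' is the one documented for MrWhite; the other
# entries are assumptions added for this example.
WATCHLIST = [
    "tasklist /FO CSV",
    "certutil",
    "cmd.exe /c",
]

# Constructed sample resembling a script that carries reversed strings.
SAMPLE = (
    "var a = 'VSC OF/ tsilksat';\n"   # reversed 'tasklist /FO CSV'
    "var b = 'litutrec';\n"           # reversed 'certutil'
    "var c = 'hello world';\n"        # benign filler
)


def reversed_string_hits(sample: str, watchlist=WATCHLIST) -> list:
    """Return one hit per occurrence of a watchlisted command stored reversed.

    Matching is case-insensitive because Windows command shells are; each hit
    records the recovered command, its byte offset and the reversed text as it
    appears in the sample, so the analyst can confirm the match in context.
    """
    hits = []
    lowered = sample.lower()
    for cmd in watchlist:
        needle = cmd[::-1].lower()          # the obfuscated form to look for
        for m in re.finditer(re.escape(needle), lowered):
            hits.append({
                "command": cmd,
                "offset": m.start(),
                "reversed": sample[m.start():m.end()],
            })
    return hits


def main() -> None:
    for hit in reversed_string_hits(SAMPLE):
        print(f"offset {hit['offset']:>5}: {hit['reversed']!r} "
              f"-> {hit['command']!r}")


if __name__ == "__main__":
    main()
```

Short needles give more incidental matches, so a watchlist built from full command lines (tool name plus arguments, as in the tasklist example) is far less noisy than one built from bare tool names; treat single-word entries such as ‘certutil’ as hints to be confirmed by hand rather than as verdicts.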

“Three of the MrWhite samples analyzed for this research dropped and executed an embedded TinyLoader immediately after sending the tasklist to the C&C. All of these samples dropped exactly the same instance of TinyLoader; however a different filename was used in each: ‘000.exe’, ‘001.exe’, and ‘5678987654.exe’,” Proofpoint researchers say.

Although TinyLoader wasn’t observed receiving any commands to download additional payloads, the malware was previously associated with AbaddonPOS, and a recent AbaddonPOS payload was found to communicate with the same IP address as the TinyLoader dropped by MrWhite. The AbaddonPOS malware searches for credit card data on the infected machine and then exfiltrates the data to the C&C, encoding it using previously analyzed encoding techniques. However, the second XOR key used by this instance is the same as the IP address.

“Threat actors are constantly exploring new approaches to delivering and monetizing malware. In this case, a new group is using an undocumented backdoor and a new loader to deliver familiar banking Trojans and POS malware. By introducing new malware variants, both of which drop payloads that are often caught by existing defenses, the actor group makes detection more difficult and makes it easier to swap out final payloads,” Proofpoint says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
