The attackers are sending out highly professional-looking emails in the name of several large telecommunications providers and German banks: the reputation of Deutsche Telekom and Vodafone, as well as that of Volksbank/Fiducia and Sparkasse, is currently being misused for these waves of spam. The attackers want to plunder the bank accounts of unsuspecting customers using the Swatbanker banking Trojan.
In Telekom's first public reports on this wave of spam, the malware in question was assumed to be a Bitcoin miner. This assumption has since been corrected with the statement that it is a Trojan horse "the effects of which are as yet unknown".
However, the procedure used in this case reminded the experts at G DATA SecurityLabs of a similar case from January 2014: Cridex banking Trojan on the rise. Back then, too, renowned telecommunications companies and banks were used as bait, and the procedure was very similar. The malware used is also extremely similar to that of the earlier case. While the Cridex banking Trojan was distributed back then, the current malware has been identified as its successor and named Swatbanker.
Compared to other banking Trojans, Swatbanker gained notoriety within a very short space of time. Here's an overview of the attacks that BankGuard detected in the month of May:
The binary files differ so greatly that it must be assumed that the malware itself was programmed from scratch. However, there are some obvious similarities in the protocol. Both variants use the same scheme for sending stolen data to a server controlled by the attackers, the so-called drop zone:
All of this data is sent over HTTP. First, a SHA1 checksum of the plaintext data is calculated (Hash). The stolen plaintext is then encrypted symmetrically with a key that the software generates anew and at random for every transmission (EncryptedBuffer); RC4 is the encryption algorithm. The RC4 key is in turn encrypted asymmetrically with the public key from an X.509 certificate that is also supplied (ExportSymkey). Since only the attackers hold the corresponding private key, nobody else can decrypt the data, even if it is intercepted in transit.
The similarity of the two strains of malware manifests itself not only in the protocol but also in the internal data structure for preparing the encrypted sending of data:
Both variants first have to initialise the Windows cryptographic programming interfaces before they can carry out the encryption process described above. These interfaces return handles, which represent the initialised state and are stored in the same order by both variants (H_CryptProv, H_Pubkey, H_Hash, H_Symkey).
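To make the scheme concrete, here is an added Python model of the drop-zone message described above (this is not G DATA's code and not the malware's code). It follows the same initialisation order as the four handles (provider, public key, hash, symmetric key), computes SHA1 over the plaintext, encrypts it with a fresh random RC4 key, and wraps that key with a public key. Two things are assumptions rather than facts from the post: the exact serialisation of the three fields (hex strings in an HTTP form body), and the toy textbook RSA key pair built from two Mersenne primes, which stands in for the public key of the attackers' X.509 certificate.

```python
"""
Added example: model of the Cridex/Swatbanker drop-zone message format.
Not the malware's code. Assumptions: field serialisation (hex in a form
body) and a constructed toy RSA key pair in place of the X.509 public key.
"""
import hashlib
import os
from urllib.parse import parse_qs, urlencode


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed toy RSA key pair (textbook RSA, no padding). It only stands in
# for the certificate's public key; RSA_D plays the attackers' private key.
RSA_P = (1 << 127) - 1
RSA_Q = (1 << 107) - 1
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
SYMKEY_LEN = 16


def init_crypt_context(pubkey=(RSA_N, RSA_E)):
    """Mirrors the initialisation order of the handles H_CryptProv,
    H_Pubkey, H_Hash, H_Symkey. Every call draws a fresh random RC4 key."""
    return {
        "cryptprov": "toy-rsa-provider",   # stands in for the CSP handle
        "pubkey": pubkey,
        "hash": hashlib.sha1(),
        "symkey": os.urandom(SYMKEY_LEN),
    }


def build_dropzone_message(ctx, plaintext: bytes) -> str:
    """Form body with Hash, EncryptedBuffer and ExportSymkey. The key is
    wrapped here at send time (Swatbanker's order; Cridex did it earlier)."""
    n, e = ctx["pubkey"]
    h = ctx["hash"].copy()
    h.update(plaintext)
    m = int.from_bytes(ctx["symkey"], "big")
    export_symkey = pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return urlencode({
        "Hash": h.hexdigest(),
        "EncryptedBuffer": rc4(ctx["symkey"], plaintext).hex(),
        "ExportSymkey": export_symkey.hex(),
    })


def open_dropzone_message(body: str, private_d: int, n: int = RSA_N) -> bytes:
    """What only the private-key holder can do: unwrap the RC4 key, decrypt,
    and check the SHA1. Raises ValueError on a wrong key or tampered data."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    wrapped = int.from_bytes(bytes.fromhex(fields["ExportSymkey"]), "big")
    key_int = pow(wrapped, private_d, n)
    if key_int.bit_length() > 8 * SYMKEY_LEN:
        raise ValueError("unwrapped key has the wrong size: wrong private key")
    symkey = key_int.to_bytes(SYMKEY_LEN, "big")
    plaintext = rc4(symkey, bytes.fromhex(fields["EncryptedBuffer"]))
    if hashlib.sha1(plaintext).hexdigest() != fields["Hash"]:
        raise ValueError("hash mismatch: wrong key or tampered buffer")
    return plaintext


def observer_can_confirm_guess(body: str, guess: bytes) -> bool:
    """Hash covers the plaintext and travels in the clear, so an analyst with
    a capture can confirm a guessed plaintext, but cannot recover an unknown one."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    return hashlib.sha1(guess).hexdigest() == fields["Hash"]


if __name__ == "__main__":
    # Constructed sample of 'stolen' form data, not from any real capture.
    sample = b"user=demo&pass=demo&account=0000"
    body = build_dropzone_message(init_crypt_context(), sample)
    print(body)
    print(open_dropzone_message(body, RSA_D))
```

The model makes the defender-relevant point explicit: a captured upload gives an analyst the SHA1 of the stolen data and the wrapped key, but without the attackers' private exponent the RC4 key, and with it EncryptedBuffer, stays opaque. The random per-message key also means that two uploads of identical data produce different bodies, so the ciphertext itself is not a usable indicator.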
One difference between the two variants is that Cridex already calculates the above-mentioned ExportSymkey during initialisation, while Swatbanker does not do so until immediately before sending the data. Another difference is that the pointer to the unencrypted data (Buffer*) is stored in a separate data structure in Cridex, while Swatbanker combines the pointer and the handles in a single data structure. While many internal functions are very similar, the "createcryptcontext" function is completely identical in both programs:
Another indicator that the two are related comes from comparing the webinjects. Webinjects are JavaScript code that the malware injects into the targeted websites in the victim's browser. Even at first glance it is obvious that the webinjects were merely revised and assigned a new version number:
Code excerpt from the new and old variants of a webinject.
Comparison of the code from the new and old variants of a webinject. Orange bars represent differences.
c5f739b880454bbf4d7570b5e685b7481ff9aa80bb5d3c15fd8eaac5d6d4f289
The attackers now change the URL schemes they use every day and start new waves of spam with new variants of the malware files, in order to lure ever more recipients into the malware trap and to evade AV solutions. Once a server has been compromised, several of the attack scenarios used by these waves are stored on it at once.
The first wave of the current spam mails was detected in mid-May and started with supposed invoices from Telekom and Vodafone. Since then, about 20 different URL schemes for distributing the malware have been registered for the four affected companies. By swapping out the URLs as well as the stored variants of the Swatbanker malware files, the attackers naturally want to ensure that AV solutions and potential victims do not stand a chance against these attacks. However, the G DATA protection solutions are equipped to fend off these attacks with advanced and extensive protective technologies such as G DATA BankGuard.
The experts at G DATA SecurityLabs will keep an eye on this case and, where appropriate, publish updates on current developments in the G DATA SecurityBlog.