Banking Trojan has targeted Bundestag

After the initial reports on the attacks on the Bundestag (German Federal Parliament), variants of the Swatbanker family are now putting the Bundestag's intranet on a watch list. The operators of the botnet are apparently trying to steal access data and server responses associated with this site. It is not clear whether this is a new attack or whether the same attackers who were active in May have expanded their pattern of attack. Since the first reports of the attacks on the Bundestag, we have been searching for clues as to the initiators, but as yet there have been no hints as to the origin. Now experts at G DATA have discovered that a group using the Swatbanker banking Trojan has had its eyes on the Bundestag. Swatbanker is also known under the name Geodo and is a successor to Cridex, alias Feodo.

Analysis of the configuration files

To analyse the attack patterns of banking Trojans in detail, we study the malware's configuration files, which control the Trojan's behaviour. They include things such as the domains under attack and the HTML/JavaScript code (called webinjects) that is used to carry out the attacks on the users of these domains. Configuration files are also the basis for calculating the top 25 attack targets of banking Trojans in our SecurityLabs Malware Report.

However, besides the webinjects, there are other sections in the configuration files. With Swatbanker, one of these is a URL filter list: if an infected computer visits a website matching an entry on this list, it sends data to the control server. This section was empty in previous versions of the malware. In the current analysis, we have found several configuration files, observed between 08/06/2015 11:41 and 10/06/2015 14:21, that filter on domains such as: *bundestag.btg*

This is the domain for the German Bundestag's intranet. When an infected computer calls up a domain that matches this pattern, it reports to the control server and transfers the following information:

  • URL (address of the website visited)
  • User agent (details such as the browser used)
  • Referrer (the source of the request: was the page reached by clicking on a link, and if so, on which site?)
  • Content type of the server response (file type that the server sends in its response)
  • Content of the POST request in form fields (incl. login name, password, search input)
  • The full response from the server (web pages or files that the server returns for the request)
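The filter entry and the list of reported fields above translate directly into an incident-response scoping question: which internal hosts requested a matching URL while this configuration was live, and which of them submitted form data (and therefore, per the list, login names and passwords)? The following script is an added example for that scoping step; it is not G DATA's tooling or the malware's code. It assumes a hypothetical proxy log format (timestamp, client IP, method, URL, status), uses constructed IPs and URLs, and assumes the filter entry is a glob in which `*` matches any characters, `/` included (fnmatch semantics). Only the pattern and the observation window come from the post.

```python
"""Scope which internal hosts would have triggered a Swatbanker-style URL
filter entry, using proxy logs.  Added example, not G DATA's tooling; the
log format and every IP/URL below are constructed."""
import fnmatch
import re
from collections import defaultdict
from datetime import datetime

# Filter entry in the glob form quoted in the post.
FILTER_LIST = ["*bundestag.btg*"]

# Observation window of the configuration files named in the post.
WINDOW_START = datetime(2015, 6, 8, 11, 41)
WINDOW_END = datetime(2015, 6, 10, 14, 21)

# Constructed proxy log (hypothetical format: timestamp client_ip method url status).
SAMPLE_PROXY_LOG = """\
2015-06-08T11:45:02 10.0.1.15 GET http://intranet.bundestag.btg/start 200
2015-06-08T11:46:10 10.0.1.15 POST http://intranet.bundestag.btg/login 302
2015-06-08T12:01:33 10.0.2.40 GET http://www.example.org/news 200
2015-06-09T08:12:05 10.0.3.7 GET https://mail.bundestag.btg/owa/ 200
2015-06-10T14:30:00 10.0.1.15 GET http://www.example.org/ 200
2015-06-10T15:00:00 10.0.4.9 GET http://intranet.bundestag.btg/ 200
"""


def compile_filters(patterns):
    """Turn glob-style filter entries into anchored, case-insensitive regexes.
    Assumption: '*' matches any characters including '/', as fnmatch does."""
    return [re.compile(fnmatch.translate(p), re.IGNORECASE) for p in patterns]


def url_matches(url, compiled):
    """True if any filter entry matches the full URL."""
    return any(rx.match(url) for rx in compiled)


def parse_line(line):
    """Parse one constructed log line into a record."""
    ts, ip, method, url, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "method": method.upper(), "url": url, "status": int(status)}


def scope_exposure(log_text, patterns=FILTER_LIST,
                   start=WINDOW_START, end=WINDOW_END):
    """Return {client_ip: {"urls": [...], "posts": n}} for requests inside the
    window whose URL matches a filter entry.  POSTs are counted separately
    because the malware reports form fields (login name, password) for them."""
    compiled = compile_filters(patterns)
    hits = defaultdict(lambda: {"urls": [], "posts": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not (start <= rec["ts"] <= end):
            continue  # outside the period the filter was observed
        if not url_matches(rec["url"], compiled):
            continue
        entry = hits[rec["ip"]]
        entry["urls"].append(rec["url"])
        if rec["method"] == "POST":
            entry["posts"] += 1
    return dict(hits)


def triage(hits):
    """Rank hosts: any POST means submitted credentials were likely captured;
    a GET alone means at least the page content was mirrored to the server."""
    rows = []
    for ip, info in sorted(hits.items()):
        risk = "credentials+content" if info["posts"] else "content"
        rows.append((ip, len(info["urls"]), info["posts"], risk))
    return rows


if __name__ == "__main__":
    for ip, n, posts, risk in triage(scope_exposure(SAMPLE_PROXY_LOG)):
        print(f"{ip:<12} requests={n} posts={posts} exposure={risk}")
```

Hosts flagged with a POST are the ones whose intranet credentials should be treated as compromised and rotated first; hosts with GETs only still need review, since the full server response (the intranet pages themselves) was reported to the control server. The time window is deliberately a parameter: if later configuration files keep the entry, widen it.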

Apparently, the operators of the Swatbanker botnet are interested in whether they have infected computers that can access the intranet pages of the Bundestag. The two days mentioned are sufficient to search the entire botnet for the relevant zombie computers and at the same time obtain the access data for the Bundestag's intranet. The captured server responses can be used to reconstruct the content displayed or to prepare further attacks. The botnet operators would then also be capable of carrying out additional activities, such as installing further malware for spying on the network and collecting more data.

Continuation or new start?

How should this new incident be categorised? Why would another attack on the Bundestag's intranet follow when, according to media reports, its network is already fully compromised? One possibility is that this is a separate attack in which Swatbanker serves as access to a framework specialising in data theft (in the banking environment). Whether the operators of the Swatbanker botnet have taken the initiative themselves or whether they are working on behalf of secret services cannot be said for certain. Related reports that banking Trojans from eastern Europe are being used for targeted attacks are becoming more frequent in certain circles.

However, it might also be that this is a continuation of the original attack. In this scenario, the computers used in the Bundestag network have largely been compromised, whereas private or mobile computers, on which members of parliament often edit their data, have only partly been affected. The current attack is ideally suited to detecting such external computers and drawing them into the original attack.