After the initial reports on the attacks on the Bundestag (German Federal Parliament), variants of the Swatbanker family are now putting the Bundestag's intranet on a watch list. The operators of the botnet are apparently trying to steal access data and server responses associated with this site. It is not clear whether this is a new attack or whether the same attackers who were active in May have expanded their pattern of attack. Since the first reports of the attacks on the Bundestag, we have been searching for clues as to the initiators, but as yet there have been no hints as to the origin. Now experts at G DATA have discovered that a group using the Swatbanker banking Trojan has had its eyes on the Bundestag. Swatbanker is also known under the name Geodo and is a successor to Cridex, alias Feodo.
However, besides the webinjects, there are other sections in the configuration files. With Swatbanker, one of these is a URL filter list. If an infected computer visits a website on this list, it sends data to the control server. This section was empty in previous versions of the malware. In the current analysis, we have found several configuration files between 08/06/2015 11:41 and 10/06/2015 14:21 that have been filtering on domains such as: *bundestag.btg*
This is the domain for the German Bundestag's intranet. When an infected computer calls up a domain that uses this pattern, it reports in to the control server and transfers the following information:
Apparently, the operators of the Swatbanker botnet are interested in whether they have infected computers that can access the intranet pages of the Bundestag. The two days mentioned are sufficient for searching the entire botnet for the relevant zombie computers and at the same time obtaining the access data for the Bundestag's intranet. The server responses, which are also captured, can be used to record the content displayed or to prepare further attacks. The botnet operators would then also be capable of further activities, such as installing additional malware to spy on the network and collect more data.
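One defender-side use of the filter-list behaviour described above: given the filter entries and a proxy log, list the hosts whose visits would have triggered a report to the control server during the window quoted in the text, i.e. the machines whose intranet credentials and page content may have leaked. This is an added example, not G DATA's code; the log lines, the second filter entry, the use of the quoted dates as the triage window and the wildcard semantics (glob-style, case-insensitive) are assumptions.

```python
import re
from datetime import datetime
from fnmatch import translate

# Constructed filter section: only the first pattern is from the report,
# the second is a made-up placeholder to show that the list can hold several entries.
URL_FILTER = ["*bundestag.btg*", "*intranet.example-placeholder*"]

# Window in which the filtering configurations were seen (DD/MM/YYYY on the page);
# using it as the triage window is an assumption.
WINDOW_START = datetime(2015, 6, 8, 11, 41)
WINDOW_END = datetime(2015, 6, 10, 14, 21)

# Constructed proxy log lines: "timestamp client-ip method url".
SAMPLE_LOG = """\
2015-06-08T12:05:00 10.1.2.3 GET http://www.bundestag.btg/intranet/login
2015-06-08T12:06:10 10.1.2.3 POST http://www.bundestag.btg/intranet/mail
2015-06-09T08:00:00 10.1.2.7 GET https://example.org/news
2015-06-11T09:00:00 10.1.2.9 GET http://BUNDESTAG.BTG/docs
2015-06-09T10:30:00 10.1.2.4 GET http://intranet.example-placeholder/home
"""


def compile_filters(patterns):
    """Turn glob-style filter entries into case-insensitive regexes (assumed semantics)."""
    return [re.compile(translate(p), re.IGNORECASE) for p in patterns]


def match_filter(url, compiled):
    """Return the index of the first filter entry matching the URL, or None."""
    for i, rx in enumerate(compiled):
        if rx.match(url):
            return i
    return None


def hosts_that_would_report(log_text, patterns, start, end):
    """Map client IP -> sorted matched URLs visited inside [start, end].

    A host listed here visited a filtered site while the filter was active, so
    its access data and server responses may have been sent to the C2."""
    compiled = compile_filters(patterns)
    hits = {}
    for line in log_text.splitlines():
        ts, client, _method, url = line.split()
        if not (start <= datetime.fromisoformat(ts) <= end):
            continue  # outside the window: the filter was not known to be active
        if match_filter(url, compiled) is None:
            continue  # not a filtered site: no report would be triggered
        hits.setdefault(client, set()).add(url)
    return {client: sorted(urls) for client, urls in hits.items()}
```

Hosts returned by `hosts_that_would_report` are the ones to prioritise for credential resets and forensic review.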
How should this new incident be categorised? Why is another attack on the Bundestag's intranet following when, according to media reports, its network is already fully compromised? One possibility is that this is a separate attack that uses Swatbanker as a framework specialising in data theft (in the banking environment). Whether the operators of the Swatbanker botnet have taken the initiative themselves or are working on behalf of secret services cannot be said for certain. Reports that banking Trojans from eastern Europe are being used for targeted attacks are becoming more frequent in certain circles.
However, it might also be that this is a continuation of the original attack. In this scenario, the computers used in the Bundestag network have mostly been compromised, whereas private or mobile computers, on which members of parliament often edit their data, have only partially been involved. The current attack is ideally suited to detecting such external computers and drawing them into the original attack.