Japanese banking customers have been the target of newly discovered financial malware, dubbed Tsukuba, a member of the proxy changers family, according to researchers at IBM Trusteer.
Like other proxy changers, Tsukuba doesn’t sport advanced technical capabilities, but “it makes up for it through its most recent social engineering technique, which is how it harvests victims’ online banking credentials, personally identifiable information (PII) and even clear images of official identification documents,” researchers said in a blog post.
First, Tsukuba is dropped through spam in packed form. The packer resists debugging and analysis. Once the trojan's executable runs, the packer uses process hollowing: it calls the CreateProcess API with the process created in a suspended state. When the suspended child process is unpacked, its entry point is changed, which masks the malicious installation. Because nothing can attach to a process while it is suspended, the malware "waits for the process to resume and then finalizes the installation, terminating before someone can attach a debugger or analyze it," the post said.
Then, Tsukuba disguises "itself while communicating with its command-and-control (C&C) server and downloading other components and run commands if need be" by abusing powershell.exe, a legitimate Windows process, the blog pointed out. It evades proxy detection tools and research environments by checking for a list of processes associated with such environments, including VboxService, VboxTray and Proxifier. "If one is indeed found, the malware will not complete the installation of all of its components," the blog post said.
In a final step before completing installation, “the malware must determine that the potential victim is relevant to its masters by copying their browser cookies and scanning them for the URLs of its target entities (triggers),” researchers wrote. “Only if the infected machines visit one of the listed banks will the malware continue its installation process.”
The banking trojan also registers a fake root certificate, which, the researchers said, allows it "to browse to malicious pages through its own rogue proxy." It avoids detection by leveraging the certutil.exe Windows process to establish "a root certificate on the PC with the exact same name as the original." That way, its sessions "pass as trusted through the browser."
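A defender's check for the technique described above, as an added example that is not code from the IBM Trusteer post: a rogue root that copies the display name of a legitimate CA still carries a different thumbprint, so grouping the trusted roots by subject and flagging subjects that appear with more than one thumbprint surfaces it. The script also lists roots present only in the per-user store, on the assumption that an unprivileged dropper writes there rather than to the machine store.

```powershell
# Added example, not part of the original article or the IBM Trusteer research.
# Looks for trusted root certificates whose Subject duplicates another root
# but whose thumbprint differs, across the machine and current-user stores.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$roots = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotBefore  = $_.NotBefore
            Issuer     = $_.Issuer
        }
    }
}

# Same subject name, more than one distinct thumbprint: a look-alike root.
$suspicious = $roots |
    Group-Object -Property Subject |
    Where-Object { @($_.Group.Thumbprint | Sort-Object -Unique).Count -gt 1 }

foreach ($group in $suspicious) {
    Write-Output "Subject appears with multiple thumbprints: $($group.Name)"
    $group.Group | Sort-Object NotBefore |
        Format-Table Store, Thumbprint, NotBefore, Issuer -AutoSize
}

# Roots trusted only for this user and absent from the machine store deserve review;
# assumption: a dropper running without admin rights lands in the user store.
$machineThumbs = @($roots | Where-Object { $_.Store -eq 'Cert:\LocalMachine\Root' }).Thumbprint
$roots |
    Where-Object { $_.Store -eq 'Cert:\CurrentUser\Root' -and $machineThumbs -notcontains $_.Thumbprint } |
    ForEach-Object { Write-Output "User-only root: $($_.Subject) [$($_.Thumbprint)]" }
```

Run it in a normal (non-elevated) session, since that is the store a user-level infection would touch; compare any flagged thumbprint against the CA's published fingerprint before acting on it.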
Proxy Auto-Config (PAC) instructions are required "to execute the actual proxy modification on the infected machine," the blog post said. Once the malware, in response to an HTTP GET request sent to the C&C, receives current information about which malicious proxy to use, it can "add a PAC URL path to the browser's configuration scheme," the researchers wrote. With the attacker's proxy substituted for the default choice, the browsers end up "favoring it," which, the researchers said, directs user requests to the URLs designated by the attackers.
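A check for the PAC modification described above, as an added example that is not code from the article or from IBM Trusteer: on Windows the per-user WinINET settings that Internet Explorer and Chrome honour live under the Internet Settings registry key, where a PAC script is referenced by the AutoConfigURL value and a static proxy by ProxyEnable/ProxyServer. The script compares the PAC host against an allowlist (the `$ApprovedPacHosts` entry is a placeholder, not a real host) and reports anything else; Firefox keeps its own proxy preferences and is out of scope here.

```powershell
# Added example, not part of the original article or the IBM Trusteer research.
# Audits the current user's WinINET proxy configuration for an unexpected
# Proxy Auto-Config (PAC) URL or static proxy.
$ApprovedPacHosts = @('proxy.corp.example')   # placeholder allowlist; replace with your own

$keyPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $keyPath
$findings = @()

if ($settings.AutoConfigURL) {
    $pacUri = $null
    if ([System.Uri]::TryCreate($settings.AutoConfigURL, [System.UriKind]::Absolute, [ref]$pacUri)) {
        if ($ApprovedPacHosts -notcontains $pacUri.Host) {
            $findings += "AutoConfigURL points to an unapproved host: $($settings.AutoConfigURL)"
        }
        # A PAC served from file:// or data: never crosses the network, so proxy logs miss it.
        if ($pacUri.Scheme -ne 'http' -and $pacUri.Scheme -ne 'https') {
            $findings += "AutoConfigURL uses non-HTTP scheme '$($pacUri.Scheme)'"
        }
    } else {
        $findings += "AutoConfigURL is not a well-formed URL: $($settings.AutoConfigURL)"
    }
}

if ($settings.ProxyEnable -eq 1 -and $settings.ProxyServer) {
    $findings += "Static proxy enabled: $($settings.ProxyServer)"
}

# The binary DefaultConnectionSettings value mirrors the same choices; its flags
# DWORD sits at offset 8 (0x01 direct, 0x02 proxy, 0x04 PAC, 0x08 auto-detect).
$conn = Get-ItemProperty -Path "$keyPath\Connections" -ErrorAction SilentlyContinue
if ($conn -and $conn.DefaultConnectionSettings -and $conn.DefaultConnectionSettings.Length -gt 8) {
    $flags = $conn.DefaultConnectionSettings[8]
    if ($flags -band 0x04) { $findings += 'DefaultConnectionSettings flag: PAC script in use' }
    if ($flags -band 0x08) { $findings += 'DefaultConnectionSettings flag: auto-detect (WPAD) enabled' }
}

if ($findings.Count -eq 0) {
    Write-Output "No unexpected proxy configuration found under $keyPath"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Because the page notes that the PAC location is refreshed from the C&C over HTTP, a one-off run only catches the current value; scheduling the check and alerting on any change to AutoConfigURL is the more useful deployment.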
Once the "rogue proxy" is set up, "only victims browsing from Japanese IPs will be let through to the Trojan's custom social engineering zones," which is one thing that makes Tsukuba particularly dangerous, researchers said. Users in Japan are more vulnerable to the attack because they "are less accustomed to seeing Trojan attacks in their region than those in English-speaking countries."