
Op Emmental spoofs bank sites, uses Android malware to maintain account access

Cyber criminals have crafted an intricate attack method for maintaining a foothold in victims' online bank accounts, researchers warn.

On Tuesday, Trend Micro released a 20-page report (PDF) on “Operation Emmental,” which makes use of Android malware capable of defeating SMS-based two-factor authentication by intercepting the bank's one-time session tokens, and which also delivers malicious code that changes an infected computer's DNS settings so that name lookups go to attacker-operated servers.

Saboteurs begin the scheme by delivering malware through phishing attacks – malicious links or attachments designed to look like correspondence from popular retailers. David Sancho, senior threat researcher at Trend Micro, explained via a Tuesday blog post that users who fall for the phishing ruse are infected, but “not with the usual banking malware.”

“The malware only changes the configuration of their computers then removes itself,” Sancho wrote, later adding that the “changes are small…but have big repercussions” for users.

“The malware installs a rogue SSL root certificate in their systems so that the malicious HTTPS servers are trusted by default and [users] see no security warning,” Sancho said. Once the computer resolves names through the attackers' DNS servers, the bank's genuine hostname resolves to a spoofed site designed to look like the victim's own bank, and the rogue root certificate keeps the browser from warning about the forged HTTPS certificate the spoofed site presents.
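The two changes the dropper makes, repointed resolvers and an added trust anchor, are exactly the kind of drift a host-integrity check can catch after the dropper has deleted itself. The following is an added example written for this page, not Trend Micro's code or anything from the report: it assumes a collector has already gathered the host's active resolver list and the SHA-256 fingerprints of its trusted root store, and compares both against a known-good baseline. The baseline and the "infected" snapshot are constructed sample data, not real certificates or resolvers.

```python
"""Host drift check for the two configuration changes the Emmental dropper
makes: resolvers repointed to attacker DNS and a rogue trust anchor added.

Added illustration, not Trend Micro's code. It assumes a collector has
already gathered the host's active resolver list and the SHA-256
fingerprints of its trusted root store; both snapshots below are
constructed sample data, not real certificates or resolvers.
"""
import hashlib
import ipaddress


def fake_fingerprint(label: str) -> str:
    """Constructed stand-in for a SHA-256 certificate fingerprint."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed known-good baseline taken from a clean build of the same image.
BASELINE = {
    "dns_servers": {"10.0.0.53", "10.0.1.53"},
    "root_cas": {
        fake_fingerprint("Example Root CA 1"): "Example Root CA 1",
        fake_fingerprint("Example Root CA 2"): "Example Root CA 2",
    },
}


def audit_dns(observed, baseline):
    """Flag resolvers that are malformed or not in the approved set."""
    findings = []
    if not observed:
        findings.append(("dns", "no resolver configured", None))
    for server in observed:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            findings.append(("dns", "unparseable resolver address", server))
            continue
        if server not in baseline:
            findings.append(("dns", "resolver not in baseline", server))
    return findings


def audit_root_store(observed, baseline):
    """Compare trust anchors by fingerprint, never by subject name: a rogue
    root can carry any subject it likes, including one that mimics a bank."""
    findings = []
    for fingerprint, subject in observed.items():
        if fingerprint not in baseline:
            findings.append(("root_ca", "trust anchor not in baseline",
                             f"{subject} ({fingerprint[:16]}...)"))
    for fingerprint, subject in baseline.items():
        if fingerprint not in observed:
            findings.append(("root_ca", "baseline trust anchor missing", subject))
    return findings


def audit_host(snapshot, baseline=BASELINE):
    """Return every drift finding for one host snapshot."""
    return (audit_dns(snapshot["dns_servers"], baseline["dns_servers"])
            + audit_root_store(snapshot["root_cas"], baseline["root_cas"]))


# Constructed snapshot of an infected host: one resolver swapped for an
# address in the 198.51.100.0/24 documentation range standing in for the
# attacker's server, plus an extra root whose subject imitates a bank CA.
INFECTED = {
    "dns_servers": ["198.51.100.7", "10.0.1.53"],
    "root_cas": {
        **BASELINE["root_cas"],
        fake_fingerprint("rogue root"): "Example Bank Secure Root CA",
    },
}

if __name__ == "__main__":
    for kind, what, detail in audit_host(INFECTED):
        print(f"[{kind}] {what}: {detail}")
```

The root store is compared by fingerprint rather than by subject because the attackers choose the subject; a rogue root named after the bank or a well-known CA is indistinguishable by name alone. Only one of the two resolvers needs to be swapped for the redirection to work, so the check reports any single unapproved entry rather than requiring the whole list to differ.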

At the malicious page, users are directed to enter their credentials and install an app, which is actually Android malware, on their smartphone, he added.

“This malicious Android app is disguised as a session token generator of the bank. In reality, it will intercept SMS messages from the bank and forward them to a command-and-control (C&C) server or to another mobile phone number. This means that the cyber criminal not only gets the victims' online banking credentials through the phishing website, but also the session tokens needed to bank online as well. The criminals end up with full control of the victims' bank accounts,” Sancho said.
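An app that intercepts bank SMS messages and forwards them elsewhere needs a recognisable set of declared capabilities, which makes manifest triage a quick first check when a suspicious "token generator" turns up on a victim's phone. The following is an added example written for this page, not Trend Micro's code and not derived from the real sample: it assumes the app receives texts the ordinary way, through a BroadcastReceiver registered for the android.provider.Telephony.SMS_RECEIVED broadcast, and forwards them over the network or by SMS, which is how the article describes the exfiltration. Both manifests are constructed examples.

```python
"""Static triage of an Android manifest for the SMS-stealing pattern the
Emmental companion app relies on.

Added illustration, not Trend Micro's code, and not derived from the real
sample. It assumes the app receives texts the ordinary way, through a
BroadcastReceiver registered for android.provider.Telephony.SMS_RECEIVED,
and exfiltrates them over the network or by SMS. The two manifests below
are constructed examples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
READ_PERM = "android.permission.RECEIVE_SMS"
# Either of these gives the app a way to forward what it intercepts.
EXFIL_PERMS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}

    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            if any(_attr(a, "name") == SMS_RECEIVED for a in flt.iter("action")):
                # A very high priority let pre-4.4 apps see (and abort) the
                # broadcast before the stock messaging app did.
                try:
                    priority = int(_attr(flt, "priority") or 0)
                except ValueError:  # resource reference such as @integer/x
                    priority = 0
                sms_receivers.append((_attr(receiver, "name"), priority))

    can_read = READ_PERM in perms and bool(sms_receivers)
    exfil = sorted(perms & EXFIL_PERMS)
    if can_read and exfil:
        verdict = "sms-interception capable"
    elif can_read:
        verdict = "reads incoming sms, no exfil channel declared"
    else:
        verdict = "no sms interception capability"

    return {
        "package": root.get("package"),
        "sms_receivers": sms_receivers,
        "max_priority": max((p for _, p in sms_receivers), default=0),
        "exfil_channels": exfil,
        "verdict": verdict,
    }


# Constructed manifest of a fake "token generator" that forwards texts.
TOKEN_APP_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.banktoken">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank Token">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of a genuine time-based token app: no SMS access.
TOTP_APP_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.totp">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="TOTP"/>
</manifest>
"""

if __name__ == "__main__":
    for m in (TOKEN_APP_MANIFEST, TOTP_APP_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], "->", r["verdict"], r["sms_receivers"], r["exfil_channels"])
```

This is triage, not proof: a legitimate messaging client declares the same permissions and receiver. What makes the combination suspicious here is context the manifest cannot show, namely an app that claims to generate tokens (which needs no SMS access at all, as the second manifest illustrates) and arrived via a link on a spoofed bank page.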

So far, criminals have targeted users in Switzerland, Austria, Sweden, and Japan, Trend Micro revealed. The group, believed to be located in a Russian-speaking country, was also linked to attacks dating back to 2011 – though, at that time, saboteurs were spreading “off-the-shelf” banking malware, like SpyEye, Sancho wrote.

In a Tuesday interview, Tom Kellermann, chief cybersecurity officer at Trend Micro, said the operation's most interesting attributes were its obfuscation techniques: the malware deletes itself and hides itself in an image file, giving attackers “the capacity to maintain persistence.”

Given the evolving threat, banks should strengthen their verification of online and mobile users and implement DMARC (Domain-based Message Authentication, Reporting and Conformance) to make the phishing lures harder to deliver, he added. In addition, financial institutions must begin to align their fraud detection systems with breach detection solutions by investing in next-generation systems, he continued.

Lastly, the financial industry must educate itself on threats by analyzing intelligence from the most advanced attacks, such as those emanating from groups in Russia and Romania, Kellermann said.
