Operation Emmental. David Sancho, FTR team. 5/11/14. Copyright 2014 Trend Micro Inc.
The Way In…
The way in. First things first: the infection vector we have identified is email. The attackers send spam campaigns localized in the language of the potential victims, using brand names that are very recognizable to people from those countries, written in their local language. The screenshot is from an attack directed at people in Switzerland.
One of the innovative social engineering techniques used in this attack is the use of RTF files with the trojan embedded. RTF files are text files, so at first glance they might seem innocuous; Microsoft allows OLE objects to be embedded in them, though. The picture shows one such file as used in the attack. Note how Windows uses WordPad to open these, and the user needs to double-click on the trojan, which is disguised as a receipt from the Swiss online shop shown earlier. Also, instead of a regular EXE file, it is a Control Panel extension (CPL; for more information on these, see the Trend Micro paper on CPL threats).
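A detection-side illustration of the RTF trick described above, added here as an example and not part of the original deck: it decodes the hex stream behind each `\objdata` control word, checks whether the object is an OLE Packager ("Package") object, looks for an embedded PE image by validating the MZ/PE header pair, and pulls out the file label the Packager stores (for instance a `.cpl` name). The sample RTF, the OLE 1.0 header layout and the `Rechnung.cpl` label are all constructed for the example.

```python
import re
import struct

# Hex stream after \objdata (runs to the group's closing brace) and the label / source-path
# strings an OLE "Package" object keeps next to the embedded file bytes.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
FILENAME_RE = re.compile(rb"([\w\- ]+\.(?:cpl|exe|scr|dll|js|vbs))\x00", re.IGNORECASE)

def extract_objdata(rtf: bytes) -> list:
    """Decode every \\objdata hex blob in the RTF into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs

def find_pe_header(blob: bytes) -> bool:
    """True if some 'MZ' has an e_lfanew (offset 0x3C) that points at a 'PE\\0\\0' signature."""
    start = 0
    while (mz := blob.find(b"MZ", start)) != -1:
        if mz + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, mz + 0x3C)[0]
            if blob[mz + e_lfanew : mz + e_lfanew + 4] == b"PE\x00\x00":
                return True
        start = mz + 1
    return False

def scan_rtf(rtf: bytes) -> list:
    """One finding per embedded object; 'suspicious' = Packager object carrying an executable."""
    findings = []
    for i, blob in enumerate(extract_objdata(rtf)):
        names = sorted({m.group(1).decode("latin-1") for m in FILENAME_RE.finditer(blob)})
        is_pkg, has_pe = b"Package\x00" in blob, find_pe_header(blob)
        findings.append({"index": i, "ole_package": is_pkg, "has_pe": has_pe,
                         "filenames": names, "suspicious": is_pkg and (has_pe or bool(names))})
    return findings

def _fake_pe() -> bytes:
    """Constructed MZ stub whose e_lfanew points at a PE signature; not a runnable program."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 16

def _fake_objdata(label: bytes, payload: bytes) -> bytes:
    """Constructed OLE 1.0 header (FormatID 2 = embedded, class 'Package') plus Packager data."""
    header = struct.pack("<II", 0x00000501, 2) + struct.pack("<I", 8) + b"Package\x00" + struct.pack("<II", 0, 0)
    native = b"\x02\x00" + label + b"\x00" + b"C:\\Users\\victim\\" + label + b"\x00" + struct.pack("<I", len(payload)) + payload
    return header + struct.pack("<I", len(native)) + native

# Constructed samples: a "receipt" RTF embedding a .cpl, and a plain RTF with no objects.
SAMPLE_RTF = (b"{\\rtf1\\ansi Rechnung\\par{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
              + _fake_objdata(b"Rechnung.cpl", _fake_pe()).hex().encode() + b"}}}")
BENIGN_RTF = b"{\\rtf1\\ansi Hello\\par}"
```

Real Packager streams carry more fields than the constructed header here, so treat the filename match as a hint and the MZ/PE check as the stronger signal.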
Upon infection, the trojan just changes the DNS configuration and adds a new certificate to the machine. This means that the trojan is not persistent: it will never run again, and therefore we can consider the machine uninfected afterwards. If the trojan was not detected immediately by the AV software, it will never get a second chance. [The picture of the cert store is there to convey how difficult this thing is to spot. It is impossible to tell it apart from the legitimate certificates.]
When the user tries to access his or her online bank, the DNS redirection points them to a malicious server instead. This is very similar to how Rove Digital had established a rogue DNS server network to hijack and redirect advertisements. In this case, the redirection affects only certain online banks in certain countries. This is much more devious and at the same time much more difficult to spot, since the potential victims are far fewer: an infected computer from a different country would never notice any difference at all. Note how the domain name in the screenshot is the real one. The user could end up there by clicking on a real link from Google, using a previous browser bookmark, or even by typing the name manually. At this point, the attack is a sophisticated case of phishing (i.e., impersonating an online bank web page).
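A defender-side check for the selective DNS redirection described in the two paragraphs above, added here as an example and not taken from the deck: it flags DNS servers that are not on an allowlist, and compares the answers an endpoint's resolver gives for a watch-list of hostnames against answers from a resolver you control, tolerating CDN rotation within the same /24. The resolver allowlist, hostnames and addresses are constructed; in practice the watch-list must name the e-banking hosts explicitly, because a rogue resolver of this kind answers everything else truthfully.

```python
import ipaddress

# Constructed allowlist: the only resolvers endpoints in this environment should use.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

def unapproved_resolvers(configured: list) -> list:
    """DNS servers in the endpoint's configuration that are not on the allowlist."""
    return sorted(set(configured) - APPROVED_RESOLVERS)

def same_network(a: str, b: str, prefix: int = 24) -> bool:
    """Cheap CDN tolerance: two answers in the same /24 are treated as the same pool."""
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/{prefix}", strict=False)

def compare_answers(local: dict, trusted: dict) -> dict:
    """local / trusted map hostname -> set of A records from the endpoint's resolver and
    from a resolver you control. Only hostnames present in `trusted` are judged, so the
    bank hostnames must be on that list: a selective hijack answers every other name honestly."""
    verdicts = {}
    for host, good in trusted.items():
        seen = local.get(host, set())
        if not seen:
            verdicts[host] = "no-answer"
        elif seen & good:
            verdicts[host] = "ok"
        elif any(same_network(s, g) for s in seen for g in good):
            verdicts[host] = "cdn-variance"
        else:
            verdicts[host] = "hijacked"
    return verdicts

def hijacked_hosts(local: dict, trusted: dict) -> list:
    """Hostnames whose local answer shares nothing with the trusted answer: escalate these."""
    return sorted(h for h, v in compare_answers(local, trusted).items() if v == "hijacked")

# Constructed sample: the rogue resolver is honest for everything except one e-banking host.
TRUSTED = {
    "www.example.com": {"93.184.216.34"},
    "ebanking.bank.example": {"203.0.113.10", "203.0.113.11"},
    "cdn.example.net": {"198.51.100.20"},
}
LOCAL = {
    "www.example.com": {"93.184.216.34"},
    "ebanking.bank.example": {"192.0.2.77"},
    "cdn.example.net": {"198.51.100.25"},
}

if __name__ == "__main__":
    print(unapproved_resolvers(["10.0.0.53", "192.0.2.1"]))  # the unexpected resolver
    print(compare_answers(LOCAL, TRUSTED))
```

Because the trojan does not persist, the DNS setting and the added root certificate are the only durable traces on the machine, so this comparison is worth running on a schedule rather than once.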
At this point in the attack, the supposed bank page is trying to social-engineer the user into installing an Android app to "enhance the security" of the transaction. The page requires the user to install the app, which is supposed to generate a unique token as two-factor authentication. The screenshot shows the QR code for this Android installation. It also asks for the token generated by this (supposedly secure) Android app.
Once the user installs the Android app, it generates a token that can be entered into the page to continue the banking transaction. Remember that the user is only dealing with the fake banking page, so no real transaction is taking place. All this is just theater to distract the user from what is really happening.
But what actually happens? All this is like a magic trick. The attackers create an illusion to distract the user from what is really happening…
The attackers have managed to dupe the victim into installing a rogue Android app on the victim's smartphone, AND they have convinced the victim to disclose the login details (username and password). Next, they will try to log into the bank. When the real bank site sends an SMS, the rogue app forwards the token to the attackers and hides it from the victim. This provides the attackers with everything they need to perform banking transactions impersonating the victim: username, password and SMS token.
Infrastructure: hosting servers, DNS servers, C&C servers, Windows trojan, Android trojan, SMS receiver.
Domains: hxxp://security-apps.net/Raiffeisen.apk hxxp://security-apps.biz/Raiffeisen.apk hxxp://tc-zo.ch/security/ZKB.apk
Oleg Makarov, oleg_makarov555@yahoo.com. Who registered this? This is very likely a fake name. It is still good information for us, to see what the people behind this operation have been up to.
More from Oleg: safe-browser.biz safe-time.net security-apps.biz banking-security.net certificate-security.com chromeupd.pw ffupdate.pw ieupdate.pw safe-browser.biz safe-time.net security-apps.biz security-apps.net sfotware.pw softwareup.pw. All of these domains have been used for scams and malware-related social engineering. We don't have further leads at this time as to who might be behind it.
Obnilim rid. In the source of the Android app, we found the string "obnilim rid", which can be translated from Russian slang as "set to zero". We believe the authors are Russian speakers. Due to the decentralized structure of modern cybercrime, this does not necessarily mean that Operation Emmental is Russian, but whoever is behind it does have connections in the Russian underground.
Our own intelligence gives us hints as to where this threat is coming from. We have seen these domains being checked repeatedly from IP addresses in Romania. This possibly means that the owners of Operation Emmental rely on Romanian network operators. The whole thing clearly traces back to Eastern Europe, but we cannot be more specific than that.
Thanks!