Tuesday, January 12, 2016

Tinba malware Analysis (part I)

Threat actors are always evolving and changing their Tactics, Tools and Procedures (TTP). A current example of this is the evolution in terms of malware used by the threat actors behind Retefe / Emmental.
In this blog I posted several posts( http://blog.angelalonso.es/search/label/operationemmental) with the analysis of Retefe / Emmental malware from different perspectives. Here I mentioned there are two components in the infection chain: a windows malware and a malicious APK. Now, they are still using this multi-malware technique, but there are several changes worth to mention. 

This time the malware they are using for the Windows infection is a very well know bank malware: Tinba.
I got an example yesterday and I wanted to take a brief look about what is this malware doing in general terms. Worth to note that by the time I got  the malware only 3 Antivirus detected the specimen, which means the infection rate is likely very high.

In the beginning I can see the malware is performing several tasks, like for example creating a copy of itself and killing the parent process.

After that, the new process creates a 'explorer.exe' process to looks like a normal process (PID 3508).

"1:25:54.3573320 PM","file.exe","3652","Process Create","C:\Windows\SysWOW64\explorer.exe","SUCCESS","PID: 3508, Command line: explorer","3664"

Later on, one of the threads of that explorer process (Thread 3700) is in charge of injecting threads  in several core processes of the system:

"1:25:55.4411267 PM","taskhost.exe","1380","Thread Create","","SUCCESS","Thread ID: 3080","3700"
"1:25:55.4412113 PM","Dwm.exe","2620","Thread Create","","SUCCESS","Thread ID: 3628","3700"
"1:25:55.4413015 PM","Explorer.EXE","2524","Thread Create","","SUCCESS","Thread ID: 2324","3700"
"1:25:55.4413891 PM","Bootcamp.exe","2388","Thread Create","","SUCCESS","Thread ID: 3176","3700"
"1:25:55.4414673 PM","vmtoolsd.exe","2440","Thread Create","","SUCCESS","Thread ID: 784","3700"
"1:25:55.4415535 PM","GWX.exe","796","Thread Create","","SUCCESS","Thread ID: 1668","3700"
"1:25:55.4416071 PM","Wireshark.exe","3436","Thread Create","","SUCCESS","Thread ID: 2904","3700"
"1:25:55.4416922 PM","dumpcap.exe","2720","Thread Create","","SUCCESS","Thread ID: 4044","3700"
"1:25:55.4417617 PM","conhost.exe","2572","Thread Create","","SUCCESS","Thread ID: 3820","3700"
"1:25:55.4419328 PM","DllHost.exe","3040","Thread Create","","SUCCESS","Thread ID: 3688","3700"
"1:25:55.4420515 PM","file.exe","3652","Thread Create","","SUCCESS","Thread ID: 3768","3700"

"1:25:55.4421823 PM","explorer.exe","3508","Thread Create","","SUCCESS","Thread ID: 3772","3700"

However, the interesting thing which I am going to take a look is the thread injection to the Internet explorer process happening.

As I have Wireshark running I can analyse the traffic sent by the compromised host, and I am very interesting to see what happens when I visit one of the victim banks.

While browsing to the ebanking web everything looks normal, however, there is a moment just before trying to log in in the bank account, when I see a suspicious DNS request to trakofed.net

After the DNS has resolved to the IP there is a HTTPS communication to that IP and this exactly when the injection in the browser has been done.

In the infected host, I can see there injected page, which links to the malicious APK.  

In the host I see the HTTPS connection established to the bad site, which deliver the bad content to the victim.

The malware they were using in the past, used to change the proxy setup in order to redirect the traffic to a proxy controlled by the bad guys, so a simple inspection in the browser connection settings will be enough to discover it. However, this injection method is totally transparent to the user and there is not any strange behaviour that can be easily spot.

On the other hand, the APK file to be downloaded has changed as well and there are new things on this as well. I will analyse the changes in the APK in future posts.