Financial Trojans: Tools for Espionage

Malware Variants Target Salesforce Users, Manufacturers
Financial Trojans: Tools for Espionage

Financial cybercrime Trojans, originally used to steal credentials from online banking users, are increasingly being used for espionage purposes.

See Also: Close the Case on Ransomware

For example, the Zeus Trojan variant known as Citadel has been seen in the wild targeting non-banking firms, including a petrochemical manufacturer, according to IBM's Trusteer security division. In addition, customer relationship management software vendor has identified a Dyre banking malware variant that's intercepting Salesforce users' credentials.

In light of these attacks, both financial services institutions and cloud vendors need to watch for credential-stealing attacks and work with customers to lock down attack vectors, for example, by implementing two-factor authentication.

Repurposing Web Injections

Adapting banking Trojans for espionage purposes isn't difficult, experts say. That's because many types of banking malware - including Zeus, Citadel, Shylock, SpyEye - are built to give attackers easy-to-use Web injection - or "man in the browser" - capabilities that allow the malware to hook into Windows processes. Many types of malware ship with Web injection capabilities pre-customized for a number of banks, while also allowing users to create their own customizations.

Malware that injects its own HTML into an otherwise legitimate Web page can be used to access raw data, as well as alter the user interface to hide what it's doing. Many such Trojans also include remote-control capabilities, plus the ability to extract stored website usernames and passwords; log keystrokes and capture screenshots or video; and steal digital certificates. If the malware can trick the browser into using an attacker-supplied certificate, furthermore, it means the malicious code can also eavesdrop on all communications, even if they're being secured using SSL.

Citadel Adapted for Espionage

IBM's Trusteer, which develops anti-fraud software used by a number of banks, warns that it's discovered a Citadel variant that's been tweaked for espionage purposes, and which is being used to target a number of organizations, including an unnamed chemical manufacturer.

"While the use of advanced malware that was originally built for financial theft as a generic advanced persistent threat tool is not new, this is the first time we've seen Citadel used to target nonfinancial organizations," says Dana Tamir, director of enterprise security at IBM's Trusteer, in a blog post. Trusteer has declined to name the victims - or confirm whether it could tell if the campaign was related to industrial espionage or nation-state spying. It says only that they victims include "one of the largest sellers of petrochemical products in the Middle East and a regional supplier of raw petrochemical materials." Trusteer says it directly notified all of the fewer than 10 victims it identified.

Based on Trusteer's analysis, tweaking Citadel to spy on non-banking businesses didn't take much customization. "According to an analysis of the configuration file used in this attack, the Citadel malware was instructed to look for user access to certain URL addresses of Internet-connected systems, such as webmail, of the targeted companies," Tamir says. "Once the browser accesses such a URL, the malware is instructed to grab all the information submitted by the user."

Because this type of "form grabbing" attack is happening in the browser, it allows the malware to grab the data being submitted - including usernames and passwords for corporate webmail accounts - before it gets encrypted. But Trusteer says it's not clear if the attackers directly targeted the petrochemical and other firms, or if they just happened to retrieve the valid credentials from PCs infected with the malware, as part of more widespread financial cybercrime activities.

Dyre Targets Salesforce Users

In another recent example of repurposed malware, recently announced it discovered a version of Dyre - a.k.a. Dyreza - malware, which normally targets banking customers, that appeared to be targeting users of the company's Salesforce SaaS application. The company notes, however, that the malware isn't exploiting any vulnerability in Salesforce.

Dyre has previously been seen targeting a number of banks, including Bank of America, JPMorgan Chase, NatWest and Royal Bank of Canada, according to Stop Malvertising. It includes the ability to bypass SSL and capture banking website credentials in plaintext format.

Using Dyre, however, attackers can also obtain legitimate Salesforce usernames and passwords, then use those to log into systems. As a result, recommends all users follow these four security practices for their instance of the software:

  • Restrict IP ranges so users can only log in from the corporate network or VPN;
  • Enable the two-factor SMS Identity Confirmation system, which uses an SMS to an employee's verified mobile phone number;
  • Use the two-factor authentication Salesforce# program on iOS or Android devices;
  • Employ SAML authentication to verify that log-ins are coming only from approved network devices.

New Version of Malware

The version of Dyre that raised Salesforce alarms is brand new, according to an in-depth analysis published by security firm Adallom. One notable feature built into the malware is its ability to use SSL to encrypt all of its command-and-control communications.

Adallom notes that Salesforce-related URLs aren't included in the Dyre configuration files it's found, which initially led it to believe that Salesforce users weren't being directly targeted, but rather having their log-in credentials captured by more generic data-capture rules in the malware. Digging a bit deeper, however, Adallom found that the C&C server was designed to redirect requests to "" and inject a customized JavaScript payload designed to capture user credentials and track related sessions.

Despite the Salesforce user attack capabilities, Adallom says this Dyre variant appears to be mostly focused on the commercial banking sector, based on the URLs included in the configuration file that was recently being pushed to infected PCs. "There are many banks herein, but if we look into the specific URLs being targeted, we can see a direct correlation to commercial banking," says Tomer Schwartz, director of security research at Adallom Labs, in a blog post. "This makes us believe that this is not the 'steal money from the average Joe' kind of attack; these guys are going for the big guns."

Notably, two of the URLs are for Wells Fargo's Commercial Electronic Office portal, which is designed to allow large businesses to access a variety of tools, including cash management and foreign exchange capabilities. But in the configuration list, "the login URLs for personal accounts and small business accounts are notably absent," Schwartz says.

Then again, the configuration files recovered by Adallom may be restricted to one targeted campaign being run against a particular large bank or set of large banks. Likewise, attackers could be seeking Salesforce log-in credentials tied to specific targets, albeit for unknown purposes. "This target configuration file is downloaded from the C&C servers ... so the attackers could potentially push different configurations to different victims," Schwartz says. "This is actually quite likely if Dyre is a generic malware that is used for different campaigns, but currently we don't have any knowledge of how these decisions are made by the attackers."

But the takeaway is that attackers are getting better at intercepting and employing valid credentials. Unless users take further steps to lock down these credentials, they're placing their businesses, and business accounts, at greater risk of being hacked.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.