We were analyzing an interesting piece of malware today: a recent mutation of the yaludle/silentbanker trojan with rootkit capabilities.
This rootkit is typically installed via drive-by downloads.
It targets financial institutions worldwide (with a focus on the US, Germany, Spain and Australia) and, like the silentbanker versions before it, it can successfully circumvent two-factor authentication, which is why quite a few banks with 2FA solutions are targeted.
The trojan operates in two modes:
- completely silent (typically for banks with just username/password): it simply “uploads” the collected information in real time, encrypted, to a malicious host
- it dynamically (in real time) injects malicious HTML elements into the bank’s website to collect additional information. These malicious HTML elements appear within the bank’s own site, so nobody (not even security experts) can spot anything suspicious.
As we would have expected, virtually no antivirus engines were detecting this rootkit (1/36, 2.78%, http://www.virustotal.com/analisis/756098da62febc1ae372f947e2b62184).
This is the original Citibank site when someone tries to log in with a wrong username/password (so no yaludle/silentbanker here).
This is the Citibank site in exactly the same scenario, this time with yaludle/silentbanker active. (Note the yellow padlock and the correct URL!)
How to detect this Rootkit
This rootkit creates the following registry entry and can therefore be detected if it is present:
wave1 = "<RANDOM>1.CPX"
The <RANDOM>1.CPX file is also present in the C:\WINDOWS\SYSTEM32 directory.
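The two indicators above can be checked offline against a registry export and a System32 directory listing. The following is an added example, not TrustDefender's own tooling; the page does not say which key holds the wave1 value, so the key path in the constructed sample is a placeholder, and the `<RANDOM>` prefix is assumed to be alphanumeric.

```python
import re
from typing import Iterator, List, Tuple

# Indicators from the write-up: a registry value named "wave1" whose data is
# "<RANDOM>1.CPX", and a file "<RANDOM>1.CPX" dropped into C:\WINDOWS\SYSTEM32.
VALUE_NAME = "wave1"
CPX_RE = re.compile(r"^[A-Za-z0-9_-]+1\.cpx$", re.IGNORECASE)  # random prefix + 1.CPX
# .reg export syntax: key headers are [path], string values are "name"="data".
REG_KEY_LINE = re.compile(r"^\[(.+)\]\s*$")
REG_STRING_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s: str) -> str:
    """Undo .reg escaping of backslashes and double quotes."""
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key_path, value_name, data) for each string value in a .reg export.
    Decode the file first (reg.exe writes UTF-16); hex/dword values are skipped
    because the indicator here is a plain string."""
    key = ""
    for line in text.splitlines():
        line = line.strip()
        if (m := REG_KEY_LINE.match(line)):
            key = m.group(1)
        elif key and (m := REG_STRING_LINE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def is_wave1_indicator(value_name: str, data: str) -> bool:
    """True when a value looks like the one the trojan writes."""
    return value_name.lower() == VALUE_NAME and bool(CPX_RE.match(data.strip()))

def find_registry_hits(reg_text: str) -> List[Tuple[str, str]]:
    """(key_path, data) for every matching value in the export."""
    return [(k, d) for k, n, d in parse_reg_export(reg_text) if is_wave1_indicator(n, d)]

def find_dropped_files(system32_listing: List[str]) -> List[str]:
    # On a live host pass os.listdir(r"C:\Windows\System32") as the listing.
    return sorted(n for n in system32_listing if CPX_RE.match(n))

# Constructed sample export, not a real capture. The write-up does not say which
# key holds the value, so the key path below is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\PLACEHOLDER_KEY]
"wave1"="kqzx1.CPX"
"other"="C:\\Program Files\\Example\\app.exe"
'''

if __name__ == "__main__":
    print(find_registry_hits(SAMPLE_REG))
    print(find_dropped_files(["kernel32.dll", "kqzx1.CPX", "notes1.cpx.txt"]))
```

A hit from either function on a host is worth a closer look, but the registry value alone is only as specific as the `wave1` name and the `1.CPX` suffix, so confirm with the file check before acting on it.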
All TrustDefender users (most notably all of our enterprise customers) are protected, as TrustDefender’s Secure Lockdown makes sure that no personal information leaves the computer: it only allows internet requests to the bank’s website.
All TrustDefender users are also protected for all banks that are part of our Financial Trust Network (see http://www.trustdefender.com/lang-en/support-portal/knowledge-base/knowledge-base-article?id=50120000000DB0q).
Please contact us at firstname.lastname@example.org if you want to know whether your financial institution is affected or if you need more information.