God Horses are Floating Clouds: The Story of a Chinese Banker Trojan

By Dong Yan

In China these days, e-commerce has become an important part of daily life, especially among young people. According to a report from CNNIC (China Internet Network Information Center), the number of Chinese e-commerce users reached 242 million at the end of December 2012. This is nearly half of all Chinese internet users.

Because of this, many Chinese cyber-criminals have shifted their business from stealing QQ numbers or virtual assets in online games to stealing money during online trading. In October, People’s Daily, the official newspaper of the Communist Party of China, reported that a group of cybercriminals had been arrested in connection with a Trojan targeting e-commerce users. The Trojan, detected by Kaspersky Lab as Trojan-Banker.Win32.Bancyn.a, was named ‘Floating Cloud’ and was used to steal several million dollars from e-commerce users.

The name ‘Floating Cloud’, ‘浮云’ in Chinese, comes from a saying that is very popular among Chinese internet users: ‘神马都是浮云’. The direct translation is ‘God horses are always floating clouds’, meaning that everything flows away in haste like floating clouds. But here the floating cloud is not a God horse but a Trojan horse. ‘Floating Cloud’ was written in the Easy Programming Language, in which programs can be written entirely in Chinese.

To distribute the Trojan, the cyber-criminals often masquerade as sellers. When the customer (the target) asks for information about the merchandise, they send a zip archive with a name like ‘detail information’ which purports to contain a few pictures of the merchandise. Among these pictures, however, there is an executable file that carries the icon of an image file. If the customer wants to take a look at this ‘picture’ and double-clicks it, the Trojan runs.

When the ‘Floating Cloud’ Trojan runs, it first creates the directories:

C:\WINDOWS\system32\GroupPolicy

and

C:\WINDOWS\system32\GroupPolicy\Machine

and creates the files:

C:\WINDOWS\SYSTEM32\GROUPPOLICY\GPT.INI

and

C:\WINDOWS\system32\GroupPolicy\Machine\Registry.pol

These two files belong to the Group Policy mechanism of the Windows operating system. For security reasons, administrators can define software restriction policies that forbid specified programs from running. Here, however, the Trojan turns this feature against security software.

From the above screenshot, we can see that some DLL files belonging to the anti-virus software of Kingsoft, 360Safe and Tencent are listed in the software restriction policy file and are thereby blocked from loading.

Then the Trojan creates a process to execute the command line “gpupdate /force”, which refreshes the Group Policy and thus activates the rules specified in the policy file.
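Defenders can look for exactly this artifact. The following Python is an added example, not code from the article or from Kaspersky: it parses the Registry.pol format (the ‘PReg’ binary layout Group Policy writes) and lists software restriction policy path rules at the Disallowed level whose path names a security vendor. The key layout under Safer\CodeIdentifiers is the standard one; the vendor list, rule GUIDs and file paths in the sample are constructed placeholders.

```python
import struct
# Registry.pol v1: "PReg" + version 1, then [key;value;type;size;data] records, all text UTF-16LE.
PREG_HEADER = b"PReg" + struct.pack("<I", 1)
U16 = lambda s: s.encode("utf-16-le")
SAFER_DISALLOWED = "Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\Paths\\"  # level 0 = Disallowed
SECURITY_VENDORS = ("kingsoft", "360", "tencent")  # the vendors the article names; extend as needed

def build_registry_pol(records):
    # Encode (key, value, reg_type, data) tuples; used here only to construct the sample file.
    out = bytearray(PREG_HEADER)
    for key, value, reg_type, data in records:
        out += U16("[") + U16(key + "\0") + U16(";") + U16(value + "\0") + U16(";")
        out += struct.pack("<I", reg_type) + U16(";") + struct.pack("<I", len(data)) + U16(";")
        out += data + U16("]")
    return bytes(out)

def parse_registry_pol(blob):
    """Return (key, value, reg_type, data) tuples from a Registry.pol v1 blob."""
    if blob[:8] != PREG_HEADER:
        raise ValueError("not a Registry.pol v1 file")
    def read_cstr(pos):  # scan 2 bytes at a time so a 0x00 low byte is never taken as the terminator
        end = pos
        while end + 1 < len(blob) and blob[end:end + 2] != b"\0\0":
            end += 2
        if end + 1 >= len(blob):
            raise ValueError("unterminated string at offset %d" % pos)
        return blob[pos:end].decode("utf-16-le"), end + 2
    pos, records = len(PREG_HEADER), []
    while pos < len(blob):
        key, pos = read_cstr(pos + 2)             # +2 skips the '['
        value, pos = read_cstr(pos + 2)           # +2 skips the ';'
        reg_type, = struct.unpack_from("<I", blob, pos + 2)
        size, = struct.unpack_from("<I", blob, pos + 8)
        pos += 14                                  # ';' type ';' size ';'
        records.append((key, value, reg_type, blob[pos:pos + size]))
        pos += size + 2                            # data, then ']'
    return records

def find_blocked_security_paths(blob):
    """Paths of Disallowed SRP path rules that name a security vendor: the Trojan's tell."""
    rules = [(k, d) for k, v, _, d in parse_registry_pol(blob) if v.lower() == "itemdata"]
    paths = [d.decode("utf-16-le").rstrip("\0") for k, d in rules
             if k.lower().startswith(SAFER_DISALLOWED.lower())]
    return [p for p in paths if any(vendor in p.lower() for vendor in SECURITY_VENDORS)]

# Constructed sample: one rule blocking a placeholder Kingsoft DLL and one unrelated rule.
RULE = lambda n: SAFER_DISALLOWED + "{00000000-0000-0000-0000-%012d}" % n
SAMPLE_POL = build_registry_pol([(RULE(1), "ItemData", 1, U16("C:\\Program Files\\Kingsoft\\placeholder.dll\0")),
                                 (RULE(2), "ItemData", 1, U16("C:\\Users\\Public\\oldtool.exe\0"))])
```

On a suspect machine, read C:\WINDOWS\system32\GroupPolicy\Machine\Registry.pol in binary mode and pass its contents to find_blocked_security_paths.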

To record installation statistics, the Trojan sends information about the infected computer to the address “http://**.corsgate.com//Install/Post.asp?Uid=3f000300-ad3f3eb3-0723b0f0-3136e3ae”, in which “3f000300-ad3f3eb3-0723b0f0-3136e3ae” is the ID that identifies the cyber-criminal who planted the Trojan.

The Trojan then monitors the current window to see whether it is the Internet Explorer browser and whether the address is one of the following online banking addresses:

ebank.spdb.com.cn/payment/main
ebanks.cgbchina.com.cn/payment
ebank.gdb.com.cn/payment
www.cebbank.com/per/
ebank.cmbc.com.cn/weblogic
ebank.sdb.com.cn/perbank
netpay.pingan.com.cn/peps
ebs.boc.cn/BocnetClient
ebs.boc.cn/BocnetClient/PreLoginPGW.do
ebs.boc.cn/BocnetClient/EpaymentOrderConfirm.do

If so, the Trojan obtains the IHTMLDocument2 interface by sending a WM_HTML_GETOBJECT message to the Internet Explorer window.

Once the Trojan holds this IHTMLDocument2 interface, it can read the source of the web page and modify it at will.

The Trojan then parses the source code to find the location of the amount of money and the receiving account.

Once the modified web page is submitted, the victim’s money is deposited directly into the attacker’s account. The Trojan may also trick the victim into thinking that the payment failed because of internet connection errors, so that the user tries to pay many times, which leads to even bigger losses.

The criminal group behind the Trojan is very interesting. There are about 60 people in the group and each of them has a different role: programming the Trojan, obfuscating the Trojan to bypass anti-virus protection, planting the Trojan, and money laundering, which together form a whole value chain of underground cyber-crime. The group is so well organized that its members cooperated harmoniously although they were distributed across 32 different cities in China, from Heilongjiang province in the north to Hainan province in the south.

The cyber-criminals behind the ‘Floating Cloud’ Trojan were arrested in April 2012. After receiving the report of the operation, the police in Xuzhou cooperated with law enforcement in Weihai and caught two members of the group. After the interrogation, all the cyber-criminals in the whole value chain and their different roles became clear. In all, 58 suspects were caught and 41 of them were eventually arrested. Catching these cybercriminals was really not an easy job. In order to hide their identities and avoid being tracked down, they never used their real personal information, their accounts changed from time to time and their locations also changed frequently.

Anyway, as the Chinese say “The slyest fox can’t escape the skilled hunter.” Members of ‘Floating Cloud’ group were arrested, but the war against this kind of cyber-crime activity is far from over.

*Dong Yan is a Kaspersky Lab security expert
