Upwards of 30 major U.S. banks and financial institutions have been given a reprieve. The hacker behind a coordinated attack against giants such as Bank of America, Chase, Citibank, PNC, Wells Fargo and nearly two dozen other banks has called off the operation after media reports surfaced a month ago exposing the planned attacks.
Known as vorVzakone, the Russian has pulled back on his attempt to recruit 100 botmasters for massive man-in-the-middle attacks against American banks. Security blog Krebs on Security named vorVzakone as the mastermind behind the wire-fraud campaign.
“Based on a communication posted following the media hype, vorVzakone has since given up on his attack plans for now,” said Daniel Cohen, head of business development for online threats managed services at RSA. “As a result, he has retreated to the deeper Web where we believe he may regroup and plan his attack albeit more secretly.”
The scheme centered around an obscure piece of crimeware known as Gozi-Prinimalka, an offshoot of the Gozi banking Trojan. The Trojan drops an executable and a data file that transmits details about a compromised machine to a command-and-control server. Using a new virtual machine syncing module and a trove of stolen data, the attacker can clone a victim’s computer and access an online bank account from the victim’s genuine IP address.
VorVzakone was recruiting up to 100 participants for the attack, initially planned for the first week of November. RSA FraudAction research team member Mor Ahuvia told Threatpost in October that this was the first time a private cybercrime organization recruited outsiders for such an attack. The attackers were promised a cut for their efforts, and were only to be given executable files by vorVzakone, keeping the recruits dependent on him for updates.
RSA’s Cohen said they have not seen any developments in the malware since it was initially monitored. As for the recruits, they’re on the unemployment line.
“Since his above-mentioned post, members of the original team have also been seen posting on ‘classified’ boards offering their services (now that they are jobless),” Cohen said. “It is yet to be seen whether this attack will eventually launch.”
RSA speculated that American banks were specifically targeted because their customers are not required to use two-factor authentication, as customers are in many European countries, for example. Many of these same banks came under fire in September from distributed denial-of-service attacks that took down many online services. Some of these DDoS attacks were firing between 70 and 100 Gbps of traffic at bank sites, causing intermittent interruptions of service. No data was compromised, the banks said.
Researchers at Trend Micro, meanwhile, analyzed samples of Gozi-Prinimalka. They said a backdoor, BKDR_URSNIF.B, collects data and filters for banking information such as strings of information that look like account numbers or the names of banks. Another backdoor, BKDR_URSNIF.DN, looks for a particular registry entry, and if found, drops a Trojan JS_URSNIF.DJ. This one also monitors for particular banking and financial sites, Trend Micro said.
The malware activates once a victim visits a banking site, collects their log-in credentials and sends them to one of several command-and-control servers.
Trend also said that TDBank, Firstrade and Optionsxpress were targeted in the Trojan’s configuration files and subject to man-in-the-browser attacks.
“Not only can regular online accounts by end users be targeted by these attacks, but also corporate and business accounts by small-medium businesses and even those by large enterprises,” researcher Ivan Macalintal said.
Trend Micro, through its analysis of the Trojan’s configuration files, was able to identify 26 banks targeted in the Gozi-Prinimalka campaign. RSA, meanwhile, established a relationship between this new malware and Gozi by observing that both Trojans use the same bot-to-server communication pattern and URL trigger list.
Gozi-Prinimalka’s botmasters use the virtual syncing module to duplicate a victim’s machine, down to the time zone, screen resolution, browser type and other pertinent browsing information. The attacker can use this data to impersonate the victim, and potentially clean out bank accounts.