Categories: Cyber CrimeMalware

How were stolen 36M euro with Eurograbber malware

Zeus, a name that security experts know very well, it’s one of the most prolific and dangerous malware of the history. In the years several versions have been detected, it’s one of the first malware for which it has been applied an excellent business model that made possible its evolution in cybercrime, unique constant is the monetization process based on the exploit of bank accounts.

Last version detected of Zeus botnet has been successful in the theft of about $47 million from European banking customers in the past year according revelation of security experts from Check Point and Versafe that discovered a sophisticated offensive.

The researcheres discovered a multi-dimensional and targeted attack, named “Eurograbber”, that stole an estimated 36+ million Euros from more than 30,000 bank customers from multiple banks across Europe. The attacks were originated in Italy and rapidly spread to other countries of UE such as Spain, Germany and Holland.

The attack described in a report released by the security vendors was based on the diffusion of a malware, directed at PCs and mobile devices, that is able to defeat the two-factor authentication process implemented by banks by intercepting bank messages sent to victims’ phones.

The attacks have exploited Android and Blackberry OSs confirming the great interest of cybercrime in the use of new channels, such as mobile and social media,  to spread cyber threats. The malware has been designed to attack wide audience infecting both corporate and private banking users and illicitly transfer funds out of customers’ accounts in amounts ranging from 500 to 250,000 Euros each.

The schema of attacks is usual, the victim clicks on a malicious link received via an email as part of a phishing attempt,  installing customized variants of the Zeus, SpyEye, and CarBerp Trojans. Infection could also  happens either during internet browsing or clicking on a link inside a social network.

During first visit to bank web site the malware intercepts the dialogue requesting to the user to enter a valid mobile phone number for authentication purpose and to validate successive transactions.  Eurograbber would offer a “banking software security upgrade” that would infect victims’ phones with the mobile version of Zeus, ZITMo (Zeus in the mobile”)  that is equipped with a function to intercept the bank’s sms message that include bank’s transaction authorization number (TAN).

In the following picture is proposed the SMS message (Italian ver.) sent to an Italian customer’s mobile device that contains a malicious link to the upgrade for the online banking security software. Clicking on this link user installs the Eurograbber Trojan on the his mobile device.

“Simultaneous with the SMS being sent to the bank customer’s mobile device, the following message appears on the customer’s desktop instructing them to follow the instructions in the SMS sent to their mobile device in order to upgrade the system software to improve security”

To improve security of the operations, banking implemented a 2-factor authentication mechanism validating identity of the clients and the integrity of transactions with introduction of a special code. When the bank customer starts an online banking transaction, the bank sends a TAN via SMS to the customer’s mobile device. The customer then confirms and completes operation entering the TAN code in the online form proposed by banking service.

Once capture the TAN number the malicious code is able to steal funds from victim’s bank account. The collections of infected machines is managed by an efficient Command & Control (C&C) server infrastructure described in the report:

“In order to facilitate such a sophisticated, multi-stage attack, a Command & Control (C&C) server infrastructure had to be created. This infrastructure received, stored and managed the information sent by the Trojans and also orchestrated the attacks. The gathered information was stored in an SQL database for later use during an attack. In order to avoid detection, the attackers used several different domain names and servers, some of which were proxy servers to further complicate detection. If detected, the attackers could easily and quickly replace their infrastructure thus ensuring the integrity of their attack infrastructure, and ensuring the continuity of their operation and illicit money flow.”

 

To date, this schema of attacks have been reported only for European institurions but it could potentially affect banks all over the wolrd.

The attack demonstrates that not only desktop PCs have to be protected by security systems but also mobile needs countermeasures to mitigate cyber threats, report states:

“To best protect against attacks like Eurograbber, online banking customers need to ensure they have the most current protection in two areas – on the network that provides them internet access to their bank and on the computer they use to conduct online banking.”

Pierluigi Paganini

 

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

13 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

19 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.