Pierluigi Paganini May 17, 2013

Group-IB researchers have detected a new botnet named Kangoo that infected more than 150 000 machines mainly targeting Australian banks.

Group-IB researchers have detected a new botnet named Kangoo that infected more than 150 000 machines, specialists dubbed it «Kangoo» due the presence of  a kangaroo logo on the WEB-interface of the C&C administrative panel. The botnet mainly targeted Australian banking with an emphasis on online-banking theft, customers of the leading AUS banks, such as Commonwealth Bank, Bank of Queensland, Bendigo and Adelaide Bank and ANZ, were affected.

According to the information provided by Group-IB, ANZ and Bank of Queensland reacted on the fraud alert immediately and the specialists from Group-IB shared with them information extracted from the botnet with the details of compromised customers, following some data collected by Group-IB Bot-Trek system.

Who is responsible for the banking theft? Is it the bank’s fault?

One of the most important issues currently facing  the bank is the incident response related to banking trojan infections of its customers, the procedure is still quite complicated, many banks prefer to notify the infected customer  and ask for online-banking credential reset.  Unfortunately this practice is absolutely not efficient because the malware is often still present in the victim’s PC and could capture a new credential a second time and forward to a controlled server.

 «The bank can suggest to the customer that their PC may be infected, but it is not their prerogative to insist the customer clean any possible malware” – said Dan Clements, Group-IB US Managing Partner.

What to do if your customers were infected?

«We recommend the banks to create an incident response action plan as well as to develop a customer awareness program with practical recommendations, what they need to do if they were notified by the bank that their banking account was compromised and their computer may be infected by the banking malware» – said Andrey Komarov, the Head of international Project, CERT-GIB CTO.

Previously, Group-IB has published a recommendation paper with action plan helping the Russian banks to gather all the most important digital evidences from the compromised PC. Reinstalling of the OS may not help, due the use of so called «bootkits» in modern banking malware which infect the MBR (Master Boot Record), such as Carberp 2 and new types of TLD, and affect BIOS. The presence of an antivirus product helps but not represents a complete solution, the majority of new banking trojans can not be detected by AV because the implementation of AV avoidance techniques.

Most common evasion techniques make use of stolen digital certificates from trusted partners, various obfuscators, encryption and new kernel levels of security solutions bypass, and in same rare cases the exploiting of OS vulnerabilities.

Group-IB recommends for the banking fraud and cybercrime analysis departments to proceed with the following steps:

1. To block the compromised customer from online-banking access and to change his credentials. Account block will help to prevent the potential theft during the incident response actions and investigation procedure.
2. To contact the compromised customer by phone and explain him the reason why his credentials are invalid right now and why they were changed by the bank.  It is important to not use the e-mail, because of the cybercriminals may have the access to it and the banking Trojan can make graphical screenshots from the infected PC to intercept the customer’s actions, which tips off the cybercriminals and makes an investigation more difficult.
3. To use another reserve PC, which is not infected, or to reinstall OS. The infected PC may be provided to the computer forensics laboratory or LEA with the bank’s help for further investigation. Some big banks have own computer forensic laboratories, some use third parties expert companies, which can help to create an image of the infected PC and then to research it in order to create necessary digital evidences for the reporting such as:

• Extracted malware sample for further analysis, it’s time of installation on the system, the source of installation;
• C&C used to send intercepted data from the infected PC.

Sometimes, such kinds of reports are widely used by an LEA and courts for successful cybercriminal prosecution, as today the legislation in cybercrime field is still quite weak, unfortunately, cyber criminals often go unpunished.

In many cases the customer request the support of experts specialized in computer forensics to produce such kind of expertise for the court after online-banking theft, the client requests to recover stolen funds from the bank side but it is a complicated dispute as well. Banks use flexible customer agreements that sometimes clearly declare that the banks have no responsibility for the customer’s safety and security against unauthorized access to his PC, malware and other cyber threat are considered a customer’s side event and due this reason out of Bank control.

Another possible approach is passive, no response action follows the alert or the incident, the bank can just receive the information about compromised customer and then to monitor it’s activity until suspicious transfer will be created (can be characterized by new transfer destination, suspicious amount and time of the transfer; IP and PC details are useless, as the most part of modern online-banking thefts are going from the same IP of infected customer through remote administration by VNC spawning techniques or patched RDP for multiple remote connections from the hacker’s side). Such approach is very efficient during cybercrime chain investigations, when it is important to get information about all the personalities involved in it such as “money mules”, botmaster and ISP that is maintaining it, of course the approach takes some efforts from the bank’s side.

Are there any «money mules» in Australia? Yes!

«Money Mule» services have increased during the period 2010-2012,  the following picture shows that the majority of money mules services of AUS work on sharing margin (fifty-fifty).

 Following the translation:

«Good day. We provide drops in Australia, for 2k and 5k transfers. We make drops by unique methodologies, use only own “projects” for it, and don’t use public solutions. All employees are passing special instruction and control. You will obtain special access to specialized system for controlling them. Work 50/50, costs on cashout are not included. The first contact – in PM.»

Group-IB experts found that blackmarket of banking theft for Australian banks is very well developed nowadays and can become one of the key targets for modern cybercriminals in 2013-2015

Рic. 3 –

Translation:

«Need money mules in AU. Will transfer any amounts. 50% – my share from the transferred amount. Private message.»

One of the reasons Australia is a target is a favorable  time zone for Eastern European cyber criminals to facilitate bank transfers.

Perspective of customer’s security

Even though a customer can execute any malicious program, which may compromise their online bank account, the bank is more or less in a partnership with its clients on the financial accounts, sharing some liability. It is in the banks best interest to insure programs and policies that keep the customer happy and retain its loyalty.

“We were really impressed with the time frame of ANZ Bank reaction. A specialized cybercrime analysis representative official responded immediately, and we have provided all the necessary information about the compromised customer credentials with IPs”, said Andrey Komarov of Group-IB.  “It seems the ANZ bank understands the value of getting all of their customers compromised information today, as opposed to moving slowly where more financial losses can affect the bottom line of both the customer and the bank.”

In the specific Kangoo case the investigation suggests that the botnet owners possibly locate CIS countries (former USSR) and use several WEB-injects methods for hidden automatic hijacking of the transfer’s destination.

WEB-injects is the main weapon of modern cyber criminals, which helps them to make a huge profit without any handy work. The market of WEB-injects nowadays is quite impressive.

In the above picture http://westpac.com.au personal and business online-banking accounts grabber based on WEB-inject and virtual keyboard interceptor.

The pricing on it is different and starts from 50$ to 500$, depending on the quality of WEB-inject. Some of it is traded in private communities where the programmer will receive % from all successful thefts. Many of the injects are developed for the well-known banking Trojans such as Citadel, Carberp and Zeus, as well as for quite private malware such as Andromeda.

Commonwealth Bank, Teachers Mutual Bank, DefenceBank, WestPac, Suncorp, BankWest, NAB – cybercriminals developed WEB-injects for the most famous banks in AUS

Group-IB is cooperating with the banks on this issue, as the cybercriminals are not still arrested, and the investigation is in the progress. The C&C and the personalities involved in the crime were detected and shared with the banks on a confidential basis for collaboration with Australian LEA. All the compromised data and customers IPs for finding botnets were imported into Group-IB Bot-Trek for further investigation and cyber intelligence sharing.

Pierluigi Paganini

(Security Affairs – Botnet)