
TSPY_BANKER Banking Trojan Targets banks in South Korea

Security experts at Trend Micro detected a new banking trojan, dubbed TSPY_BANKER.YYSI, which uses Pinterest as its command and control channel.

According to researchers at Trend Micro, banks in South Korea are once again the target of a new financial malware designed to attack their customers.

The attackers have targeted customers of the principal financial institutions of the country, including Hana Bank, Nonghyup Bank, the Industrial Bank of Korea (IBK), Shinhan Bank, Woori Bank, Kookmin Bank, and the Consumer Finance Service Center. TSPY_BANKER.YYSI is the name of the banking malware, which belongs to the BANKER malware family and is served through compromised websites that redirect visitors to a domain hosting the exploit kit.

TSPY_BANKER.YYSI redirects victims to the phishing pages only if they use Internet Explorer to access the banking sites. The malware authors take advantage of a South Korean law that requires Korean Internet users to access online banking services and to make online purchases with Internet Explorer (used by nearly 75% of Korean users).

Once it has infected the bank customer’s machine, the malware monitors the victim’s online activity and redirects the browser to a phishing website when the user tries to access one of the targeted financial institutions.

“To deliver this threat to the user, legitimate sites are first compromised and an iframe tag is injected. This tag redirects users to a second compromised site which hosts an exploit kit, which delivers the banking Trojan to the user. We detect this as TSPY_BANKER.YYSI. Once this malware is present on an affected system, users who access certain banking websites using Internet Explorer are automatically redirected to a malicious site.” wrote Joseph C Chen (Fraud Researcher) at Trend Micro in a blog post.

The experts at Trend Micro also discovered that TSPY_BANKER.YYSI was used to target a popular South Korean search engine. When Internet users visit the search engine website, they are presented with a pop-up containing links to websites of financial institutions that the malicious agent is able to control.

Another element of interest in the TSPY_BANKER.YYSI malware is the organization of its command & control infrastructure, which exploits the popular social media network Pinterest. TSPY_BANKER.YYSI receives instructions from the attackers through comments posted on Pinterest. The messages appear incomprehensible to ordinary users of the social network: for example, the command “104A149B245C120D” is decoded simply by replacing the letters with dots, giving the IP address “104.149.245.120” of the server hosting the phishing page.

“This is normally done by contacting a C&C server, but in this case the attackers didn’t do that. Instead, they used the social networking site Pinterest. Cybercriminals can customize redirect victims to different fake servers using comments on certain Pinterest pins” continues the post.
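The decoding step described above can be turned into a triage check. The following is an added example, not code from the Trend Micro analysis or from the malware: it decodes comment tokens of the shape the article describes (the exact regex is an assumption), rejects tokens that do not yield a valid IPv4 address, and scans a constructed set of comments for such hidden C2 addresses.

```python
import ipaddress
import re
from typing import Optional

# Pinterest comments carrying a C2 address look like "104A149B245C120D":
# four octets separated by the letters A, B, C and a trailing D.
# The regex is an assumption about the exact shape described in the article.
ENCODED_IP_RE = re.compile(r"\b(\d{1,3})A(\d{1,3})B(\d{1,3})C(\d{1,3})D\b")


def decode_c2_comment(token: str) -> Optional[str]:
    """Decode one TSPY_BANKER-style token into a dotted IPv4 string.

    Returns None when the token does not match the scheme or the
    decoded octets do not form a valid IPv4 address (e.g. "999A1B1C1D").
    """
    m = ENCODED_IP_RE.fullmatch(token)
    if not m:
        return None
    candidate = ".".join(m.groups())
    try:
        # ipaddress rejects octets above 255 and malformed octets for us
        return str(ipaddress.IPv4Address(candidate))
    except ValueError:
        return None


def scan_comments(comments: list[str]) -> list[tuple[str, str]]:
    """Scan free-text comments and return (token, decoded_ip) pairs.

    Intended as a detection check over a feed of social-media comments
    or over strings extracted from a sample during malware triage.
    """
    hits = []
    for text in comments:
        for m in ENCODED_IP_RE.finditer(text):
            ip = decode_c2_comment(m.group(0))
            if ip is not None:
                hits.append((m.group(0), ip))
    return hits


# Constructed sample comments: only the first token is the one quoted in
# the article; the other tokens are made up for this example.
SAMPLE_COMMENTS = [
    "nice pin! 104A149B245C120D",
    "love this recipe",
    "check 198A51B100C7D and 999A1B1C1D",
]

if __name__ == "__main__":
    for token, ip in scan_comments(SAMPLE_COMMENTS):
        print(f"{token} -> {ip}")
```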

The researchers discovered that the attackers used exploits for two patched Internet Explorer vulnerabilities, CVE-2013-2551 and CVE-2014-0322, in order to spread the malware. The experts also noticed many similarities with the code of the Sweet Orange exploit kit, which is very popular in the criminal underground.

The attackers also used other exploit kits, including Gongda, which is able to exploit the Windows vulnerability CVE-2014-6332 recently patched by Microsoft.

Who is behind the attack?

It is very difficult to establish, but a few pieces of evidence suggest the involvement of Chinese attackers.

“The malware also communicates to various servers to the URL hxxp://{various IP addresses}:9000/tongji.html. (The word tongji is the Romanized form of the Chinese word for statistic.) The cybercriminals also used a Chinese web analytics/tracking service named 51yes.com to generate statistics both for the compromised websites and the C&C servers.”

Pierluigi Paganini

(Security Affairs –  TSPY_BANKER.YYSI banking trojan, Trend Micro)
