
KL-Remote toolkit allows criminals to easily hack online banking accounts

Researchers at IBM Trusteer discovered a new toolkit dubbed KL-Remote that allows criminals to run Remote Overlay Attacks without specific skills.

Arranging scams and conducting illegal activities is becoming ever easier for cyber criminals thanks to the products on offer in the cyber criminal ecosystem. KL-Remote, for example, is a new toolkit that can be used to compromise online banking accounts by accessing them directly from the victim's machine without raising much suspicion.

The KL-Remote toolkit was discovered by researchers at IBM Trusteer while digging into the Brazilian hacking underground, which is known for offering products and services built specifically for online banking fraud. Unlike other financial malware, KL-Remote requires manual intervention: for its distribution, threat actors rely on other malicious code that drops it on the victim's machine.

Once installed on the target machine, the KL-Remote toolkit monitors the user's online activity, waiting for access to the websites of certain banks and financial institutions. If the victim visits a website of interest, the toolkit notifies its operator and also sends back information on the victim's device, including operating system, IP address, processor, and connection speed.

“Toolkits such as KL-Remote — which package a preconfigured fraud flow in a user-friendly GUI — greatly expand the pool of people who can commit banking fraud. With the toolkit, a criminal with basic technical skills can perform high-end fraud attacks that can circumvent strong authentication. Furthermore, the ability to embed the toolkit in types of common malware greatly increases its availability and reach.”

“The KL-Remote toolkit has a list of predefined targeted bank URLs. Once a user of an infected computer navigates to a targeted online banking website, the malware operator is alerted. The alert includes details on the infected computer, such as its operating system, processor and IP address.” reports Trusteer in a blog post.

The toolkit includes a very user-friendly banking fraud console that allows the operator to carry out the various activities needed to steal the victim's credentials and take over the account.

The interface includes features for running attacks on both Personal and Business Banking accounts; it allows the operator to remotely control the keyboard and mouse and to present the victim with various messages that instruct them to provide valuable information or to perform actions that help the operator extend control over the bank account.

KL-Remote is very effective for running remote overlay attacks that circumvent traditional fraud controls, including two-factor authentication mechanisms.

“The toolkit lets the criminal present the victim with a pop-up asking for two-factor authentication (2FA), such as tokens or one-time passwords received out-of-band. Some types of 2FA require a physical element such as a USB authentication key. Since the attack is carried out from the victim’s computer while the victim is browsing the legitimate banking website, the victim is likely to have the USB key plugged in at the time of the attack.” states the post.

Once the attacker has collected all the information necessary to access the victim's online banking account, KL-Remote displays a new message instructing the victim to wait until the operation is completed.

To prevent the victim from noticing the operator's actions, the toolkit overlays a screenshot on the screen. KL-Remote is very insidious because a skilled operator could use it to bypass traditional anti-fraud mechanisms by obtaining the information from the victim without raising suspicion.

How to prevent Remote Overlay Attacks?

On the client side, it is important to prevent infections, while on the server side it is necessary to put in place detection measures that look for anomalous activity.

“In order to prevent the overlay attacks, endpoint protection must be able to prevent the remote access tool from being installed (by detecting and preventing the malware infection) and prevent the browsing of a banking website from a remote-controlled computer.” states the post.

“The key to accurately detecting remote overlay attacks on the server side lies in gathering evidence on the full life cycle of the fraud event, such as the following:

  • Evidence of a malware infection;
  • Unusual browsing patterns, which would result from the victim being redirected by the KL-Remote toolkit operator;
  • Evidence of the use of remote access tools to log in to a banking website;
  • Unusual transactional activity.”
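A server-side correlation check built around the four evidence categories quoted above, as an added example that is not part of the Trusteer post or this article: the Session fields, weights and thresholds are assumptions made for illustration, and the three sessions are constructed.

```python
from dataclasses import dataclass, field

# Weights and thresholds are assumptions for this example, not Trusteer's model.
WEIGHTS = {"malware": 40, "browsing": 20, "rat": 30, "transaction": 25}
ALERT_THRESHOLD = 60
EXPECTED_PATH_PREFIX = ["login", "overview"]  # normal start of a banking session

@dataclass
class Session:
    user: str
    endpoint_flags: set = field(default_factory=set)  # flags from endpoint protection
    pages: list = field(default_factory=list)         # ordered pages visited
    remote_input: bool = False                        # input pattern typical of remote control
    transfer_amount: float = 0.0
    payee_known: bool = True
    usual_max_amount: float = 0.0

def evidence(s: Session) -> dict:
    """Map each of the four life-cycle evidence categories to the reason it fired."""
    found = {}
    if "malware_infection" in s.endpoint_flags:
        found["malware"] = "endpoint reported an infection"
    if "transfer" in s.pages and s.pages[:2] != EXPECTED_PATH_PREFIX:
        found["browsing"] = "reached transfer page without the usual overview step"
    if s.remote_input or "remote_access_tool" in s.endpoint_flags:
        found["rat"] = "session driven through a remote access tool"
    if not s.payee_known or s.transfer_amount > 3 * max(s.usual_max_amount, 1.0):
        found["transaction"] = "new payee or amount far above historic maximum"
    return found

def score(s: Session) -> int:
    return sum(WEIGHTS[k] for k in evidence(s))

def verdict(s: Session) -> str:
    """Hold only when signals span at least two phases, so one anomaly alone is not blocking."""
    ev = evidence(s)
    if score(s) >= ALERT_THRESHOLD and len(ev) >= 2:
        return "hold_transaction"
    return "step_up_review" if ev else "allow"

# Constructed sessions, not real telemetry.
CLEAN = Session("alice", pages=["login", "overview", "transfer"],
                transfer_amount=200, usual_max_amount=500)
SINGLE = Session("carol", pages=["login", "overview", "transfer"],
                 transfer_amount=5000, usual_max_amount=1000)
OVERLAY = Session("bob", endpoint_flags={"malware_infection"}, pages=["login", "transfer"],
                  remote_input=True, transfer_amount=4000, payee_known=False,
                  usual_max_amount=600)
```

The point of the two-phase rule in verdict is the one the quote makes: a single anomaly triggers review, while a hold requires evidence from more than one stage of the fraud event.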

Pierluigi Paganini

(Security Affairs – KL-Remote, cybercrime)

