The financial malware landscape is constantly evolving, cybercriminals are becoming more knowledgeable about the financial sector, and attacks are becoming more sophisticated. We’ve recently released a report, “The World of Financial Trojans,” describing the different features and techniques used by banking malware. It would seem that the choices made by the malware authors concerning these techniques and features depend on the cybercriminals’ financial resources and market knowledge.
In most cases financial malware favors exploit kits as their infection vector. In the past few months we have been actively monitoring an exploit kit, called Gongda, which is mainly targeting South Korea. Interestingly, we have come across a piece of malware, known as Castov, being delivered by this exploit kit that targets specific South Korean financial companies and their customers. The cybercriminals in this case have done their research on the South Korean online financial landscape.
Figure 1. Heatmap of Gongda IPS detections for May 2013 (98% of hits are in South Korea)
The initial stage of this threat is Downloader.Castov and is compiled in Delphi with the ability to stop antivrius software which, once inside a computer, will report the infection to its command-and-control (C&C) server and download an encrypted file that is the second stage.
The second stage is Infostealer.Castov. The infostealer checks at specific offsets in a list of clean DLLs (all related to Korean online banking software and security) for opcode instructions and then patches those instructions. The injected code checks strings that appear to be passwords, account details, and transactions. Once the data is found and collected, it will be sent to a remote server.
Table 1. Targeted DLLs and actions taken
Additionally, the infostealer collects the digital certificates stored in the compromised computer’s NPKI directory (%ProgramFiles%\NPKI). Those digital certificates are widely used in South Korea and are issued for financial general purposes (individual/corporate) such as banking, credit card, insurance etc. They are unique to each user and are valid for one year.
The combination of screenshots, passwords, and digital certificates will allow the cybercriminals to access users’ financial accounts.
Figure 2. Heatmap of Castov antivirus detection from January to May 2013
Symantec has the following protection in place for both Castov and Gongda:
Intrusion prevention protection:
To ensure the best protection, we recommend you use the latest Symantec Technologies and up to date antivirus definitions.