Lastline Labs

Three interesting changes in malware activity over the past year

Posted by Dr. Christopher Kruegel on 3/31/16 5:00 AM

Every day, our Lastline sensors observe millions of files that our customers download from the Internet or receive as email attachments. These files are analyzed and, in many cases, executed or opened inside our sandbox. The sandbox is a secure, instrumented analysis environment where we can safely look for interesting behaviors that indicate bad intentions and outright malice. 

Every once in a while, we take a step back and look at the malicious behaviors that we have seen. Malware authors always look for new ways to make money, get access to sensitive data, and evade detection. They introduce new behaviors, refine ideas that they have tried in the past, and add tricks to bypass security controls. By looking over the data collected over the past year, we discovered a few trends that show some of the directions malware authors are taking. In this research note, we discuss three findings that struck us as interesting and worth reporting. As a fourth, bonus item, we also revisit evasive behaviors, something that we have been tracking for many years.


Topics: Evasive Malware, Bank Malware, Lastline Labs, Banking Trojan, Browser Modification, Code Signing

Carbanak Malware — Ninety Five Percent Exhibits Stealthy or Evasive Behaviors

Posted by Dr. Christopher Kruegel on 2/19/15 12:00 PM

We’ve talked a lot about the increasing sophistication of malware and the serious threats it poses. But it is rare to get to analyze evasive or stealthy malware that was deployed in the wild and carried out cybercrime for months without being detected by the security systems in place.

From the Security Analyst Summit in Cancun this week, Kaspersky Labs published a report detailing a series of sophisticated attacks on banks around the world, reported to have netted as much as $1 billion since late 2013 and possibly still underway.

According to Kaspersky, Carbanak malware was deployed to infiltrate banks, take over ATMs, adjust balances and transfer funds via remote access. To better understand how the malware used in these attacks evaded detection by traditional security technology for so long, we took a closer look at all of the 74 Carbanak malware samples available to us through VirusTotal (nearly 70% of those listed in the report).


Topics: Evasive Malware, Bank Malware, Carbanak, Kaspersky Labs

Analyzing a banking Trojan

Posted by Sebastian Poeplau on 4/17/14 6:00 AM

In our effort to detect threats to the users of Android devices, we analyze a lot of malicious apps. This post walks through the analysis of one such sample, a banking Trojan that we came across recently. It pretends to generate one-time authentication codes for online banking, but its real purpose is to steal the user's banking credentials and to intercept incoming SMS (which may carry transaction authentication numbers, TANs). It also tries to evade analysis by checking its runtime environment.

We have seen different versions of the app, but this post is based on samples with SHA1 hashes e370ab3f1fbecfc77bdc238591d85882923ed37e and 698a1c5574fbe8ea1103619d81fdd4e8afa85bd5.
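Two of the traits named above, SMS interception and runtime-environment checks, are visible statically once an APK is decoded. The following triage script is an added example, not code from the original post or from Lastline's analysis tooling. It assumes the APK has already been decoded (for instance with apktool) so that AndroidManifest.xml is plain text and the code is available as smali or extracted strings; the manifest and smali excerpt embedded below are constructed for illustration and are not taken from the samples listed above.

```python
"""Static triage for an Android banking Trojan's two telltale traits:
SMS interception and emulator/runtime-environment checks.

Added example (not the post's code). Assumes a decoded APK: plain-text
AndroidManifest.xml and smali/strings. Sample inputs are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest: RECEIVE_SMS permission plus a receiver for SMS_RECEIVED
# registered at the maximum priority value so it runs before the default SMS app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.faketoken">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank Token">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed smali excerpt standing in for the app's decompiled code.
SAMPLE_SMALI = """
sget-object v0, Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;
const-string v1, "generic"
invoke-virtual {v2}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
const-string v3, "000000000000000"
const-string v4, "goldfish"
"""

# Literal values commonly compared against to recognize the stock Android
# emulator; their presence next to Build/TelephonyManager calls is the signal.
EMULATOR_INDICATORS = {
    "generic": "Build.FINGERPRINT / Build.DEVICE of stock emulator images",
    "goldfish": "hardware name of the classic Android emulator",
    "000000000000000": "IMEI returned by the emulator's TelephonyManager",
    "Android SDK built for x86": "Build.MODEL of x86 emulator images",
}


def _priority(intent_filter):
    """Parse android:priority; resource references (@integer/...) count as 0."""
    raw = intent_filter.get(ANDROID_NS + "priority", "0")
    try:
        return int(raw)
    except ValueError:
        return 0


def sms_interception_indicators(manifest_xml):
    """Return findings about the SMS permission and SMS_RECEIVED receivers."""
    root = ET.fromstring(manifest_xml)
    findings = []
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    if "android.permission.RECEIVE_SMS" in perms:
        findings.append("requests android.permission.RECEIVE_SMS")
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name")
        for filt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.iter("action")}
            if SMS_RECEIVED not in actions:
                continue
            prio = _priority(filt)
            note = f"receiver {name} handles SMS_RECEIVED with priority {prio}"
            if prio >= 1000:
                # Heuristic threshold: SMS_RECEIVED is an ordered broadcast, so a
                # very high priority lets the app read the SMS first and, on
                # Android versions before 4.4, abortBroadcast() it so the user
                # never sees the TAN.
                note += " (high: sees incoming SMS before the default app)"
            findings.append(note)
    return findings


def emulator_check_indicators(code_text):
    """Return the emulator indicator strings present in the decoded code."""
    return {k: v for k, v in EMULATOR_INDICATORS.items() if k in code_text}


def triage(manifest_xml, code_text):
    """Combine both checks into a verdict a human analyst can act on."""
    sms = sms_interception_indicators(manifest_xml)
    emu = emulator_check_indicators(code_text)
    verdict = "suspicious" if sms and emu else "review"
    return {"sms": sms, "emulator_checks": sorted(emu), "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_SMALI).items():
        print(f"{key}: {value}")
```

Each indicator on its own is weak (legitimate SMS apps request RECEIVE_SMS, and some apps check for emulators for licensing reasons), which is why the verdict only rises to "suspicious" when a high-priority SMS receiver and emulator checks appear together in an app that claims to be a bank token generator; the final call still belongs to dynamic analysis in a sandbox that does not expose the indicator values the sample is looking for.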

The user's perspective

Let's start by observing how the app under analysis presents itself to the user. It disguises itself as an app provided by the user's bank and pretends to help with the generation of one-time secrets for online banking. We have seen versions that target the Swiss ZKB and the Austrian Erste Bank. Note, however, that it would be easy for the malware's author to adapt the Trojan to other banks.

The app's login screen.


Topics: Android Security, Bank Malware
