Attack Vectors Behind Online Banking Malware "DreamBot" Targets Japan
16 OCT 2017 | Warning Alert
While the damage caused by the WannaCry ransomware has been reported worldwide, in Japan the attack campaign of the internet-banking malware "DreamBot" is still ongoing.
Although the Japan Cyber Crime Prevention Center issued a warning about DreamBot in March 2017, the campaign has continued: as of May 2017 we have been detecting Japanese-language mass mailings spreading DreamBot several times a week.
Figure 1 shows examples of such Japanese-language mass mailings received on May 15 and 18. Both attachments were zip archives, containing either the DreamBot executable itself or a Word document with an embedded .js file that downloads DreamBot from a malicious site.
In this post I investigate the attacker groups behind the Japanese-language mass mailings that spread DreamBot.
*For the large-scale "WannaCry" ransomware attack, I have summarized the threat overview and the measures your organization should take in the following guide:
Ransomware "WannaCry" Countermeasure Guide rev.1 (Japanese)
About DreamBot
DreamBot is malware that extends the functionality of Ursnif (alias Gozi); it mainly targets financial institutions, stealing internet-banking credentials. Much of its code is shared with Ursnif. Ursnif was rampant in Japan in 2016, which is still fresh in memory, and it has been continuously upgraded and revised ever since. At the start of 2017 Ursnif gained a function that downloads a Tor module (*1) from an external site and then communicates with its C2 (command and control) server through that module. This Tor-enabled Ursnif came to be called DreamBot. As far as we have been able to determine, the Tor function was added in version 216896, so we regard that version onward as DreamBot.
Figure 2 compares version 216896 (DreamBot), which has the Tor function, with version 216887 (Ursnif), considered its immediate predecessor. In version 216896, note the strings boxed in red, such as "Tor Client" and ".onion".
Possibility of two attacker groups behind the scenes
Investigating the DreamBot samples spread in Japan, we found several features they have in common.
DreamBot uses Serpent and RSA encryption, among others, to protect its communication with the C2 server and the web-injection configuration with which it targets banking organizations.
We therefore focused on the Serpent key used by the samples spread in Japan. We confirmed that two distinct Serpent keys are in use, which suggests that two attacker groups may be behind the campaign.
Note that Trend Micro's blog post "Analysis of DreamBot, A New Threat Targeting Domestic Internet Banking" also suggests that two attacker groups are involved, based on differences in the mail-sending infrastructure and the targeted banking organizations.
Figure 3, produced with Maltego, maps each Serpent key to its associated Group IDs, C2 servers in the Tor network and mail-sending infrastructure. Each attacker group appears to use its own Group IDs to manage its targets.
Looking at the Group IDs boxed in red, such as 1083, 1084 and 10844, a grouping pattern is visible, and as the numbers increase the DreamBot version also increases. The characteristics of the attacker group using each Serpent key are described below.
1. Serpent Key "0WADGyh7SUCs1i2V"
The attacker using this Serpent key is the group that spread Ursnif until mid-November 2016 using URLZone (aka Shiotob/Bebloh) as a downloader, as described in the article "Attached Malware in Broadcast Mail in Japanese" (*2).
We have not confirmed any activity from this group since the DreamBot (version 216912) that spread around mid-February 2017. We believe this group sends its mail from a Cutwail botnet infrastructure.
2. Serpent Key "s4Sc9mDb35Ayj8oO"
This group spread Ursnif via an exploit kit around July 2016. Currently most DreamBot samples distributed through Japanese-language mass mailings carry this Serpent key, and as of May 18, 2017, the latest version seen with it is 216943.
In addition, we confirmed that this group's mail-sending infrastructure varies by Group ID: as shown in Figure 3, Group ID 1050 sends mail from a Cutwail infrastructure, while the other four Group IDs send mail without using Cutwail.
To our understanding both groups above target Japan. We have also widened our view to DreamBot activity outside Japan and are checking whether other Serpent keys exist.
Serpent keys used by groups other than those targeting Japan are described in the "ISFB" paper that CERT.PL presented at Botconf 2016.
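As an added illustration of the clustering approach described above (this is example code written for this page, not code from the original post or its authors): a small Python triage script that groups unpacked samples by which of the two Serpent keys named above they contain, and flags the Tor-capable builds by the "Tor Client" / ".onion" strings shown in Figure 2. It assumes the Serpent key and any .onion hostnames are present as plain ASCII strings in an unpacked sample (a packed sample, or one with a key not listed here, shows up as "unknown"); the sample bytes are constructed stand-ins, not real malware.

```python
import re
from collections import defaultdict

# The two Serpent keys the article attributes to the groups targeting Japan.
KNOWN_SERPENT_KEYS = {
    b"0WADGyh7SUCs1i2V": "group 1 (ex-URLZone, Cutwail mail)",
    b"s4Sc9mDb35Ayj8oO": "group 2 (ex-exploit kit, mixed mail infra)",
}

# Strings the article shows in the Tor-capable build (version 216896 onward).
TOR_MARKERS = (b"Tor Client", b".onion")

# ASSUMPTION: .onion hostnames sit in the sample as plain ASCII.
# 16 base32 chars = v2 address (in use in 2017); 16+40 = v3 address.
ONION_RE = re.compile(rb"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")


def find_serpent_key(data):
    """Return the known Serpent key embedded in `data` (as str), or None."""
    for key in KNOWN_SERPENT_KEYS:
        if key in data:
            return key.decode("ascii")
    return None


def is_tor_capable(data):
    """True if the sample carries the Tor-client strings (DreamBot, not plain Ursnif)."""
    return any(marker in data for marker in TOR_MARKERS)


def onion_addresses(data):
    """Sorted, de-duplicated .onion hostnames found in the sample."""
    return sorted({m.decode("ascii") for m in ONION_RE.findall(data)})


def triage(name, data):
    """One-line verdict for a sample: key, group, Tor capability, onions."""
    key = find_serpent_key(data)
    return {
        "sample": name,
        "serpent_key": key,
        "group": KNOWN_SERPENT_KEYS[key.encode("ascii")] if key
                 else "unknown (new key, or sample still packed?)",
        "family": "DreamBot (Tor)" if is_tor_capable(data) else "Ursnif (HTTP only)",
        "onions": onion_addresses(data),
    }


def cluster_by_key(samples):
    """Map each Serpent key (or 'unknown') to the sorted list of sample names."""
    clusters = defaultdict(list)
    for name, data in samples.items():
        clusters[find_serpent_key(data) or "unknown"].append(name)
    return {key: sorted(names) for key, names in clusters.items()}


# Constructed stand-ins for unpacked samples (not real malware): a PE-like
# header followed by the strings a string dump would reveal.
SAMPLES = {
    # group 2 key, Tor client strings, a v2 onion C2 -> DreamBot
    "sample_a.bin": b"MZ\x90\x00" + b"\x00" * 8 + b"s4Sc9mDb35Ayj8oO\x00"
                    + b"Tor Client\x00" + b"mfrggzdfmztwq2lk.onion\x00",
    # group 1 key, no Tor strings -> pre-DreamBot Ursnif
    "sample_b.bin": b"MZ\x90\x00" + b"\x00" * 8 + b"0WADGyh7SUCs1i2V\x00"
                    + b"http://\x00",
    # unlisted key, but an onion address -> Tor-capable, group unknown
    "sample_c.bin": b"MZ\x90\x00" + b"\x00" * 8 + b"XXXXXXXXXXXXXXXX\x00"
                    + b"abcdefghijklmnop.onion\x00",
}


def main():
    for name, data in SAMPLES.items():
        print(triage(name, data))
    print(cluster_by_key(SAMPLES))


if __name__ == "__main__":
    main()
```

In practice you would feed `triage()` the memory-dumped or unpacked payload rather than the packed dropper, since the key strings are only visible after unpacking; an "unknown" verdict is therefore a prompt to unpack first, and only then a hint that a third key may be in circulation.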
How to avoid damage from DreamBot
Taking last year's Ursnif campaigns into account, these attacks have been going on for a long time. This means the number of affected users is not small, and attackers may already have obtained information from infected machines in Japan.
Moreover, checking the web-injection configuration files used in recent attacks, we see that the targets have gradually widened beyond banks and credit card companies to include shopping sites and search engine sites.
We have reason to believe that Japanese-language mass-mail attacks distributing DreamBot will continue. The following are only basic security measures, but they are what prevents damage from DreamBot:
- Keep all software up to date, including the Windows OS, Office products and web browsers
- Install anti-virus software and keep its signature (pattern) files up to date
- Do not open suspicious email attachments or URLs
Please check that these measures are in place and, if they are not, we recommend implementing them.
IOC information (Indicators of Compromise) download: PDF version (232KB)
*1 If the Tor module cannot be downloaded from the C2, DreamBot falls back to plain HTTP for its C2 communication, just like Ursnif.
*2 Since December 2016 we have not seen any attacks using URLZone. One possibility is that URLZone became unavailable when the takedown operation (Op. Avalanche) was carried out in December 2016.