Apache malware targeting online banking
Posted on 19.12.2012
Analysis of a malicious Apache module, detected by ESET as Linux/Chapro.A, found that the world's most widely used web server, Apache, is being used to carry out these attacks, injecting malicious content into web pages served by an infected Linux server, without the knowledge of the website owner.


Although the malware can serve practically any type of content, in this specific case it installs a variant of Win32/Zbot, malware designed to steal information from online banking customers. While this particular version of Win32/Zbot targets European and Russian banking institutions, Linux/Chapro.A could eventually be used to mount attacks on American banks.

"The attack described in the present analysis shows the increased complexity of malware attacks," said Pierre-Marc Bureau, ESET security intelligence program manager. "This complicated case spreads across three different countries, targeting users from a fourth one, and making it very hard for law enforcement agencies to investigate and mitigate its effects."

The malicious module has a couple of interesting capabilities used to reduce its chances of being spotted by system administrators, like setting cookies on the victim's machine and hiding from web browsers in which it might produce an error. ESET researchers first discovered Linux/Chapro.A in November. The exploit was first blocked by ESET through generic detection, even before the link was added to the URL blacklist. At the time of the analysis, the malicious command and control server was being hosted in Germany, but has recently gone offline.

Based on ESET's analysis, the iframe injected by Linux/Chapro.A points to a "Sweet Orange" exploit pack landing page.

"At the time of our analysis, the exploit pack was being hosted in Lithuania. The pack tries to exploit several vulnerabilities found in modern web browsers and plugins," said Bureau. "Our investigation reveals, the final purpose of the attack is to install a variant of Win32/Zbot, also known as ZeuS. For many years, ZeuS has been widely used to steal banking related information."

Once the user has logged into his account, the malware will inject a pop-up asking for the user's CVV code. The malware will then try to send the user credentials along with the CVV to the botnet operator. While the ESET research team has not witnessed any other installations of Linux/Chapro.A in the wild, it has observed thousands of users accessing the "Sweet Orange" exploit pack.





Spotlight

Operation Pawn Storm: Varied targets and attack vectors, next-level spear-phishing tactics

Posted on 23 October 2014.  |  Targets of the spear phishing emails included staff at the Ministry of Defense in France, in the Vatican Embassy in Iraq, military officials from a number of countries, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Oct 24th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //