This post was prepared with contributions from Asheer Malhotra, Charles Crawford, and Jessica Saavedra-Morales.
On February 28, the McAfee Advanced Threat Research team discovered that the cybercrime group Hidden Cobra continues to target cryptocurrency and financial organizations. In this analysis, we observed the return of Hidden Cobra’s Bankshot malware implant surfacing in the Turkish financial system. Based on the code similarity, the victim’s business sector, and the presence of control server strings, this attack resembles previous attacks by Hidden Cobra conducted against the global financial network SWIFT.
In this new, aggressive campaign we see a return of the Bankshot implant, which last appeared in 2017. Bankshot is designed to persist on a victim’s network for further exploitation; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations.
Based on our analysis, financial organizations in Turkey were targeted via spear phishing emails containing a malicious Microsoft Word document. The document contains an embedded Adobe Flash exploit, which was recently announced by the Korean Internet Security agency. The exploit, which takes advantage of CVE-2018-4878, allows an attacker to execute arbitrary code such as an implant.
the Further investigation into this campaign and analysis of McAfee product telemetry shows that the infection occurred on March 2 and 3. The implant’s first target was a major government-controlled financial organization. It next appeared in another Turkish government organization involved in finance and trade. A further three large financial institutions in Turkey were victims of this attack. The implant has so far not surfaced in any other sector or country. This campaign suggests the attackers may plan a future heist against these targets by using Bankshot to gather information.
Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity. The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. This implant also contains functionality to wipe files and content from the targeted system to erase evidence or perform other destructive actions. Bankshot was first reported by the Department of Homeland Security on December 13, 2017, and has only recently resurfaced in newly compiled variants. The sample we analyzed is 99% similar to the documented Bankshot variants from 2017.
The Bankshot implant is attached to a malicious Word document with the filename Agreement.docx. The document appears to be an agreement template for Bitcoin distribution between an unknown individual in Paris and a to-be-determined cryptocurrency exchange. The author of this document is test-pc. It was created February 26 and was submitted from the Netherlands. The document contains an embedded Flash script that exploits CVE-2018-4878 and downloads and executes the DLL implant from falcancoin.io.
We discovered two more documents, written in Korean, that exploit the same vulnerability as Agreement.docx. These documents appear to be part of the same campaign and may have been used on different targets. These documents also communicated with falcancoin.io to install Bankshot and also contain themes around cryptocurrency security.
Two Flash files exploit CVE-2018-4878.
- 843c17b06a3aee22447f021307909890b68828b9 (February 25)
- 343ebca579bb888eb8ccb811f9b52280c72e484c (February 25
The implants are downloaded via a Flash file embedded in the malicious document. They are executed when the victim views the document.
The implants (DLLs) are disguised as ZIP files and communicate with three control servers, two of them Chinese-language online gambling sites. These URLs can be found hardcoded in the implants’ code.
The sample (a2e966edee45b30bb6bb5c978e55833eec169098) is a Windows DLL that serves as a backdoor and contains a variety of capabilities. The malicious DLL is not a service DLL because it lacks ServiceMain(). To mask itself, it can run as a regular library loaded into a legitimate process.
The malware begins by creating a new thread from the DllMain() function to carry out its malicious activities:
The malware performs the following activities:
- Builds imports by dynamically loading APIs
- Decrypts strings needed for control server communications
- Performs control server communications
- Handles commands issued by the control server
- Uninstalls self from the system
The malicious thread dynamically loads the APIs it needs at the beginning of its execution using LoadLibrary() and GetProcAddress(). APIs from the following libraries are loaded at runtime:
Based on packet capture analysis of previous implants from 2017, the following strings are used in control server communications:
- Connection: keep-alive
- Cache-Control: max-age=0
- Accept: */*
- Content-Type: multipart/form-data; boundary=
- Content-Type: application/octet-stream
- Accept-Encoding: gzip,deflate,sdch
- Accept-Language: ko-KR -> Korean
- Content-Disposition: form-data;name=”board_id”
- Content-Disposition: form-data;name=”user_id”
- Content-Disposition: form-data;name=”file1″; filename=”img01_29.jpg”
- Content-Disposition: form-data;name=”file1″; filename=”my.doc”
- Content-Disposition: form-data;name=”file1″; filename=”pratice.pdf”
- Content-Disposition: form-data;name=”file1″; filename=”king.jpg”
- Content-Disposition: form-data;name=”file1″; filename=”dream.avi”
- Content-Disposition: form-data;name=”file1″; filename=”hp01.avi”
- Content-Disposition: form-data;name=”file1″; filename=”star.avi”
The implant either fetches the user agent from Internet Explorer (using ObtainUserAgentAsString()) or uses a default user agent specified in the malware binary:
Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36
Control Server Communications
The malware initiates communication with the control server by sending it an HTTP POST request with additional optional HTTP data, such as:
Content-Disposition: form-data; name="board_id"
Content-Disposition: form-data; name="user_id"
Content-Disposition: form-data; name="file1"; filename="king.jpg"
- board_id is a four-digit number that may be an identifier for a campaign ID. Based on analysis of previous samples, this is a unique identifier.
- user_id is a hardcoded value in the malware binary that is sent to the control server. The username appears to be attacker specified and has occurred in 2017 Bankshot samples. This links the previous samples with this unique username.
- filename is based on static analysis. This looks like a specific beacon to indicate that the malware is ready to receive commands.
The optional HTTP data with king.jpg looks like a beacon to inform the control server that the malware is ready to accept new commands:
- Commands received from the control server are encoded DWORDs
- After decoding, these DWORDs should be in the range 123459h to 123490h
Based on the responses received from the control server, the malware can carry out the following malicious tasks:
- Recursively generate a list of files in a directory and send to the control server
- Terminate a specific process. The process is identified by the control server sending the PID to the malware.
- Gather network addresses and operating system version
- Execute arbitrary commands using “cmd.exe /c”
- Create processes
- Write responses from the control server to a file
- Send information for all drives
- Write data sent by the control server to a temporary file matching the file path pattern %temp%\DWS00*
- Change the time of a file as specified by the control server
- Create a process by impersonating a logged-on user
- Gather the process time for all processes
- Gather domain and account names based on all running processes
- Read a specified file’s contents and send the data to the control server
- Write data sent by the control server to an existing file
- Mark a file to be deleted on reboot
- Overwrite a file with all zeros and mark it for deletion on reboot
- Delete files using the DeleteFile() API
- Load an arbitrary library into its process space. This may be used to load additional downloaded components of the attack.
After every action is performed the malware sends a response to the control server indicating whether the action was successful.
The US government reports that Bankshot is used by Hidden Cobra to target multiple industries including financial organizations. This implant has been connected to a major Korean bank attack and is also known as Trojan Manuscript. That variant contained the capability to search for hosts related to the SWIFT network and the same control server strings as the variant we found targeting the Turkish financial sector. The implant does not conduct financial transactions; rather it is a channel into the victim’s environment, in which further stages of implants can be deployed for financial reconnaissance. The Bankshot implant was also observed in 2017 in documents appearing to come from Latin American banks.
These connections, combined with the implant’s nearly identical appearance to known variants, are a strong indication that we have uncovered a Hidden Cobra attack. Further, previous implants from 2017 contained bogus documents with financially themed content.
We have found what may be an early data-gathering stage for future possible heists from financial organizations in Turkey (and possibly other countries). In this campaign, we see the adoption of a recent zero-day Adobe Flash vulnerability to get the implant onto the victim’s systems.
The campaign has a high chance of success against victims who have an unpatched version of Flash. Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal. This is the first time that Bankshot has been tied directly to financial-related hacking and the first time it has been used since November 2017.
McAfee detects these threats as:
- RDN/Generic Exploit
- Generic PWS.y
McAfee customers are also covered by McAfee Global Threat Intelligence Web Reputation classification, which rate these URLs as High Risk.
Indicators of Compromise
MITRE ATT&CK techniques
- Exfiltration over command and control channel
- Commonly used port
- Command-line interface
- Service execution
- Automated collection
- Data from local system
- Process discovery
- System time discovery
- Credential dumping
- Exploitation of vulnerability
- Process injection
- File deletion