Español | English
rss facebook linkedin Twitter

URLZONE reloaded?

S21sec´s ecrime department has detected a "new" banking malware, which appears to be based on the well-know "URLZONE" malware code that was first detected in 2009.  Among the key features of this new malware, we highlight DGA (Domain Generation Algorithm) and ATS (Automated Transfer System) technology being used for fraudulent transactions.

We have confirmed that this malware appears to impact financial entities in a similar to other specific botnets of malware families like Tinba, Kins, Pykbot and Xswkit.  This means that they may be operated by the same criminal ring, using similar injects and hiring the ATS.

This botnet seems to only be targeting Spanish entities, though the use of this malware may end up targeting any other entity worldwide, following similar patterns of evolution to other malware.

In terms of its operation, It has been noted that, once infection has been carried out, HTML injection is used in real-time to cheat the infected user with social engineering, so the user is actually the one to perform the fraudulent transfer to a mule using an ATS system.

Communication to the control panel is achieved by "https", through azlib-compressed configuration update that is downloaded; it is this update that contains the rules definition.

Email is one of main distribution methods for this malware.  S21sec has, for example, found a sample written in Catalan and with a "" file attached. This is a compressed file that includes the malware.

S21sec will continue to provide updates on this botnet and any other botnet from this family.

S21sec ecrime.

Dridex, a year of online fraud

S21sec has played a key role in the effort to uncover the sophisticated Trojan, collaborating with international agencies such as the FBI, NCA, Spanish Guardia Civil and Europol.

Dridex malware is a Trojan with multiple functionalities. Its activity is mainly based on the theft of banking data from users through web sites or "web-injects". However, it has also been used for other and less obvious purposes. For example, stealing documents in sensitive sectors such as government networks, hospital environments, universities, legal services, copyright management entities and aeronautical companies.

With 195 countries affected and over 344,721 infected computers, based on data collected by S21sec, Dridex has focused mainly on UK (circa 115,000 infections), France (over 62,000 infections), U.S. (about 25,000 infections) and, latterly, Spain (just under 6,000 infections).

More information in the following infographic:

DYRE trojan targets Spain

Although just it has a few months old, the DYRE Trojan (aka Dyreza) is currently the busiest banking malware. Since early this year, the aggressive characteristics incorporated in the binary a fairly proactive gang has been added, working to increase its infrastructure  and monetization capacity. Progress has been noticed in two differents  fronts:

  • Expand the botnet geographical area:  The binary spread is done through spam campaigns with malicious attachments. At first these were limited to English-speaking countries, but have expanded their reach. 
  • Incorporation of new banks: DYRE configuration is done via the usual file that lists the banks where the Trojan must act. As has been expanding the area of influence of the botnet, the list of entities has also experienced an increase, as shown in the following chart

On this growing dynamic was just a matter of time that Spain, so far outside the campaign, entered the list. The latest version of the configuration file was distributed a few days ago; it can be seen as at least five Spanish banks and others in Colombia, Chile and Venezuela have been included for the first time.

  The countries currently targeted by criminals are reflected in this map (Click to see the animated GIF):

While its behavior is similar to well-known Zeus, DYRE presents some interesting approaches to the fraud process deserve to be analyzed in an upcoming post :)

S21sec eCrime

ATS: Slave´s best friend

A few days ago we commented in this blog the discovery of the Slave Trojan. A new malware differentiated by their webinjects in JSON format. In this post we will dissect the automatic transfer system (ATS) that works together with Slave , which is configured to target certain banks.
 The ATS injected by Slave is simple in its operation but very effective at the same time; in our research we were able to analyze the script code executed in the browser of the victim. This is designed in a modular way allowing adaptation to different "sites" of online banking in a quick and easily way. At the time of analysis, the ATS concerned three banks with different injects for each type of access (companies or individuals). New entities were also found, although they had not a presence at the Slave config, seemed to be ready for activation in the near future.

To identify the online banking page where the user is located, the script makes use of different techniques such as inspecting the current URL or search for specific items in the website´s DOM.
According to the website where the user is located, the scritp is able to perform different actions. The websites that have a code larger than 100 it corresponds to the longin forms, which depending on the bank may be 1 or 2 different matches. In these pages the script collects the user credentials and stores them in the sessionStorage browser. If the entity ask for more digits than for some digits of a second password, the script is able to recognize the requested digits and send the mask of that pass. However, for its operation the ATS does not need to steal credentials and the only action performed with them is send to the C & C, possibly for a manual review. This behavior allows to deduce that his priority is not to make the catch, but to modify transfers on real-time, as discussed below.

If user credentials are captured correctly, the script starts executing the following actions on the rest of the web:

  • Action 1 (landing page), it simply sends the user data and password to log. Depending on the bank, this action can be ignored. 
  • Action 2 (accounts info), looking for information on user accounts, extracts data and sends to the C & C in the following format:
               Owner Name * Account Number * Balance * - * |
  • Acción 3 (new transfer), It is responsible for changing the legitimate transfer for redirecting the money to a money mule instead of the original recipient. Before performing, various checks are done, including if the account has enough funds and a fraudulent transfer isn´t already made. If the victim passes these checks, a money mule is request to the C&C.

ATS´s answer to this request includes the new reciver of the transaction and the amount to send. With this information, the script falsifies the transfer, showing the data wich the user espects to see and sen the false data to the bank . ATS´s response to this request includes personal details from the new recipient of the transaction and the amount sent. With this information, the script tampers the transfer, showing the user the data expected to see (the transfer believed performed) and sending to the bank illegitimate.
On this way is the user who makes the verification steps. Either introducing card values coordinates, the PIN sent to the mobile or any other TAN factor.

Additionally, when illegitimate transfer has been made, the fixBalance?() function is executed at all sites where the account balance appears. This function changes the value of the balance displayed to hide the theft. This functionality of the Trojan is even sessions persistent, so while the user is infected fraudulent transfer and the actual balance will be completely undetectable on banking´s website.

Regarding the communication script - C&C, although it was not possible to replicate this process, a preliminary analysis showed the following conclusions:
  • To contact the C & C, the script uses JSONP, depending on the injection can load the jQuery library to make requests.
  • In all of them a field "key" that is hardcoded in the binary itself and necessary for communication is added.
  • Beyond this check and the SSL layer, communications script C&C do not appear to include any other kind of encryption or obfuscation.
Finally these are the MD5 identifying the samples analyzed:


New Ransomware in Mobile environment

It is widely known the new malware trend, which has caused several problems in the last year: the infamous Ransomware (Cryptowall, Cryptolocker and its derivatives). 

Although we have seen samples in the mobile environment (Koler), it was not common to find traditional spam with such malicious applications, until now. 

In a generic spam e-mail we received days ago included a suspicious attachment named “Check Updates.apk” probably pretending to be a Flash Player update.

At first glance the application is far from being a software update, just by reviewing the images and HTML documents embedded.

These documents, that are going to be presented to the victim as a part of the scam process, follow the common scheme, in this case the scam is as follows: The FBI has detected, through the PRISM platform, that the user has browsed forbidden web pages and must pay a fine.

The app installation is pretty simple and after open it a video player menu will be displayed. (That is obviously fraudulent)

After seconds, the disclaimer window will pop up, stitched to the screen, avoiding the end user to close it or use other apps.

This message, unlike Koler’s ones, always remains the same, no matter where the end user is located. Here are some screenshot taken during this step:

Once the mobile device is locked and the ransom requested, the next step is the purchase and charge (500$) of a PayPal MyCash card in order to provide the card number to the botmaster using the app panel as we can see on the image above.

The app is pretty simple in a technical point of view. Requiring a high amount of privileges and using the platform features as a normal app (it does not use exploits or require root privileges). These are the main features:

  • The ransom disclaimer window is generated as a system alert, shown over other applications or windows.
  • The crypto system used is AES, using the standard library. The key and salt used are always the same (PBKDF2WithHmacSHA1):
  • Although the cipher and uncipher code is complete, there is no evidence on the Labs test performed, that the app really ciphers the external drive storage (target: /sdcard/Android/).
  • The app uses a third party library named Volley for the connections management.
  • To fright the end user some personal information is shown like: browser bookmarks, end user’s photo (taken from the front camera) and geo location based on the device IP.
  • The main functionalities are:
  1. SMS and contacts delivery to malicious server
  2. Incoming SMS capture
  3. SMS delivery through the device
  4. Cipher/Uncipher external SD storage
  5. Device lock and unlock
  • SMS Spread: The malicious server sends an SMS template to the device in order to send an SMS with the APK URL to the whole contact list (this was also observed in recent Koler samples)

Control Panel

The Control Panel URL is hardcoded in the bot code. Once the URL is resolved, is periodically queried to get new commands (using HTTP and JSON answers)

GET /pha?android_version=4.1.2&id=xxxxxxxxxx&phone_number=xxxxxxxxx&client_version=1.03&imei=xxxxxxxxxxxxxxxx&name=sdk

During the bot register, a SMS template and Geo location will be also received, as explained before

{"sms_template": "OMG!!! Guess who's on a video here, you will not believe it!!!  hxxp://"}

{"city": "Madrid", "ip": "", "lon": yy.yyy, "lat": zz.zzz, "country_code": "ES", "country_name": "Spain"}

The server will also implement a backdoor access in order to control and query the bot.
This server contains a “app-download” website (similar to a third party market) which also serves the fake application.

Conclusion and Countermeasures 

The ransomware “boom” starts finding new distribution ways. Despite of being pretty simple apps, they get their objective of extorting the end user. Methods used are very social engineering oriented, but new functionalities are added constantly (SMS capture, spreading)

As a counter measure, it is recommended to keep the “install from untrusted sources” disabled and filter out emails with .apk attachments.

If the malicious application is already installed, we can proceed cleaning the machine by “adb unsintall” (it requires USB active debugging) or rebooting the system in safe mode in order to delete it later on.

New banking trojan 'Slave' hitting Polish Banks

We have spotted a new banking trojan in the wild that uses JSON formatted webinjects. After that so many Zeus-like webinjects around, this was kind of refreshing. Currently this banker only have targets in Poland. We are analyzing injects, as they are capable of using ATS.

The malware has a time check which prevents it from running after 1 of April 2015. Don't get fooled, the botmaster probably would issue an update command before that could happen, but this can render useless already "captured" samples that are circulating on the internet between researchers.

There are indications that the author used chromium source code to build the malware, hence we dubbed it "Slave":

One of the original filenames was Faktura V_388_02_20_2015.doc.scr, which pretty much sounds like if it was distributed via spam.

Some hashes:

If possible, we will show how ATS is working for this injection in an update.

For further info, please contact us: blog [at]

S21sec Ecrime


On October 2014, an investigation from the international police organization Interpol alerted of a new type of banking malware, called Tyupkin, that allowed criminals to gain full control of ATM machines, allowing them to steal huge amounts of money in cash without having to use a credit or debit card (see our blog post).

Far from being an isolated case, recent events show a boost on ATM targeted malware attacks, with a variety of attack vectors all sharing a common target, stealing huge amounts of cash directly from the bank, leaving their customers apart.

The hottest topic to date is the Carbanak APT (also known as Anunak), a sophisticated cyberattack affecting financial institutions in more than 30 countries with cumulative losses of up to 1 billion USD.

The attack vector consisted in compromising the victim’s network, by means of spear phishing emails that downloaded the malicious code which was later propagated to critical systems.

Having infected key users, attackers spied them to get detailed knowledge of internal working tools and procedures, to enable them to mimic their activities to perform fraudulent actions while remaining unnoticed by the bank’s fraud detection systems.

Although the criminals pursued multiple routes, one of the relevant targets was the control of the Automated Teller Machines (ATM) network.

ATM Network Control with Carbanak

Once the Carbanak APT successfully compromised the victim´s network, the attackers managed to gain access to the ATM management infrastructure and infect those systems with their own malicious software.

Although there might be more attack techniques not yet discovered, evidences of the following ATM targeted malware attacks have been found:
  1. Change Denomination of Withdrawal Banknotes
  2. The ATM was manipulated to modify the banknote denominations, allowing mules to withdraw more money than actually registered in the transaction.
    The attackers uploaded malicious scripts and modified the ATM operating system registry to change denominations of issued banknotes. As a result, a transaction for 10 notes with denomination of 100 roubles gave the attackers 10 notes with denomination of 5,000 roubles.

  1. Remote Withdrawal of Cash from Dispenser
The ATM network was used to dispense cash from certain ATMs at certain times where money mules were ready to collect it.

The attackers used a modified debug program that accepts commands to issue money from the dispenser. The original program only works when the ATM door is opened, but the tampered one ignored it.

The criminals were able to control computers that had access to the internal ATM network, using them to remotely issue cash withdrawal commands.

Based on these evidences we can say that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers. APTs are not only for stealing information anymore.

ATM Targeted Malware vs Lack of Security Measures

Malware attacks are one of the biggest concerns in ATM fraud since they are far less risky and much more profitable than traditional skimming or physical attacks.

The criminals are extremely agile and innovative in producing new types of malware to launch direct APT-like attacks against banks, but they are also helped by the very poor security of ATMs, still running old-fashioned Microsoft systems, and the weaknesses in the ATM infrastructure.

Every ATM is exposed to malware attacks and therefore applying strong security countermeasures is a must. An integrated security solution based on Application Whitelisting, Full Disk Encryption, HW Protection and File Protection, provides the most advanced and most effective countermeasure capability to stop this new generation of attacks.

In the case of the above mentioned attacks, Application Whitelisting would have avoided to run the script to change the banknote denominations, while File Protection would have prevented the attackers from replacing the ATM debug program binary.

S21sec Approach to ATM  Security

S21sec has extensive expertise in the development of solutions adapted to the needs of the banking industry. Its product Lookwise Device Manager helps to protect ATM networks from logical attacks by restricting its usage to only authorized hardware or processes, monitoring ATM activity, and allowing to execute remote actions.

S21sec also provides specialized and advanced security services for financial organizations.
We are members of ATMIA and ATEFI industry associations.


Juan Ramón Aramendía 
Lookwise Product Marketing Manager

(+34 902 222 521)

24 hours a day, 7 days a week

© Copyright S21sec 2013 - All rights reserved