New .NET Banking Malware (VBKlip) - BestCyberNews: Online News Presenter in the present world


New .NET Banking Malware (VBKlip)

A new .NET banking malware, VBKlip, was aimed at Polish online banking users. This new version is written in .NET and has a few new ideas, which seem to be the reason that none of the three samples we were able to obtain was detected by any of the antivirus solutions present on VirusTotal.


VBKlip is a new kind of malware whose simplicity and previously unknown behavior make it a serious threat. It is more difficult for network IDS/IPS systems to detect, because it simply does not create any traffic to a C&C. This threat is directed at Polish users.

It contains hardcoded Polish bank account numbers, and we were not able to obtain any foreign sample. Additionally, the lack of antivirus detection makes VBKlip even harder to fight. On the other hand, it has no persistence, which means that you can simply restart your computer to get rid of the unwanted behavior.

Next, it uses the Microsoft.VisualBasic.MyServices.ClipboardProxy class in order to manipulate the content of the Windows Clipboard.

Every second it compares the contents of the clipboard to two Visual Basic regular expressions (patterns in which # matches a single digit): ########################## or ## #### #### #### #### #### ####. This is a standard format of bank account numbers used in Poland.

If the content matches either of these regular expressions, it is substituted with another bank account number, which is simply hardcoded in the application itself. This is the whole functionality of this malware.
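The behaviour described above, seen from the detection side, as an added example (not code from the original post, CERT Polska or the malware): it flags a clipboard value in one of the two quoted formats being replaced by a different one shortly after it was copied. It assumes an endpoint agent that records timestamped clipboard snapshots; the function names, the 2-second window and the sample values are assumptions made for this example.

```python
import re

# The two account-number formats quoted in the article; '#' is read as
# "exactly one digit", every other character as a literal.
ARTICLE_FORMATS = ["#" * 26, "## #### #### #### #### #### ####"]


def format_to_regex(fmt):
    """Compile a '#'-style format into a regular expression."""
    return re.compile("".join(r"\d" if ch == "#" else re.escape(ch) for ch in fmt))


ACCOUNT_REGEXES = [format_to_regex(f) for f in ARTICLE_FORMATS]


def is_account_number(text):
    """True if the whole string is in one of the two formats."""
    return any(rx.fullmatch(text) for rx in ACCOUNT_REGEXES)


def find_swaps(snapshots, window=2.0):
    """Return (time, before, after) for each suspicious replacement.

    snapshots: (seconds, clipboard_text) pairs in time order (hypothetical
    agent output). A change is flagged when both values are account
    numbers, their digits differ, and the change happened within `window`
    seconds (assumed threshold; the article says the check runs every second).
    """
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        if not (is_account_number(before) and is_account_number(after)):
            continue
        if before.replace(" ", "") == after.replace(" ", ""):
            continue  # same account, only re-spaced
        if t1 - t0 <= window:
            alerts.append((t1, before, after))
    return alerts


# Constructed snapshots; the account numbers are made-up digit runs.
SAMPLE = [
    (0.0, "invoice 2014/01"),
    (5.0, "11" + " 1111" * 6),   # user copies an account number
    (5.9, "2" * 26),             # replaced less than a second later
    (60.0, "33" + " 3333" * 6),  # user copies another one much later
    (60.5, "3" * 26),            # same digits, re-spaced
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE):
        print(alert)
```

Only the change at 5.9 s is reported: the later copy is outside the window, and the re-spaced value carries the same digits.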

This has a very interesting impact: none of the antivirus products that were available on VirusTotal when the samples were obtained detected this malware.

There was not even a false positive from any of the over 45 different antivirus solutions. Links to the reports are provided below.

https://www.virustotal.com/en/file/744bae3c6f64cc4c9fb8095d57b54c7d0c827b6f5dc113aa289067f687182fc7/analysis/1389270408
https://www.virustotal.com/en/file/0c10aeb3fdf4fb0d36250d12578227599f8f2509861b6e09e27413aeb044dfa0/analysis/1389337563
https://www.virustotal.com/en/file/db375c17975d21c6749c0168cd10f9dc9d26e33b9569e1a817da88d776642653/analysis/1389270408

Source: https://www.cert.pl






Author: Venkatesh Yalagandula