Malicious Trojan Targets Japanese Banks, Hosters, Porn Sites

JAPAN—Malicious code targeting consumer banking data has infiltrated more than 90 of Japan's most popular porn sites in addition to several banks and hosting companies, according to security firm ESET, which released its findings via a blog post today.

"Win32/Aibatook, which targets Japanese users’ banking information and hosting providers’ account credentials... appeared at the end of 2013 and a previous version has already been documented by Symantec, which has even sinkholed some of Win32/Aibatook’s C&C servers," the post stated. "Far from being discouraged, the operators have since published an updated version and moved from Delphi to C++ as their programming language. This post will focus on this new strain, which came out in April 2014 and has some interesting quirks:

- "Propagation of the malware is made through a custom exploitation chain placed on compromised websites
- "It only targets Internet Explorer, using an unusual technique to steal personal information
- "Two different implementations of the information-stealing logic are deployed; the first one is specifically tailored against two major Japanese banks, whereas the second one is more flexible and currently used to target around 90 Japanese websites"

The firm added, "As expected, the majority of the identified targets belong to the banking domain, but some of them are hosting companies, which could explain how legitimate websites are compromised and then used in the exploitation chain. It should be noted that the majority of the identified targets are important businesses in Japan."

Regarding the propagation methods used by the Aibatook miscreants, ESET outlines the effectiveness of their single-minded targeting, explaining, "The Win32/Aibatook bank fraud malware’s story starts, as usual nowadays, with legitimate websites that have been compromised to redirect their visitors to exploit-serving machines in order to infect them with malicious software. But rather than using a full-fledged exploit kit – such as Fiesta, Angler or any other of the usual suspects, which are able to serve different exploits depending on the visitor’s configuration – the miscreants behind Win32/Aibatook infections employ only one exploit at a time. While it could appear to be a non-optimal strategy, it is actually coherent with the targeted nature of this whole operation. If you possess an efficient exploit against your target – Japanese bank customers in this case – why would you bother using more?"

As explained by The Register, "The malware relies on exploiting a Java security flaw that was patched more than a year ago to push Aibatook onto the machines of Windows PCs. More specifically, users visiting compromised sites are redirected towards an exploit page that attempts to take advantage of a Java vulnerability (CVE-2013-2465) patched in June 2013. Attacks involved displaying a 404 error page to mask the fact that the PC is silently running a malicious Java applet.

"The whole attack," it adds, "relies on a single Java exploit rather than the standard approach of planting an exploit kit on compromised websites. Exploit kits attempt to exploit a raft of common browser and other application software vulnerabilities (Adobe Flash, Java, etc.) to drop malware onto PCs that are not up to date with their patches."
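The decoy described above, an error page that reads "404 Not Found" to the visitor while the browser is actually loading a Java applet, is something a web proxy or sandbox can check for directly. The following Python script is an example added here for illustration; it is not code from ESET, The Register, or the Aibatook investigation. It parses raw HTTP responses, looks for markup that causes the browser to start the Java plug-in (`<applet>` tags, `<object>`/`<embed>` elements with the `application/x-java-applet` type, and `.jar` references), and flags any response whose page text looks like a 404 error yet carries such markup. The three sample responses, including the `EXAMPLE-payload.jar` name, are constructed for the example and are not indicators from the page.

```python
"""Flag HTTP responses that present a '404 Not Found' page while embedding a
Java applet, the decoy pattern described for the Aibatook exploit page.
Editor-added example; not part of the ESET or Register write-ups."""
import re

# Markup that makes a browser hand control to the Java plug-in.
APPLET_TAG_RE = re.compile(r"<applet\b[^>]*>", re.I)
JAVA_OBJECT_RE = re.compile(
    r"<(?:object|embed)\b[^>]*type\s*=\s*[\"']application/x-java-applet[^\"']*[\"'][^>]*>",
    re.I,
)
JAR_REF_RE = re.compile(r"\b(?:archive|data|src)\s*=\s*[\"']?([^\"'\s>]+\.jar)\b", re.I)

# Text that makes a page *look* like a harmless error page to a casual viewer.
NOT_FOUND_TEXT_RE = re.compile(r"\b404\b|not\s+found", re.I)


def parse_http_response(raw: str):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate bare-LF captures
        head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    parts = lines[0].split() if lines else []
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, hsep, value = line.partition(":")
        if hsep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def analyze_response(raw: str) -> dict:
    """Return what the response claims to be versus what it would make the browser run."""
    status, headers, body = parse_http_response(raw)
    applets = APPLET_TAG_RE.findall(body) + JAVA_OBJECT_RE.findall(body)
    jars = JAR_REF_RE.findall(body)
    # The decoy can be served with any status code; the body text is what misleads the user.
    looks_like_404 = status == 404 or bool(NOT_FOUND_TEXT_RE.search(body))
    return {
        "status": status,
        "content_type": headers.get("content-type", ""),
        "looks_like_404": looks_like_404,
        "java_markers": len(applets),
        "jar_refs": jars,
        "decoy_404_applet": looks_like_404 and bool(applets or jars),
    }


def scan_for_decoys(responses) -> list:
    """Indexes of responses that combine error-page text with Java plug-in content."""
    return [i for i, raw in enumerate(responses) if analyze_response(raw)["decoy_404_applet"]]


# Constructed sample traffic (not real captures).
SAMPLE_RESPONSES = [
    # 0: genuine 404, error text only.
    "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>404 Not Found</title></head>"
    "<body><h1>Not Found</h1><p>The requested URL was not found.</p></body></html>",
    # 1: decoy, the page says 404 but loads a 1x1 applet from a jar (constructed name).
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
    "<applet code=\"Loader.class\" archive=\"EXAMPLE-payload.jar\" width=\"1\" height=\"1\"></applet>"
    "</body></html>",
    # 2: ordinary page that legitimately embeds an applet, no error decoy.
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>Chart viewer</h1>"
    "<object type=\"application/x-java-applet\" width=\"400\" height=\"300\">"
    "<param name=\"archive\" value=\"chart.jar\"></object></body></html>",
]

if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_RESPONSES):
        print(i, analyze_response(raw))
    print("decoy responses:", scan_for_decoys(SAMPLE_RESPONSES))
```

The check deliberately keys on the body text rather than the HTTP status, because an exploit page can return 200 while displaying an error message; a legitimate applet page (sample 2) is reported as carrying Java content but is not flagged as a decoy.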

While ESET appears to have a handle on the current technique that "implements two different information stealers, one specifically tailored against a few major Japanese banks, and a second one targeting around 90 different websites," the firm expressed concern about future exploits, warning, "Based on our observations during this investigation, Win32/Aibatook has been constantly developed over the past few months. We believe that this malware family is now ready for take-off, and we expect its authors to spread it more broadly in the near future."