Bangladesh Central Bank SWIFT Attack: Rogue Trojan Analysis

Source: Internet
Author: User

Chapter One Analysis Overview

The malicious Trojan sample is a PE file (name: Evtdiag.exe) that runs on the Windows platform. The file size is 64 KB and the compilation timestamp is February 5, 2016.

Analysis shows that the sample is a Trojan custom-built to attack the SWIFT client program. It is neither packed nor code-obfuscated, and its main function is to interact with the local SWIFT client software, Alliance. The Trojan runs as a Windows service. It traverses the Alliance installation directory to reach the configuration files and transaction files stored there and to obtain Alliance's important authorization profiles. By monitoring the messages Alliance sends and receives and writing them to a log export file, the attacker learns the operating flow of the Alliance software from the captured logs. The Trojan can query and modify data in the Oracle database, tampering with the relevant account information so that the program can complete a forged transfer request. It also eliminates its traces through a series of technical measures: turning off result feedback and checking when obtaining Oracle operation results, modifying memory data in the Oracle connection process to bypass Oracle's data validation, and finally deleting the account-related records from the database.

As can be seen, the attacker had full control of the SWIFT client host: the results of the various commands are written to the print log so that they can be analysed in depth. The Trojan's author has a professional background in finance, is fully familiar with the SWIFT Alliance operating process, understands in depth how the software works, down to the database table structure and the formats of its files and network messages, and in addition carried out a great deal of anti-forensic work.

1.1 Analysis environment and methods

This analysis is based on the PE sample (name: Evtdiag.exe). The analysis environment is Windows XP, the static code analysis tool is IDA, and the dynamic debugging tool is OllyDbg.

Chapter II Sample Analysis Process

2.1 Startup mode

The malicious Trojan accepts different startup parameters in order to perform different functions. The accepted parameters are -p, -g, -svc, resume, pause, on, off, queue, etc., as shown in Figure 2-1. The parameters on, pause, resume, off and queue control the logging function, and the -svc parameter starts the Trojan in Windows service mode.

Figure 2-1 Start parameter analysis

As shown in Figure 2-2, the -svc parameter launches the Trojan in Windows service mode. This is done by calling StartServiceCtrlDispatcherA; the service runs under the name Evtsys.exe, and the subsequent operations are carried out after the service has started.

Figure 2-2 Starting in Windows service mode

2.2 Enumerating Oracle connection processes and modifying memory data

When the malicious Trojan runs, it enumerates the processes in the system to find the process that has loaded the Oracle connection library liboradb.dll, which the SWIFT client software Alliance depends on to interact with the Oracle database, as shown in Figure 2-3.

Figure 2-3 Enumerating the processes that have loaded the liboradb.dll module

As shown in Figure 2-4, once the Trojan finds the process that has loaded the liboradb.dll module, it tampers with key data in that module by modifying its memory. Judging from the operations that follow, the data validation function in the module is patched so that no error is raised while the account records are being revised.

Figure 2-4 Modifying memory data in the Oracle connection process
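The two behaviours described in 2.1 and 2.2 (a service start with the -svc argument, and a foreign process writing into the memory of the process that loaded liboradb.dll) can be detected from endpoint telemetry. The following is an added example, not code from the report or the sample: a detector run over constructed Sysmon-style events in a simplified JSON shape; the image paths and the Alliance process name are placeholders.

```python
"""Added example: detect an Evtdiag.exe '-svc' start and a cross-process
memory write into the process that loaded liboradb.dll, over constructed
Sysmon-style events (IDs 1 ProcessCreate, 7 ImageLoad, 10 ProcessAccess)."""
import json

# Windows process access rights from winnt.h; only the write-related bits matter here.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample events (paths and "alliance_app.exe" are placeholders).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "ProcessId": 1204, "Image": r"C:\Windows\Evtdiag.exe",
     "CommandLine": "Evtdiag.exe -svc"},
    {"EventID": 7, "ProcessId": 2312, "Image": r"C:\Alliance\alliance_app.exe",
     "ImageLoaded": r"C:\Alliance\liboradb.dll"},
    {"EventID": 10, "SourceProcessId": 1204, "TargetProcessId": 2312, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": 2312, "TargetProcessId": 2312, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceProcessId": 3300, "TargetProcessId": 2312, "GrantedAccess": "0x1000"},
])


def find_alerts(raw_lines):
    """Return [(rule, detail), ...] for the suspicious events in the log text."""
    events = [json.loads(l) for l in raw_lines.splitlines() if l.strip()]
    alerts = []
    oracle_pids = set()  # processes that have loaded the Oracle connection library
    for ev in events:
        if ev["EventID"] == 1:
            argv = ev["CommandLine"].lower().split()
            if ev["Image"].lower().endswith("evtdiag.exe") and "-svc" in argv:
                alerts.append(("svc-start", ev["ProcessId"]))
        elif ev["EventID"] == 7 and ev["ImageLoaded"].lower().endswith("liboradb.dll"):
            oracle_pids.add(ev["ProcessId"])
        elif ev["EventID"] == 10:
            src, tgt = ev["SourceProcessId"], ev["TargetProcessId"]
            granted = int(ev["GrantedAccess"], 16)
            # Only a *different* process asking for VM write rights is interesting.
            if tgt in oracle_pids and src != tgt and granted & WRITE_MASK:
                alerts.append(("oracle-memory-write", (src, tgt)))
    return alerts


if __name__ == "__main__":
    for rule, detail in find_alerts(SAMPLE_EVENTS):
        print(rule, detail)
```

In a real deployment the ImageLoad event for liboradb.dll may predate the collection window, so the set of Oracle-connected processes should also be seeded from a module inventory.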

2.3 Turning on the log printing function and entering the key processing function

The malicious Trojan turns on the log printing function sub_409460, which records the data results of each step of the operation, as shown in Figure 2-5. At the same time it enters the key information-stealing logic, sub_409af0.

Figure 2-5 Turning on the log print recording function

As shown in Figure 2-6, the Trojan enters the key information-stealing logic sub_409af0. As mentioned earlier, this function is executed when the Trojan is started as a service (Figure 2-7).

Figure 2-6 sub_409af0 function processing logic

Figure 2-7 Information stealing starts when the service mode is launched

2.4 Traversing the SWIFT client software Alliance directory files

The malicious Trojan then traverses the installation directory of the SWIFT client software Alliance, concatenating different directory paths and reading the files in the Alliance directory, as shown in Figure 2-8.

Figure 2-8 Reading a directory file of the SWIFT client software Alliance

From this it is inferred that the gpca.dat file may be a critical configuration file of the Alliance software; it may store information from the user's transfer process in encrypted form. The Trojan code decrypts the file after obtaining it. The decryption algorithm is shown in Figure 2-9.

Figure 2-9 Decryption algorithm for the presumed gpca.dat file contents

If the Trojan cannot read gpca.dat, it records this in the print log as a CFG fail record, as shown in Figure 2-10. From this it is inferred that gpca.dat is a configuration file.

Figure 2-10 CFG fail log record when gpca.dat cannot be read

In addition, the MCM directory under the Alliance directory contains two sub-folders, in and out. The Trojan traverses and reads both directories (Figure 2-11), matching and locating .PRC and .FAL files and then reading their contents (Figure 2-12). The initial inference is that these are the directories for incoming and outgoing SWIFT transfers, holding the data log files of transfers received and sent.

Figure 2-11 Traversing the Alliance in and out directories

Figure 2-12 Traversing specific files in the in and out directories

2.5 Oracle database operations: query, UPDATE, DELETE, etc.

Through the Alliance software's operating database, the Trojan queries, tampers with and deletes records in the Oracle database. At the same time it modifies related Oracle properties, clears the Alliance client software's records, and exports the queried data to a file. Finally the program executes a DELETE statement to delete the Oracle data records.

As shown in Figure 2-13, the Trojan turns data feedback and validation off by issuing a series of SET commands. It then executes SQL statements by creating a process, exports each execution result to a file, and leaves no operation record in Alliance.

Figure 2-13 Changing Oracle-related properties to mask data manipulation records

As shown in Figure 2-14, the query result contains a login field, from which it is inferred that this operation queries logon authorization information.

Figure 2-14 Querying account information for login

As shown in Figure 2-15, the query statement contains the Fin_ccy_amount field, from which it is inferred that it queries the account's amount information.

Figure 2-15 Querying account amount information

As shown in Figure 2-16, the UPDATE statement contains the Fin_ccy_amount field, from which it is inferred that it updates the amount information of the tampered account.

Figure 2-16 Modifying account amount information

As shown in Figure 2-17, the database records are finally deleted with a DELETE statement, presumably removing the records after the transfer transaction has completed in order to eliminate traces.

Figure 2-17 Deleting related information in the database
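Because the Trojan suppresses the client-side SET feedback and later deletes the rows it touched, the durable evidence of the sequence in Figures 2-15 to 2-17 is the database audit trail. The following is an added example, not from the report: it classifies audit rows by the statement stage (a query of Fin_ccy_amount, an UPDATE of Fin_ccy_amount, then a DELETE on the same table) and reports the sessions that complete the whole sequence. The audit rows are constructed, and the table names saa_txn and saa_user are placeholders.

```python
"""Added example: flag database sessions that query, then update, then delete
rows of the same table around the Fin_ccy_amount column, over constructed
audit rows of the form (timestamp, session_id, sql_text)."""
import re
from collections import defaultdict

# Constructed sample audit trail; table names are placeholders.
SAMPLE_AUDIT = [
    ("2016-02-04 22:01:10", 71, "SELECT login FROM saa_user WHERE login = 'OPS1'"),
    ("2016-02-04 22:01:12", 71, "SELECT Fin_ccy_amount FROM saa_txn WHERE txn_id = 9001"),
    ("2016-02-04 22:01:15", 71, "UPDATE saa_txn SET Fin_ccy_amount = 20000000 WHERE txn_id = 9001"),
    ("2016-02-04 22:03:40", 71, "DELETE FROM saa_txn WHERE txn_id = 9001"),
    ("2016-02-04 22:05:00", 72, "SELECT Fin_ccy_amount FROM saa_txn WHERE txn_id = 9002"),
    ("2016-02-04 22:05:02", 72, "UPDATE saa_txn SET Fin_ccy_amount = 500 WHERE txn_id = 9002"),
]

AMOUNT_SELECT = re.compile(r"^\s*SELECT\b.*\bFin_ccy_amount\b.*\bFROM\s+(\w+)", re.I)
AMOUNT_UPDATE = re.compile(r"^\s*UPDATE\s+(\w+)\s+SET\b.*\bFin_ccy_amount\s*=", re.I)
DELETE_FROM = re.compile(r"^\s*DELETE\s+FROM\s+(\w+)", re.I)
STAGES = ("select", "update", "delete")  # the order the report describes


def stage_of(sql):
    """Return (stage, table) for a statement of interest, else None."""
    for stage, rx in (("select", AMOUNT_SELECT), ("update", AMOUNT_UPDATE), ("delete", DELETE_FROM)):
        m = rx.match(sql)
        if m:
            return stage, m.group(1).lower()
    return None


def tamper_sessions(rows):
    """Return {session_id: table} for sessions that complete select->update->delete
    on one table, in timestamp order."""
    progress = defaultdict(int)  # (session, table) -> index of the next expected stage
    hits = {}
    for _ts, session, sql in sorted(rows):
        cls = stage_of(sql)
        if cls is None:
            continue  # e.g. the login query in Figure 2-14 is not part of the chain
        stage, table = cls
        key = (session, table)
        if stage == STAGES[progress[key]]:
            progress[key] += 1
            if progress[key] == len(STAGES):
                hits[session] = table
    return hits


if __name__ == "__main__":
    print(tamper_sessions(SAMPLE_AUDIT))
```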

2.6 Monitoring the communication of the SWIFT client software Alliance

After determining the configuration file path and file information, the Trojan loops over the communication of the Alliance client software, that is, it monitors the messages the software sends and receives, as shown in Figure 2-18, and exports them to the log. It is speculated that the attacker used this monitoring function to observe the format of the messages exchanged during SWIFT communication, forge a transfer request message, tamper with the database, and have SWIFT send a transfer transaction request according to the attacker's designation, thus completing the attack.

Figure 2-18 Monitoring the communication information of the Alliance software

Chapter III Analysis and summary

To summarise: the sample Evtdiag.exe is an unpacked, unobfuscated 64 KB Windows PE file compiled on February 5, 2016, built specifically to attack the SWIFT client software Alliance. Running as a Windows service, it traverses the Alliance installation directory for configuration and transaction files, logs the messages Alliance sends and receives so that the attacker can learn its operating flow, queries and modifies account data in the Oracle database to support forged transfer requests, and removes its traces by turning off Oracle result feedback, patching the data validation in the Oracle connection process, and deleting the relevant database records afterwards.

The attacker evidently had full control of the SWIFT client host. The Trojan's author combined professional financial knowledge with a detailed understanding of the Alliance operating process, its database table structure and its file and network formats, together with extensive anti-forensic measures.
