Hesperbot - new banking trojan detected in-the-wild

In mid-August, we discovered a malware distribution campaign targeting the Czech Republic. It caught our attention because the malware files were served from URLs that closely resembled the addresses of the Czech Post Office. Further analysis showed that we were dealing with banking malware similar in capability to Zeus and SpyEye, but differing from those known families in how the capabilities are implemented.

The new Trojan was named Win32/Spy.Hesperbot and is a powerful tool for stealing online banking data. Hesperbot has the following features:

  • network traffic interception and HTML injection;
  • keylogging;
  • desktop screenshot capture;
  • video capture;
  • remote proxy connection;
  • hidden VNC server.

Our collection also contained several earlier versions of this trojan, which we had detected as Win32/Agent.UXO.

The attackers' goal is to obtain the credentials victims use to log into their online banking accounts. In addition, the malicious code tries to convince the victim to install its mobile component on a phone running Symbian, Blackberry or Android.

The Czech campaign for the distribution of this malware began on August 8, 2013. For this, the attackers registered the domain ceskaposta.net, which resembles the website of the Czech postal service with the address ceskaposta.cz.

Fig. Date the domain was created.

Fig. File compilation date.

The domain was registered on August 7, 2013, and the first Hesperbot samples distributed in the Czech Republic were compiled on the morning of August 8 and later captured by our ESET LiveGrid system.

In addition to the look-alike URL, the attackers crafted the email subject and body to be convincing: the message posed as a notice from the postal service about the status of a parcel supposedly sent to the recipient. The malware files were named to match, for example zasilka.pdf.exe; "zásilka" is Czech for "parcel" or "shipment". The double extension relies on the Windows default of hiding known file extensions, so the file appears to the victim as zasilka.pdf. In the message, the attackers used the address ceskaposta.net, disguising it as the legitimate ceskaposta.cz.
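The lure combines two tricks that are easy to check for mechanically: a registrable domain that copies a legitimate one under a different TLD (ceskaposta.net vs ceskaposta.cz) and a file name that hides an executable behind a document extension (zasilka.pdf.exe). The following is an added example, not ESET's code or any tooling from the post; the trusted-domain list, the sample message and the hypothetical "example" hosts are constructed for illustration.

```python
"""Flag the two lure traits described above in a parsed email: look-alike
domains in the sender or links, link text that names one domain while the
href points to another, and double-extension file names."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Domains the organisation treats as legitimate (assumption for this example).
TRUSTED_DOMAINS = {"ceskaposta.cz"}

# Extensions Windows will execute, and "document" extensions commonly used to
# mask them. zasilka.pdf.exe ends in exe with pdf directly before it.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .cz/.net; production code
    should consult the public suffix list (e.g. the tldextract package)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_domain(host: str) -> Optional[str]:
    """Return the trusted domain this host impersonates, or None.
    A host is a look-alike when its second-level label equals a trusted
    domain's label but the registrable domain as a whole differs."""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None
    sld = reg.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] == sld:
            return trusted
    return None


def double_extension(filename: str) -> bool:
    """True for names like zasilka.pdf.exe: an executable extension
    immediately preceded by a document extension."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def mismatched_link(display_text: str, href: str) -> bool:
    """True when the visible link text contains a domain name whose
    registrable domain differs from the href's host."""
    href_host = urlparse(href).hostname or ""
    shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", display_text.lower())
    if not shown:
        return False
    return registrable_domain(shown.group(0)) != registrable_domain(href_host)


@dataclass
class Message:
    sender: str
    links: List[Tuple[str, str]] = field(default_factory=list)  # (display text, href)
    attachments: List[str] = field(default_factory=list)


def triage(msg: Message) -> List[str]:
    """Run all three checks over one message and return human-readable findings."""
    findings: List[str] = []
    sender_host = msg.sender.rsplit("@", 1)[-1]
    imp = lookalike_domain(sender_host)
    if imp:
        findings.append(f"sender domain {sender_host} resembles {imp}")
    for text, href in msg.links:
        host = urlparse(href).hostname or ""
        imp = lookalike_domain(host)
        if imp:
            findings.append(f"link to {host} resembles {imp}")
        if mismatched_link(text, href):
            findings.append(f"link text '{text}' hides {href}")
        # The campaign served the file from a URL; check the path's file name too.
        basename = urlparse(href).path.rsplit("/", 1)[-1]
        if double_extension(basename):
            findings.append(f"URL serves executable posing as a document: {basename}")
    for name in msg.attachments:
        if double_extension(name):
            findings.append(f"attachment {name} is an executable posing as a document")
    return findings


# Constructed sample modelled on the lure described in the post.
SAMPLE = Message(
    sender="info@ceskaposta.net",
    links=[("www.ceskaposta.cz", "http://ceskaposta.net/zasilka.pdf.exe")],
)

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

The second-level-label comparison catches TLD swaps like ceskaposta.net but not homoglyph or typo variants (ceskap0sta.cz); extending `lookalike_domain` with an edit-distance or confusables check covers those at the cost of more false positives.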

Fig. Warning published by the Czech postal service about the scam.

Although the Czech campaign is what drew our attention, Turkey was the country most affected by this banking trojan. Hesperbot samples from Turkey were compiled before August 8; the most recent peak of botnet activity in Turkey was seen in July 2013, and the oldest samples date back to April 2013. Some samples send debugging information to the C&C server, which suggests the attackers were deploying intermediate builds and testing their functionality.

The campaign carried out in Turkey was similar in nature to the Czech attack, with the attackers using the same kind of emails to reach potential victims. We later found that the same approach was used in targeted attacks against users in Portugal and the UK.

In the course of our research, we came across an additional component used by Win32/Spy.Hesperbot: the malicious code Win32/Spy.Agent.OEC, which harvests email addresses from the infected machine and sends them to a remote server. The collected addresses may then have been used in further malware distribution campaigns.

The configuration files the malware uses when intercepting HTTP traffic tell it which online banking sites to target, and each botnet targets its own set of sites. Below are the addresses of the online banking sites tracked by the malicious code.

Czech Republic
In the case of the Turkish and Portuguese botnets, the configuration files also include web injects, i.e. fragments of HTML that the malicious code inserts into the targeted web pages inside the victim's browser. No such code was found in the Czech configuration file, which suggests that for Czech victims the attackers relied on the keylogger alone to harvest credentials.
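A web inject is applied after the browser has decrypted the response, so TLS does not protect the page and the bank's server never sees the modified HTML. The following added example (not ESET's code, and not Hesperbot's actual configuration format, which the post does not describe) illustrates the general mechanism with a hypothetical rule format, a constructed login page for a hypothetical bank, and the defender-side check that a client integrity agent or a server receiving the POST could apply: the set of form fields should never exceed what the bank shipped.

```python
"""Generic man-in-the-browser HTML injection, plus a check for its effect.
The rule format and the bank page are hypothetical/constructed."""
import re
from typing import Dict, List, Set

# Hypothetical inject rule: which URL to hit, the anchor after which to insert,
# and the HTML to insert. Real families differ in syntax, not in this shape.
INJECTS: List[Dict[str, str]] = [
    {
        "url_pattern": r"^https://ib\.example-bank\.cz/login",  # hypothetical bank
        "after": '<input type="password" name="password">',
        "html": '<label>SMS code <input type="text" name="smscode"></label>',
    },
]


def apply_injects(url: str, body: str, rules: List[Dict[str, str]] = INJECTS) -> str:
    """What the malware does in the browser: for every rule whose URL pattern
    matches, insert the rule's HTML right after the first occurrence of the
    anchor. Pages that match no rule pass through unchanged."""
    for rule in rules:
        if re.search(rule["url_pattern"], url) and rule["after"] in body:
            body = body.replace(rule["after"], rule["after"] + rule["html"], 1)
    return body


def form_fields(html: str) -> List[str]:
    """Names of all <input> elements, in document order."""
    return re.findall(r'<input[^>]*\bname="([^"]+)"', html)


def unexpected_fields(html: str, expected: Set[str]) -> List[str]:
    """Defender check: input fields present in the rendered form that the
    bank never ships. An extra 'smscode' or 'PIN' field is the classic sign
    of a credential-harvesting inject."""
    return [name for name in form_fields(html) if name not in expected]


def unexpected_posted(posted: Dict[str, str], expected: Set[str]) -> List[str]:
    """Server-side variant: the bank cannot see the injected HTML, but it can
    see the extra parameter the victim's browser submits."""
    return [name for name in posted if name not in expected]


# Constructed login page standing in for the bank's real HTML.
ORIGINAL_PAGE = (
    '<form method="post" action="/login">'
    '<input type="text" name="username">'
    '<input type="password" name="password">'
    "<button>Sign in</button></form>"
)
EXPECTED_FIELDS = {"username", "password"}

if __name__ == "__main__":
    tampered = apply_injects("https://ib.example-bank.cz/login", ORIGINAL_PAGE)
    print("injected fields:", unexpected_fields(tampered, EXPECTED_FIELDS))
```

The detection is deliberately simple: it needs only a list of the fields a legitimate page contains. It does not catch injects that restyle or relabel existing fields without adding new ones, which is why banks also deploy client-side DOM integrity scripts and compare them against the HTML actually served.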

Using the ESET LiveGrid telemetry system, we recorded hundreds of infections in Turkey, the Czech Republic, the UK and Portugal.