October 8, 2018 | By Comodo
Turkish Banks Suffer Massive Phishing Attacks

An immense wave of phishing attacks hit the customers of major banks in Turkey. Poisoned emails dropped into users' inboxes to covertly compromise their computers and give the attackers total control over anyone unlucky enough to take the bait. Carrying sophisticated and hard-to-detect malicious attachments, the phishing waves were sent from many countries around the world but were stopped by Comodo resources.

The emails: deception is knocking into your inbox

The phishing emails imitated messages from major Turkish banks: Türkiye İş Bankası, Garanti Bankasi, T. Halk Bankasi, Yapi ve Kredi Bankasi and T.C. Ziraat Bankasi.

501 emails were disguised as messages from Türkiye İş Bankası, the first and one of the largest banks in Turkey. The message shown in the screenshot below reads, in Turkish, "5406 ** ** 9306 dated September 10, 2018, is attached to the details of your Credit Card statement".

[Screenshot: email 1, phishing message imitating Türkiye İş Bankası]

Another 424 emails imitated Garanti Bankasi messages…

[Screenshot: email 2, phishing message imitating Garanti Bankasi]

… and 865 pretended to be an email from T. Halk Bankasi A.S.

[Screenshot: email 3, phishing message imitating T. Halk Bankasi]

…619 emails mimicked Yapi ve Kredi Bankasi

[Screenshot: email 4, phishing message imitating Yapi ve Kredi Bankasi]

… and another 279 wore the mask of T.C. Ziraat Bankasi.

[Screenshot: email 5, phishing message imitating T.C. Ziraat Bankasi]

All of the emails carried a "debt" notice or a "credit card statement" to lure users into opening the attached files. Of course, the files contained malware. But of what kind?

The malware: opening door for the enemy
The emails carried two types of malware files: .EXE and .JAR. Below is the analysis of the .JAR file conducted by the Comodo Threat Research Labs analysts.

[Screenshot: email 6, the malicious .JAR attachment]

Let's see how this sneaky malware can harm users if they run it.
First, it tries to detect and terminate security applications running on the target machine: it calls taskkill multiple times with a long list of executable names from various vendors. Then it drops a .reg file and imports it into the registry.

[Screenshot: email 7, the malware's taskkill calls and .reg import]

The imported file changes the Attachment Manager settings so that executable files received from the Internet run without any warning, disables Task Manager, and alters the Image File Execution Options (IFEO) registry keys of security applications. IFEO keys are normally abused through a Debugger value: Windows then starts the named "debugger" in place of the security tool every time it is launched, so the tool silently never runs.

[Screenshot: email 8, the dropped registry text file]
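The registry changes just described can be triaged straight from the dropped .reg file. The Python below is an added example written for this page, not Comodo's tooling or output from the sample: it parses a .reg export and flags the three categories named above (Attachment Manager suppression through SaveZoneInformation, ScanWithAntiVirus and LowRiskFileTypes; DisableTaskMgr; and an IFEO Debugger value, the usual way IFEO keys are abused). The sample .reg text, the placeholder scanner name examplescanner.exe and the list of executable file types are constructed for illustration and are not taken from the real file.

```python
"""Triage a dropped .reg file for the tampering the analysis describes:
Attachment Manager warning suppression, Task Manager disablement and an IFEO
Debugger hijack of security tools. Added example; the sample text is constructed."""
import re

# Lower-cased key suffixes for the locations involved.
ATTACHMENTS_KEY = "\\software\\microsoft\\windows\\currentversion\\policies\\attachments"
SYSTEM_POLICY_KEY = "\\software\\microsoft\\windows\\currentversion\\policies\\system"
IFEO_KEY = "\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\"

# Assumed: file types an attacker lowers to "low risk" so Attachment Manager
# stops warning when they are opened. Constructed list, not from the article.
EXECUTABLE_TYPES = {".exe", ".jar", ".vbs", ".js", ".bat", ".cmd", ".scr", ".ps1"}

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}}.
    Handles [KEY] headers, "name"=data and @=data lines, comments, and
    backslash-continued hex(...) values (joined into one raw string)."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                      # continuation of a hex value
            name, data = pending
            data += line.rstrip("\\")
            pending = (name, data) if line.endswith("\\") else None
            if pending is None:
                keys[current][name] = data
            continue
        if not line or line.startswith(";") or line.lower().startswith("windows registry editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1)
            data = m.group(2)
            if data.endswith("\\"):
                pending = (name, data.rstrip("\\"))
            else:
                keys[current][name] = data
    return keys


def _dword(data):
    m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", data or "")
    return int(m.group(1), 16) if m else None


def _string(data):
    if data and len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return None


def triage(text):
    """Return [(severity, finding)] for every tampering pattern found in the .reg text."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.endswith(ATTACHMENTS_KEY):
            if _dword(values.get("SaveZoneInformation")) == 1:
                findings.append(("high", f"{key}: SaveZoneInformation=1 stops Mark-of-the-Web being kept on downloads"))
            if _dword(values.get("ScanWithAntiVirus")) == 1:
                findings.append(("high", f"{key}: ScanWithAntiVirus=1 turns off antivirus scanning of attachments"))
            low = _string(values.get("LowRiskFileTypes")) or ""
            risky = sorted(t for t in (x.strip().lower() for x in low.split(";")) if t in EXECUTABLE_TYPES)
            if risky:
                findings.append(("high", f"{key}: LowRiskFileTypes makes {', '.join(risky)} open without a warning"))
        elif k.endswith(SYSTEM_POLICY_KEY):
            if _dword(values.get("DisableTaskMgr")) == 1:
                findings.append(("medium", f"{key}: DisableTaskMgr=1 keeps the victim from inspecting processes"))
        elif IFEO_KEY in k:
            debugger = _string(values.get("Debugger"))
            if debugger is not None:
                target = key.rsplit("\\", 1)[-1]
                findings.append(("high", f"{key}: Debugger={debugger!r} runs instead of {target} on every launch"))
    return findings


# Constructed sample modelled on the categories the article names; not the real dropped file.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
"ScanWithAntiVirus"=dword:00000001
"LowRiskFileTypes"=".exe;.jar;.vbs;.bat;.txt"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

; examplescanner.exe is a placeholder for a security product's executable
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\examplescanner.exe]
"Debugger"="svchost.exe"

[HKEY_CURRENT_USER\Software\Example\Harmless]
"Theme"="dark"
"Blob"=hex:00,01,\
  02,03
'''

if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_REG):
        print(f"[{severity}] {finding}")
```

The script reports rather than scores: an IFEO Debugger entry also has legitimate uses (developer debuggers, GFlags), so the finding needs the Debugger value inspected, which is why it is printed in full.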

Next, it creates an installation ID and writes it to a text file at a randomly generated path. The attackers use this ID to identify the infected machine.

[Screenshot: email 9, the dropped VBS files]

After that, it drops and runs two VBS files that detect the antivirus and other security software installed on the system.

[Screenshot: email 11, the startup key]

Then it adds a startup key so that it runs after every restart. The autorun value is written for the current user only (under HKCU), so no alarming UAC prompt appears. The malware is then launched from its new location.

[Screenshot: email 12, the dropped JAR file]

Whether executed from the new location or after a system restart, it drops another .JAR file, named "_0.<random_number>.class", into the Temporary folder and runs it.

[Screenshot: email 13, the JAR launched via the WMIADAP application]

Significantly, the .JAR is launched via the WMIADAP application. Because WMIADAP is the name of a legitimate Windows component (the WMI performance adapter, whose genuine binary lives in System32\wbem), some security products might allow its execution without any restriction: one more trick to bypass protection. A practitioner checking a host should therefore look at the image path and command line of any WMIADAP process, since the real one is never started with JAR arguments.
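The taskkill burst described earlier and the persistence and WMIADAP tricks described here all leave a trail in host telemetry. The Python below is an added example, not Comodo's detection logic: it runs four checks over a Sysmon-style list of process-creation and registry-set events and returns what it finds. The events are constructed for illustration, the field names are an assumption, the process names in the taskkill list, the user name, paths and PIDs are placeholders, and the per-user hive is assumed to be reported with the HKCU prefix.

```python
"""Hunt in host telemetry for the behaviour the analysis describes: a burst of
taskkill calls, a per-user Run-key autorun, a _0.<n>.class file run from Temp and
a JAR started under the WMIADAP name. Added example; events are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WBEM_DIR = "\\windows\\system32\\wbem\\"          # where the genuine WMIADAP.exe lives
DROPPED_CLASS_RE = re.compile(r"_0\.\d+\.class\b", re.I)
JAVA_ARGS_RE = re.compile(r"\.(?:jar|class)\b|\s-jar\b|\s-cp\b", re.I)
# Assumed: the collector reports the per-user hive as HKCU (Sysmon itself reports HKU\<SID>).
HKCU_RUN_RE = re.compile(r"^hkcu\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
USER_WRITABLE = (".jar", ".vbs", ".js", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def masquerading_wmiadap(ev):
    """A WMIADAP.exe outside System32\\wbem, or one given Java arguments, is not the real one."""
    if ev["type"] != "process" or _basename(ev["image"]) != "wmiadap.exe":
        return False
    return WBEM_DIR not in ev["image"].lower() or JAVA_ARGS_RE.search(ev["cmdline"]) is not None


def temp_class_launch(ev):
    """Any process whose command line points at a _0.<number>.class file under a Temp directory."""
    return (ev["type"] == "process" and DROPPED_CLASS_RE.search(ev["cmdline"]) is not None
            and re.search(r"\\temp\\", ev["cmdline"], re.I) is not None)


def hkcu_run_persistence(ev):
    """A Run value under HKCU whose data points at a script, a JAR or a user-writable path."""
    if ev["type"] != "registry" or not HKCU_RUN_RE.match(ev["target"]):
        return False
    details = ev["details"].lower()
    return any(marker in details for marker in USER_WRITABLE)


def taskkill_bursts(events, threshold=5, window=timedelta(seconds=10)):
    """Parents that spawn >= threshold taskkill processes inside one window -> {ppid: max count}."""
    by_parent = defaultdict(list)
    for ev in events:
        if ev["type"] == "process" and _basename(ev["image"]) == "taskkill.exe":
            by_parent[ev["ppid"]].append(ev["time"])
    hits = {}
    for ppid, times in by_parent.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                hits[ppid] = max(hits.get(ppid, 0), count)
    return hits


def triage(events):
    """Return [(rule, detail)]: burst findings first, then per-event findings in event order."""
    findings = [("taskkill_burst", f"pid {ppid} spawned {n} taskkill processes within 10 s")
                for ppid, n in taskkill_bursts(events).items()]
    for ev in events:
        if masquerading_wmiadap(ev):
            findings.append(("wmiadap_masquerade", f"pid {ev['pid']}: {ev['image']} {ev['cmdline']}"))
        if temp_class_launch(ev):
            findings.append(("temp_class_launch", f"pid {ev['pid']}: {ev['cmdline']}"))
        if hkcu_run_persistence(ev):
            findings.append(("hkcu_run_persistence", f"pid {ev['pid']}: {ev['target']} = {ev['details']}"))
    return findings


# Constructed events (not real telemetry); process names, user, paths and PIDs are placeholders.
_T0 = datetime(2018, 9, 10, 5, 2, 0)

def _proc(sec, pid, ppid, image, cmdline):
    return {"type": "process", "time": _T0 + timedelta(seconds=sec), "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}

def _reg(sec, pid, target, details):
    return {"type": "registry", "time": _T0 + timedelta(seconds=sec), "pid": pid,
            "target": target, "details": details}

SAMPLE_EVENTS = [
    _proc(i + 1, 1200 + i, 900, "C:\\Windows\\System32\\taskkill.exe", f"taskkill /IM {name} /F")
    for i, name in enumerate(["avproduct.exe", "fwservice.exe", "edrsvc.exe",
                              "monitor.exe", "guard.exe", "shield.exe"])
] + [
    _proc(20, 1300, 900, "C:\\Windows\\System32\\reg.exe",
          "reg import C:\\Users\\alice\\AppData\\Local\\Temp\\settings.reg"),
    _reg(25, 900, "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update",
         "\"C:\\Users\\alice\\AppData\\Roaming\\update\\update.jar\""),
    _proc(30, 1400, 900, "C:\\Users\\alice\\AppData\\Roaming\\update\\WMIADAP.exe",
          "WMIADAP.exe -jar C:\\Users\\alice\\AppData\\Local\\Temp\\_0.62831.class"),
    _proc(40, 1500, 4, "C:\\Windows\\System32\\wbem\\WMIADAP.exe", "wmiadap.exe /F /T /R"),  # genuine
    _reg(45, 2000, "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
         "\"C:\\Program Files\\OneDrive\\OneDrive.exe\" /background"),                   # benign
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The genuine WMIADAP event and the OneDrive Run value are included so the checks can be seen not to fire on ordinary activity; the taskkill threshold and window are starting points to tune against a host's own baseline.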

Now comes the moment of truth: we can see the real face of the malware attacking the banks' clients. It is a backdoor written in Java, detected as TrojWare.Java.JRat.E. Its purpose is to give the attackers unauthorized remote access to the infected machines.

[Screenshot: email 14, contents of the JAR package]

As you can see in the screenshot, the JAR package contains an encrypted file, "mega.download". Decrypted, it reveals the malware's properties:

[Screenshot: email 15, decrypted "ywe" data]

What is left is to find out what is hiding behind the "ywe.u" resource.

[Screenshot: email 16, the malware's .CONFIG file]

Next, we can extract and decrypt the malware's .CONFIG file to discover its configuration options.

[Screenshot: email 17, decrypted configuration data]

And here you go! We can now see that the malware connects to the attackers' server at 185.148.241.60 to report the new infection and then waits for instructions from the perpetrators. Outbound connections to that address, particularly from a Java process, are the network indicator to hunt for.

[Screenshot: email 18, captured traffic filtered to the C2 conversation]

You must be wondering how exactly the malware harms the user. Like any backdoor, it gives the cybercriminals covert access to the compromised machine and thus hands it over to their total control. They can steal information, install further malware, or use the infected machine to spread malware and attack other users all over the world.

"It's definitely a more complicated attack than it seems to be at first sight," says Fatih Orhan, Head of the Comodo Threat Research Labs. "It's not regular phishing to steal banking credentials but an effort to implant malware that gives the attackers total control of the infected machines for a long time, while victims might remain unaware of the fact that their computers are in the perpetrators' hands.

Meanwhile, the perpetrators can covertly utilize the compromised machines in different ways for their multiple criminal purposes and profit. For example, initially they can steal credentials for a victim's accounts. Then they can use an infected machine as part of a botnet to spread malware or conduct DDoS attacks on other users. Besides that, they can constantly spy on the victims' activity.

Also, the scope of the attacks is impressive. It looks like the attackers tried to create a network of thousands of controlled computers for conducting multiple attacks around the world. I hate to think how many users would have been victimized if Comodo hadn't stopped those attacks."
Live secure with Comodo!

The heatmaps and IPs used in the attacks

Türkiye İş Bankası

The attack was conducted from IPs in Turkey, Cyprus and the USA. It started on September 10, 2018 at 05:01:49 UTC and ended on September 10, 2018 at 07:10:10 UTC.

[Heatmap: email 19, Türkiye İş Bankası campaign]

The IPs used in the attack

Country  IP               Emails
CY       93.89.232.206    161
TR       79.123.150.10    2
TR       85.159.70.243    1
US       64.50.180.173    1
US       67.210.102.208   336

Garanti Bankasi

The attack was conducted from IPs in Cyprus and the United Kingdom. It started on September 24, 2018 at 09:38 UTC and ended on September 26, 2018 at 11:01:10 UTC.

[Heatmap: email 20, Garanti Bankasi campaign]

The IPs used in the attack

Country  IP                Emails
CY       93.89.232.206     184
GB       163.172.197.245   240

T.Halk Bankasi

The attack was conducted from IPs in Cyprus, the United Kingdom, Turkey, the United States and India. It started on September 24, 2018 at 10:28:06 UTC and ended on September 27, 2018 at 14:54:55 UTC.

[Heatmap: email 21, T. Halk Bankasi campaign]

Top 5 of the IPs used in the attack

Country  IP               Emails
US       67.210.102.208   629
CY       93.89.232.206    152
TR       185.15.42.74     36
US       172.41.40.254    24
TR       95.173.186.196   17

[Heatmap: email 22, Cyprus]

T.C. Ziraat Bankasi

The attack was conducted from IPs in Turkey and Cyprus. It started on September 05, 2018 at 12:55:50 UTC and ended on September 24, 2018 at 09:32:18 UTC.

[Heatmap: email 23, T.C. Ziraat Bankasi campaign]

The IPs used in the attack

Country  IP              Emails
CY       93.89.232.206   105
TR       31.169.73.61    279

Yapi ve Kredi Bankasi

The attack was conducted from IPs in Turkey, South Africa and Germany. It started on September 25, 2018 at 09:54:48 UTC and ended on September 26, 2018 at 15:10:49 UTC.

[Heatmap: email 24, Yapi ve Kredi Bankasi campaign]

Top 5 IPs used in the attack

Country  IP               Emails
TR       31.169.73.61     374
TR       193.192.122.98   129
TR       194.27.74.55     26
TR       193.140.143.15   20
TR       193.255.51.105   10
