In the previous part of this article, we covered the different banking malware families, the most common ways you can get infected by malware, and the consequences of an infection.
Let’s look briefly at the techniques attackers use to smuggle malicious content onto your computer. At the end of every chapter we’ve added information on how to prevent each technique.
Desktop Malware Coming from Spam/Phishing e-mail
Excel File With Macros
Microsoft Office applications, specifically Word and Excel, feature powerful macro languages, and macros are still a popular method for malware delivery. These days macros are disabled in the applications by default, so the malware author must convince the user to enable them before the malware gets executed. An infected file is usually delivered by e-mail, and it can also be packed inside a ZIP file.
Prevention: Think twice before opening any file, and verify any suspicious e-mail with the sender via a channel other than e-mail (e.g., by phone).
EXE File Masquerading With a Different Extension in Its Name
File extensions are usually hidden from the user. The attacker exploits this by adding an Office extension to the file name to persuade the user they are opening an Office file. The name appears, for example, as Invoice.xlsx while the “.exe” stays hidden, but the full file name is actually Invoice.xlsx.exe, and the malware gets executed when the user opens it.
Prevention: Check the file properties before opening, and verify the e-mail with the sender via a channel other than e-mail; if you are unsure or unable to verify, upload the file to a free online malware scanner.
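The two e-mail delivery tricks above (a macro-enabled Office document and an executable hiding behind a document extension) can both be caught by a mail gateway or a help desk before the user ever opens the attachment. The following Python script is an added example written for this article, not ThreatMark’s code: it checks the real (last) extension of an attachment name, looks inside Office Open XML files for the vbaProject.bin part that holds VBA macros, and descends into ZIP archives. The sample attachments at the bottom are constructed in memory for the demonstration; none of them is a real file.

```python
import io
import zipfile

# Extensions a user reads as "a document"; the set is an assumption of this example
DOCUMENT_EXTENSIONS = {"xlsx", "xlsm", "docx", "docm", "pdf", "txt", "jpg"}
# Extensions Windows runs as a program when the file is double-clicked
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Office Open XML formats, which are ZIP containers
OOXML_EXTENSIONS = {"xlsx", "xlsm", "docx", "docm", "pptx", "pptm"}
MAX_ZIP_DEPTH = 3


def true_extension(filename):
    """Windows decides what to run by the LAST extension, whatever comes before it."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def is_masquerading(filename):
    """Invoice.xlsx.exe -> True: a document-looking extension in front of an executable one."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    decoy, real = parts[-2], parts[-1]
    return decoy in DOCUMENT_EXTENSIONS and real in EXECUTABLE_EXTENSIONS


def has_vba_macros(data):
    """An OOXML document stores its VBA project as a vbaProject.bin part inside the ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data, depth=0):
    """Return a list of human-readable findings for one attachment, descending into ZIPs."""
    findings = []
    if is_masquerading(filename):
        findings.append(f"{filename}: executable hidden behind a document extension")
    ext = true_extension(filename)
    if ext in OOXML_EXTENSIONS and has_vba_macros(data):
        findings.append(f"{filename}: Office document contains a VBA macro project")
    if ext == "zip":
        if depth >= MAX_ZIP_DEPTH:
            findings.append(f"{filename}: ZIP nested too deeply, not inspected")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    findings.extend(triage_attachment(name, zf.read(name), depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"{filename}: not a valid ZIP archive")
    return findings


# --- constructed sample attachments (built in memory; nothing here is a real file) ---

def build_ooxml(with_macro):
    """Minimal stand-in for an Office document: a ZIP with (optionally) a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


def build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


SAMPLE_ATTACHMENTS = {
    "Invoice.xlsx": build_ooxml(with_macro=False),
    "Invoice.xlsm": build_ooxml(with_macro=True),
    "Invoice.xlsx.exe": b"MZ constructed stub, not a real executable",
    "documents.zip": build_zip({
        "Invoice.docm": build_ooxml(with_macro=True),
        "Invoice.pdf.scr": b"MZ constructed stub",
    }),
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(name, "->", triage_attachment(name, data) or ["no findings"])
```

A macro finding is not proof of malice (finance departments legitimately exchange .xlsm files), which is why the output is a list of findings for a human to weigh alongside the sender verification the article recommends, rather than a block/allow verdict.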
Visiting Pages Where Vulnerable Flash Is Loaded: Flash Opens Windows PowerShell and Executes Code (File-less Malware Attack)
Attackers try to exploit potential software vulnerabilities to take control of the affected system. When the user visits such a page, malicious content is loaded into Flash, and the vulnerable player enables the attacker to exploit these vulnerabilities.
Prevention: Always update Flash Player and other software to the most current version.
Malware Code Execution via Webinjection Technique
Webinjects are usually used for stealing sensitive data, such as cookies or sessions (man-in-the-middle attack), or for transaction tampering.
Prevention: Install only trusted software from trusted sources, and check reviews before installation.
Clickjacking
Tricking users into clicking on a website element that is disguised as another one, using transparent or concealed layers, is another way malware can get onto your computer. The user simply clicks on a seemingly harmless popup, but malware is downloaded instead.
Prevention: Mostly done in the website configuration. Users can install a browser add-on that prevents clickjacking.
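The “website configuration” side of the prevention above comes down to two response headers: the Content-Security-Policy frame-ancestors directive and the older X-Frame-Options header, which together tell the browser whether a page may be placed inside another site’s frame. The following Python function is an added example for this article (not ThreatMark’s code) that evaluates a set of response headers the way a browser would; the sample responses are constructed and the host names in them are placeholders.

```python
# Evaluate whether a page's response headers stop it from being framed by another site,
# which is the server-side defence against clickjacking.


def frame_ancestors_sources(csp):
    """Return the source list of the frame-ancestors directive, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def frame_protection(headers):
    """Return (protected, reason) for a dict of response headers in any letter case."""
    lower = {k.lower(): v for k, v in headers.items()}
    # A CSP frame-ancestors directive takes precedence over X-Frame-Options when both are sent
    ancestors = frame_ancestors_sources(lower.get("content-security-policy", ""))
    if ancestors is not None:
        if "*" in ancestors or "http:" in ancestors or "https:" in ancestors:
            return False, "frame-ancestors allows any origin to frame the page"
        shown = " ".join(ancestors) if ancestors else "'none' (empty source list)"
        return True, "CSP frame-ancestors restricts framing to " + shown
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo} (legacy header, still honoured by browsers)"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by modern browsers"
    return False, "no framing restriction: the page can be embedded in a third-party frame"


# Constructed sample responses; the partner host name is a placeholder
SAMPLE_RESPONSES = {
    "login-modern": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "login-legacy": {"X-Frame-Options": "SAMEORIGIN"},
    "partner-widget": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "misconfigured": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "unprotected": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        protected, reason = frame_protection(headers)
        print(f"{name:15} {'OK ' if protected else 'BAD'} {reason}")
```

The "misconfigured" sample is the case worth remembering: a permissive frame-ancestors directive silently overrides an X-Frame-Options DENY sent on the same response, so adding CSP without reviewing that directive can remove protection an older header was already providing.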
Other file-less malware
File-less malware leverages trusted processes such as PowerShell (Ramnit Trojan), Microsoft Office macros (Ursnif), or WMI. The malicious code is present in already installed legitimate desktop applications (such as a web browser) or mobile apps (usually to spy on users).
Prevention: Difficult. Understanding the environment of your devices and operating system plays a significant role.
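Both file-less sections above (Flash launching PowerShell, and malware living in PowerShell, Office macros or WMI) share one detectable trait: a program that handles untrusted content spawns a signed Windows script host. Because no file is dropped, process-creation telemetry is what a SOC has to work with. The following Python detector is an added example for this article, not ThreatMark’s code; it parses constructed Sysmon-style process creation lines (not real telemetry) and alerts when an Office application or browser plugin host launches PowerShell, WMIC or similar binaries, adding command-line indicators such as hidden windows or encoded arguments. The process and argument lists are assumptions of this example, not a complete rule set.

```python
import re

# Sysmon-style process creation events, constructed for this example (not real telemetry)
SAMPLE_EVENTS = r"""
2024-01-10T09:12:01Z ParentImage=C:\Program Files\Microsoft Office\EXCEL.EXE Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -nop -w hidden -enc QQBCAEMA
2024-01-10T09:12:05Z ParentImage=C:\Windows\explorer.exe Image=C:\Program Files\Microsoft Office\EXCEL.EXE CommandLine=EXCEL.EXE Invoice.xlsm
2024-01-10T09:13:40Z ParentImage=C:\Program Files\Mozilla Firefox\plugin-container.exe Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic.exe os get name
2024-01-10T09:15:00Z ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -File C:\Scripts\backup.ps1
""".strip().splitlines()

EVENT_RE = re.compile(r"^(\S+) ParentImage=(.+?) Image=(.+?) CommandLine=(.*)$")

# Applications that open untrusted content and have no business starting a script host
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSER_HOSTS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe", "plugin-container.exe"}
# Signed Windows binaries that file-less malware uses to run code without dropping a file
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "wmic.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line fragments that point at hidden or encoded execution (assumed list)
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop",
                   "downloadstring", "iex ", "invoke-expression")


def basename(path):
    """Last path component, lower-cased, so EXCEL.EXE and excel.exe compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, parent, image, cmdline = m.groups()
    return {"ts": ts, "parent": basename(parent), "image": basename(image), "cmdline": cmdline}


def detect_fileless(lines):
    """Return one alert per script host spawned by a document handler or browser process."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["image"] not in SCRIPT_HOSTS:
            continue
        if ev["parent"] in DOCUMENT_HANDLERS:
            origin = "Office application"
        elif ev["parent"] in BROWSER_HOSTS:
            origin = "browser or plugin host"
        else:
            continue  # e.g. a scheduled script under svchost.exe is routine administration
        indicators = [f"{origin} {ev['parent']} spawned {ev['image']}"]
        low = ev["cmdline"].lower()
        indicators += [f"suspicious argument: {a.strip()}" for a in SUSPICIOUS_ARGS if a in low]
        alerts.append({"ts": ev["ts"], "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in detect_fileless(SAMPLE_EVENTS):
        print(alert["ts"], "; ".join(alert["indicators"]))
```

The parent-child relationship is the primary signal; the argument matches only raise confidence. The fourth sample line shows why the parent matters: PowerShell started by a service host running a backup script is normal and produces no alert, while the same binary started by Excel does.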
Mobile malware tricks
As said before, malware often misuses app permissions and tricks users into granting them. The following are examples of how such permissions are misused.
Overlay
Attackers use an overlay technique to render an extra layer on top of other apps. Overlays can intercept user input intended for the underlying app and capture sensitive data. This attack can be combined with a clickjacking attack on apps. Also known as “UI redressing”, it is an interface-based attack in which the malware overlays a window on top of a legitimate application. It then asks the user to click in certain places in the overlay while at the same time propagating the user’s actions to the application below the overlay. This way, the malware can trick the user into almost any activity, while the user remains unaware of what is actually going on below the overlay.
Prevention: Look closely at which apps have the SYSTEM_ALERT_WINDOW permission enabled. This permission (if enabled) allows the malware to draw overlays.
SMS Permissions
If malware requests access to SMS messaging and the user grants it, it might lead to leakage of OTPs (one-time passwords). Malware can forward the password to the attacker over HTTP or directly by re-sending all received SMS messages.
Prevention: The suspicious permissions are namely READ_SMS, RECEIVE_SMS, and SEND_SMS.
Accessibility Service Abuse
The Accessibility Service is part of the Android operating system. It allows people with disabilities to use their phones without obstacles. Malware of the Anubis family (described in Part 1 of this article) serves as a perfect example of the accessibility abuse attack. When the malware succeeds in receiving the accessibility service permission, it can grant itself any further permission it wants and gain access to OTP/2FA, as we described earlier on our blog.
Prevention: Watch out for BIND_ACCESSIBILITY_SERVICE.
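The three prevention notes above all reduce to reading an app’s permission declarations, which is something an app-vetting team can automate over a decoded AndroidManifest.xml. The following Python script is an added example for this article (not ThreatMark’s code): it flags the permissions the article names and, as a heuristic that is this example’s own assumption rather than a rule from the article, reports when overlay capability is combined with an OTP path (SMS access or an accessibility service). Both manifests are constructed; the package names and service name are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions named in the article, mapped to the abuse each one enables
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay / UI redressing",
    "android.permission.READ_SMS": "reading OTP codes from stored SMS",
    "android.permission.RECEIVE_SMS": "intercepting OTP codes as they arrive",
    "android.permission.SEND_SMS": "forwarding OTP codes by SMS",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service abuse",
}
SMS_PERMISSIONS = {p for p in SUSPICIOUS_PERMISSIONS if p.endswith("_SMS")}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def review_manifest(manifest_xml):
    """Return a sorted list of (permission, why it matters) found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for elem in root.iter("uses-permission"):
        if elem.get(NAME, "") in SUSPICIOUS_PERMISSIONS:
            found.add(elem.get(NAME))
    # BIND_ACCESSIBILITY_SERVICE is not requested with <uses-permission>: the app declares a
    # <service> protected by that permission, which is what lets the system bind to it
    for svc in root.iter("service"):
        if svc.get(PERMISSION, "") in SUSPICIOUS_PERMISSIONS:
            found.add(svc.get(PERMISSION))
    return sorted((p, SUSPICIOUS_PERMISSIONS[p]) for p in found)


def banking_trojan_pattern(findings):
    """Heuristic assumed by this example: overlay capability plus an OTP path (SMS or
    accessibility) is the combination the article describes, and deserves manual review."""
    perms = {p for p, _ in findings}
    return OVERLAY in perms and (bool(perms & SMS_PERMISSIONS) or ACCESSIBILITY in perms)


# Constructed manifest of a "flashlight" app that asks for far more than it needs
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Flashlight">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of a messaging app: SMS permissions are expected here, no overlay
MESSAGING_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.messenger">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Messenger"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("flashlight", SUSPICIOUS_MANIFEST), ("messenger", MESSAGING_MANIFEST)):
        findings = review_manifest(xml)
        print(label, "->", findings, "| trojan pattern:", banking_trojan_pattern(findings))
```

The messenger manifest shows why the article says to look closely rather than to reject outright: an SMS app legitimately needs the SMS permissions, and the finding becomes alarming only when an app whose purpose does not involve messages requests them, or combines them with overlay or accessibility access. An APK stores its manifest in a binary XML encoding, so decode it first (apktool, or aapt’s xmltree dump) before feeding it to review_manifest.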
Abusing Android’s Multitasking System
An example of abusing multitasking is the StrandHogg vulnerability. It makes it possible for a malicious app to ask for a permission while pretending to be a legitimate application. For example, the malware can ask for permission to read SMS messages when the victim opens the legitimate SMS application.
Keylogging
Applications using keylogging usually combine phishing techniques with the ability to misuse permissions (overlay/SMS rights) to make a payment transaction on the user’s behalf.
Trojanization of App
Probably the rarest attack listed. It consists of legitimate apps that, after an update, serve as malware droppers – they install additional apps on the device, which can be malicious.
Without any doubt, we will hear more and more about mobile attacks. The mobile platform is becoming the primary banking tool for most people. Attackers are logically targeting mobile apps and exploiting new ways to fool users. Nowadays, with sophisticated methods emerging every day, even trained and security-aware users might be tricked and eventually robbed.
ThreatMark’s solution is designed with layered security in mind, as described by Gartner. ThreatMark’s AFS provides a holistic view across all channels, the only way to reveal sophisticated types of online fraud.
Contact ThreatMark to find out more about our philosophy and let us describe why our customers report massive improvement in cyber-threat detection capabilities.