Threat Intelligence

Operation Emmental: Banking Hit by Even More Sophisticated Cyber Attacks

Pierluigi Paganini
August 16, 2014 by
Pierluigi Paganini

Operation Emmental

Security experts at Trend Micro have recently uncovered a hacking campaign dubbed "Operation Emmental" which targeted Swiss bank accounts with a multi-faceted attack.

Bad actors were able to bypass the two-factor authentication mechanism used by the bank to secure its customers' accounts. The researchers at TrendMicro coded the campaign as "Operation Emmental" due the presence of numerous holes in banking security implemented by financial institutions, exactly like the popular Swiss Emmental cheese. The attackers used a malware to bypass security mechanisms implemented by the bank. The malicious code was designed to intercept SMS tokens used to authorize banking transactions. Bad actors behind the Operation Emmental also used the malware to change the domain name system (DNS) settings to hijack victims of rogue bank websites, which are a replica of legitimate ones and were used for phishing attacks.

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

The cyber criminals have been trying to violate the bank customers' accounts in different countries, including in Switzerland, Austria, Japan and Sweden. Investigators suspect that Russian-speaking individuals are responsible for the Operation Emmental due to clues discovered in the source code analyzed by the malware researchers.

"The attackers in this case who are most likely to be based in a Russian-speaking country set up a system that could defeat the session token protectionA log message in the app, 'Obnilim rid', is Russian slang that translates to 'set to zero' … A Russian speaker based in Romania could be responsible for the whole operation," states the official report issued by TrendMicro.

In the first stage of the Emmental attack, the criminals send a fake email pretending to be sent by a legitimate and well-known entity. The attackers distributed the malware with an apparently harmful Control Panel (.cpl) attachment. The file attached to the mail is used to inoculate the malicious code through a bogus Windows update tool.

Figure - Operation Emmental - Malicious attachment

Once the victim's machine is infected, the malware redirects the bank customer to domains controlled by the attackers. This is possible by modifying the device's Domain Name System (DNS) settings. As a consequence, every time the customers try to access bank websites, they are redirected to a phishing page. Operation Emmental targeted users worldwide – researchers at TrendMicro have discovered that at least 34 financial institutions were victims of the hacking campaign, six of which are in Austria, five in Japan, 16 in Switzerland, and seven in Sweden.

The attackers implemented another trick to improve the efficiency of their operation and remain under the radar: the malware, once it has infected the host machine, installs a new root Secure Sockets Layer (SSL) certificate. The presence of this digital certificate prevents the Web browser from warning victims when they land on phishing websites used by bad actors.

As anticipated, the cyber criminal gang which manages Operation Emmental used phishing attacks to gather bank customers' personal information and other sensitive data, including username, bank account number, PIN, and any other information for the authentication process. The attackers, to bypass the two-factor authentication process implemented by banks, instruct victims to install a malicious Android application, which appears to be designed by the targeted banks. The app provides users with an authentication code, which must be entered on the fake website to complete the authentication process, but in reality, it is just a trick to get users to install the malicious app on their mobile devices.

Figure - Malicious mobile app used by bad actors behind Operation Emmental

The malicious app is used by attackers to intercept the session tokens sent by banks via SMS and forward them to the command and control (C&C) server. The criminals use the session tokens with all the other data they gathered with the phishing campaign to bypass the authentication process.

"In reality, the app waits for an SMS from the bank, which provides a legitimate session token. When received, the app silently hijacks the communication and forwards the stolen information to the attackers' C&C server. This would allow them to conduct banking transactions in the guise of bank customers. In case of absence of Internet connectivity, the app can also forward stolen session tokens via SMS. It also has the capability to transfer personally identifiable information (PII) such as phone number, phone model, Global System for Mobile Communications (GSM) operator, country/region, and other data from victims' phones to the C&C server. The malicious app also registers its own SMS listener service and has its own SQLite database to store messages and settings. It also has the ability to receive remote commands. The SMS listener service executes every time an infected Android mobile phone is booted," states the report issued by Trend on the Operation Emmental.

Experts at Trend Micro also highlighted that the malware used in Operation Emmental deletes itself from the machine once it completes its task. This feature has been implemented to remain hidden to the security firms, making successive investigations more difficult.

Operation Emmental is considered to be one of the most sophisticated operations, as it targeted online banking protection systems implemented by financial institutions in several countries.

The attackers have demonstrated high technical capabilities and a deep knowledge of different technologies, including malware design, mobile app development, and Public Key Infrastructure (PKI).

"Operation Emmental is an attack that has very likely evolved over time."

This consideration has to trigger an alert in the financial sector. In order to counter the emerging cyber threats, it is necessary to take a layered approach to cyber security and a multinational effort of law enforcement agencies and private companies.

I consider Operation Emmental one of the most complex hacking campaigns, which to have hit the financial industry. The bad actors behind it have adopted principal evasion techniques to make difficult the detection of the malicious agents used to by-pass the banking protection systems. As explained by experts at TrendMicro, the attackers have implemented a sophisticated infrastructure to conduct the attack. Let's remember that they designed a non-persistent Windows malware binary, a rogue DNS resolver server, and a malicious Android Application which reproduced a layout of targeted banks, a phishing server hosting different bogus bank websites, and of course a Command and Control infrastructure.

I'm afraid that this is just the tip of the iceberg. Bad actors, once discovered by security firms, will improve their tactics to remain hidden. Probably in the future, the attackers will adopt different methodologies to infect banking customers, for example, using watering hole attacks that can hit websites with a great appeal for customers of the financial industry.

Despite that attribution is not easy in cases like this, many clues collected by the researchers suggest that bad actors behind the Operation Emmental are Russian speakers. The experts at TrendMicro were also able to see connection logs from underground sources from the owners of the malware used in the campaign.

"It turns out that most of them were from Romania. This made us think that one of the associates in this cybercriminal enterprise is based in that country. A Russian speaker based in Romania could be responsible for the whole operation. Or the brains behind the operation could be based in Russia and the Romanian connection only plays a small part in the attack," states the report.

Not only man-in-the-middle attacks; mobile malware is threatening banking

A man-in-the-middle attack (MITM) is type of attack which allows a bad actor to eavesdrop data into a communication between two parties by impersonating both parties. The attackers are able to access information that the two parties were exchanging with each other and inject new information.

Different cryptographic protocols implement endpoint authentication to prevent such type of attacks. Let's think, for example, to the SSL which makes use of PKI principles to authenticate one or both parties with a digital certificate signed by a mutually trusted certification authority. It is clear that within the industries most targeted by such type of attacks, there is the financial one.

In this specific case, the attackers did not use a man-in-the-middle attack. Instead, the activity detected by experts at Trend Micro was based on a first stage of a phishing campaign.

Cyber criminals are adopting increasingly sophisticated phishing attacks, as confirmed by the latest edition of the APWG Global Phishing Survey report. Phishers are concentrating their efforts to break into hosting providers with unprecedented success and abuse of their resources to conduct large-scale phishing campaigns.

Figure - Man-in-the-middle attack

The cyber gang behind Operation Emmental used a malware to install illegitimate certificates to trust a phishing website used in the attack scenario. With this trick, the attacker avoids security warnings from client side applications like common browsers. Malicious code used for the specific purpose are usually designed to operate as a local proxy for SSL/TLS traffic, and the installed illegitimate digital certificates could allow attackers to eavesdrop on traffic without triggering any warning, but according to the experts at TrendMicro, the malicious code used in the Emmental hacking campaign doesn't have this capability.

The installation of a fake root CA certificate on the compromised system allows attackers to arrange a phishing campaign. The bad actor just needs to set up a fake domain that uses SSL/TLS and passes certificate validation steps.

According to principal security expertsm cybercrime is increasing its interest in the exploitation of mobile malware to deceive banking customers and bypass protection mechanisms like two-factor authentication processes.

A mobile malware could be easily spread, and usually mobile users don't install any defensive solution on their device, advantaging the task of attackers. Principal banking malware like Zeus and SpyEye have been designed also to hit mobile devices. The infection process could be very effective if bad actors are able to deploy these malware on an official market. One of the most clamorous cases occurred in November 2012, when attackers deployed the malware Carberp on Google Play Store.

Bad actors deployed the malware on the official store in November (01/11/12) and first infections were observed in early December (03/12/12). Unfortunately, the banking Trojan was detected for the first time on December 11th (11/12/12) and removed from Google Play Store ten days later (13/12/12).

As explained in my previous post, the attack chain is composed of the following steps:

  • The victim's PC is infected with a desktop version of the malware.
  • When the victim visits the banking website for the first time on their PC, the malware opens a new window via web injection.
  • The injected code creates a message that requests the installation of an application on the user's mobile to continue the login process.
  • Users can get links to that application via scanning QR code or via SMS.
  • The victims get the malicious app from Google Play Store and install it.
  • Once installed on a mobile device, the app sends information about the device to a C&C.

Carberp allows the attacker to steal incoming messages containing one time passwords sent by banks to the customers to authorize the operations. All received messages are stored in a special text log file that's transferred to a C&C server.

Another interesting case is represented by the iBanking Trojan app distributed through HTML injection attacks on banking sites. iBanking deceives victims by impersonating as a 'Security App' for Android. Early in 2014, the source code of the iBanking mobile malware was leaked online through an underground forum. This circumstance has made possible the diffusion of many customized variants of the malware.

p style="text-align: center;">

Figura - iBanking

The iBanking mobile banking Trojan is available for sale in the underground market for $5,000 according the RSA's FraudAction Group. Also in this case, the malware is used to avoid the security mechanisms implemented by the banking websites, including two-factor authentication.

iBanking could be commanded via SMS or over HTTP beaconing the C&C server at every pre-defined interval, then pull and execute the command if one is awaiting it. The malware is able to perform the following operations:

  • Capture all incoming/outgoing SMS messages
  • Redirect all incoming voice calls to a different pre-defined number
  • In/out/missed call list capturing
  • Audio capturing via device's microphone
  • Phone book capturing
  • URL status: the mobile device will visit a provided URL, returning its status (possibly for click-fraud schemes.)

The last variant of iBanking detected by experts at ESET security firm exploits Facebook as vector of infection.

According to a report issued by ESET security researchers, the new version of iBanking, aka Android/Spy.Agent.AF, is targeting Facebook users by tricking them into downloading a malware application.

The new variant iBanking Trojan implements a web injection mechanism that was totally new for security experts. It uses JavaScript to inject content into Facebook web pages, in particular to create a fake Facebook Verification page for Facebook users. Once the victim logs into his Facebook account, iBanking tries to inject the following content into the webpage:

Figure - Fake Facebook verification page

The verification page was designed to request mobile numbers of victims in order to verify the Facebook account authenticity. In case the SMS fails to reach the user's mobile, one of the successive pages was designed to request the victim to download an Android app from a URL displaying or reading a QR code on the screen.

Once iBanking is downloaded, the bot start its activities. It connects to the C&C server to receive commands.

iBanking, or any other similar malware, represents a privileged choice for cyber criminals due to its ability to bypass two-factor authentication. The criminal underground is increasing its offer to be especially oriented to mobile solutions. iBanking is considered a sophisticated solution, according to experts at ESET, who compared it to other banking Trojans like Perkele.

Another alarming hypothesis is that this Facebook iBanking app might be distributed by other banking malware in the next months. Cybercriminals could start to adopt mobile components to attack other popular web services that enforce strong authentication.

The "commoditization" of malicious code and the code source leaks will sustain an offer that will increase in complexity and efficiency.

Man-in-the-Browser … not yet discovered

While cyber criminals are improving the efficiency of their malware, the banking industry is improving authentication processes to protect customers' accounts from unauthorized access. Recently, almost every financial institution has implemented multi-factor authentication such as OTPs (e.g. One-time password device/service such SMS or email) or a hardware token, but on the other side, cyber criminals are designing a growing number of malicious codes that implement a man-in-the-browser attack technique to overtake defense systems.

In the man-in-the-browser attack scenario, the attackers infect the victim's client component such as the browser to intercept the user's traffic, even if over a secure channel, and inject code in the browser to modify the user's experience on the Web.

The man-in-the-browser attack relies on the presence of the victim machine of a proxy malware that infects the user's browser, exploiting its vulnerabilities. The malware is able to access the user's data before it has been encrypted and modify the content of financial transactions in a stealthy mode.

The malware is able to bypass multi-factor authentication. Once the bank website authenticates that the user that has provided his credentials, the Trojan horse remains hidden, waiting for the victim's transactions. Thanks to injection mechanisms, the malware is able to modify the content returned by the browser during an operation on online banking, providing evidence of the success of the user's transaction, even if it has been modified.

Man-in-the-browser attacks appear in different forms like BHO (Browser Helper Object)/Active-X Controls, Browser Extension/Add-on/Plugin and API – Hooking.

Figure - Man-in-the-browser attack

The most popular banking Trojans such as Zeus, Carberp, Sinowal, Ramnit and Clampi have inbuilt MITB capabilities. According to security experts, the most efficient countermeasures against MITB are the out of band transaction verifications containing transaction details along with OTP, and on the bank's end, the adoption of fraud detection based on user behavior profiling.

In the following table are listed principal countermeasures adopted against a man-in-the-browser attack and their real effectiveness.

Conclusion: lesson learned from Operation Emmental

When analyzing the Emmental attack, we must consider the attack on both sides, from the bank's perspective and from the customer's perspective. The malware spread by attackers in the Emmental Campaign demonstrated a weakness in single-session token protection strategies still adopted by many banks and financial organizations. Customers of organizations adopting such methodologies are vulnerable to attacks based on bogus mobile apps. Fortunately, the security industry provides more advanced defensive solutions to avoid such incidents. Let's think for example to the use of multiple transaction authentication numbers (TANs) and card readers. The real problem is that such countermeasures represent a further cost for the organizations and increase in many cases the maintenance of the installed solutions. Due to the large diffusion of mobile devices, financial institutions are offering an increasing number of services through their mobile platforms, including authentication services, and it is natural that the cybercrime ecosystem will offer different solutions to arrange new sophisticated frauds.

If we consider the problem on the customer's side, we must be conscious that it is not a bank's responsibility to protect clients in phishing scenarios, especially when users install untrusted apps or visit compromised websites on their mobile devices. Banks have to inform their clients of the risks related to principal cyber threats, but in the majority of cases, customers' habits enlarge their surface of attack. Bad habits, like the installation of mobile apps from third parties app stores, are within the principal cause of success for cyber attacks.

Probably bad actors behind the Emmental campaign will simply adapt their tactics to remain undetected after security firms have discovered their operations. When the banking industry is alerted that groups of criminals are exploiting new methods to hit banking customers, it is necessary that banking customers, law enforcement agencies worldwide, and private companies will work together to prevent new waves of financially motivated cyber attacks.




Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.