Massive Phishing Attacks Hit Turkish Banks Users. But … is it Just Phishing?


An unprecedented wave of phishing attacks hit the users of major banks in Turkey. Tens of thousands of poisoned emails dropped into users’ inboxes to covertly penetrate their computers and give the attackers total control over anyone unlucky enough to take the bait. Carrying sophisticated and hard-to-discover malware as attachments, the phishing waves were sent from many countries around the world but were stopped by Comodo resources.

The emails: deception knocking at your inbox

The phishing emails imitated various messages from major Turkish banks — Türkiye İş Bankası, Garanti Bankasi, T.Halk Bankasi, Yapi ve Kredi Bankasi, T.C. Ziraat Bankasi.
The largest number of emails, 22567, were disguised as messages from Türkiye İş Bankası, the first and the largest bank in Turkey. The message in the screenshot below, in Turkish, reads: “5406 ** ** 9306 dated September 10, 2018, is attached to the details of your Credit Card statement”.

phishing attacks

Another 424 emails imitated Garanti Bankasi messages…

email phishing

… and 865 pretended to be an email from T. Halk Bankasi A.S.

Phishing mail

…619 emails mimicked Yapi ve Kredi Bankasi

phishing attacks

… and another 279 wore the mask of T.C. Ziraat Bankasi.

Phishing Mails

All emails contain a “debt” message or a “credit card statement” to lure users into opening the attached files. Of course, the files contained malware. But of what kind?

The malware: opening the door for the enemy
In fact, all emails carried two types of malware files: .EXE and .JAR. Below is the analysis of the .JAR file conducted by the Comodo Threat Research Labs analysts.

malware file

Let’s see how this sneaky malware can harm users if they run it.
Firstly, it tries to detect and terminate security applications running on the target machine. It calls taskkill multiple times with a long list of executables from various vendors. Then it drops a .reg file and imports it into the registry.

malware exe file

This changes the Attachment Manager settings so that executable files received from the Internet run without any warning, disables Task Manager, and alters the IFEO (Image File Execution Options) registry keys of security applications.

Malware text file

Further, it creates an installation ID and stores it in a text file at a randomly generated path. The attackers use this ID to identify the infected machine.

VBS files

After that, it drops and runs two VBS files to detect the antivirus and firewall installed on the system.

startup key

Then it adds a startup key so that it runs after each restart. The autorun value is added for the current user only, so no alarming UAC prompt appears. It is then launched from the new location.
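The registry changes described above (the imported .reg file and the per-user autorun) are something a responder can check for directly. The following is an added example, not Comodo's code and not the real dropped .reg file: a small parser for .reg export files plus an audit that flags the Attachment Manager policy values (SaveZoneInformation, ScanWithAntiVirus, LowRiskFileTypes), DisableTaskMgr, an IFEO Debugger hijack and a per-user Run entry. The key paths and value meanings are the documented Windows ones; the sample .reg content, the executable name secagent.exe and the Run path are constructed for the example and are not taken from the campaign.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in .reg export syntax, modelled on the changes described
# (Attachment Manager policy, DisableTaskMgr, IFEO hijack, per-user Run key).
# NOT the real dropped file; "secagent.exe" and the Run path are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
"ScanWithAntiVirus"=dword:00000001
"LowRiskFileTypes"=".exe;.jar;.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secagent.exe]
"Debugger"="svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"JavaUpdate"="\"C:\\Users\\victim\\AppData\\Roaming\\jusched\\update.exe\""

[HKEY_CURRENT_USER\Software\Example\Harmless]
"Setting"=dword:00000002
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

RegKeys = Dict[str, Dict[str, Tuple[str, object]]]


def parse_reg(text: str) -> RegKeys:
    """Parse a .reg export (already decoded to str) into
    {key_path: {value_name: (type, data)}}. Handles REG_SZ and REG_DWORD;
    other value types are kept as raw text."""
    keys: RegKeys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(2) else m.group(1)
        data = m.group(3)
        if data.lower().startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # undo .reg escaping: \" -> "  and  \\ -> \
            keys[current][name] = ("REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1]))
        else:
            keys[current][name] = ("RAW", data)
    return keys


# Documented policy locations (compared case-insensitively, as the registry is).
_ATTACH = r"hkey_current_user\software\microsoft\windows\currentversion\policies\attachments"
_SYSTEM = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
_IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options" + "\\"
_RUN = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
)


def _dword(values: Dict[str, Tuple[str, object]], name: str):
    t, v = values.get(name, (None, None))
    return v if t == "REG_DWORD" else None


def audit_reg(keys: RegKeys) -> List[str]:
    """One finding per change that weakens the host the way the dropper did."""
    findings: List[str] = []
    for path, values in keys.items():
        p = path.lower()
        if p == _ATTACH:
            if _dword(values, "SaveZoneInformation") == 1:   # 1 = do not keep zone info
                findings.append("attachments: SaveZoneInformation=1 drops the Mark-of-the-Web from downloads")
            if _dword(values, "ScanWithAntiVirus") == 1:     # 1 = off, 2 = optional, 3 = on
                findings.append("attachments: ScanWithAntiVirus=1 turns off attachment scanning")
            if "LowRiskFileTypes" in values:
                findings.append(f"attachments: LowRiskFileTypes={values['LowRiskFileTypes'][1]} silences open warnings")
        elif p == _SYSTEM and _dword(values, "DisableTaskMgr") == 1:
            findings.append("policies: DisableTaskMgr=1 blocks Task Manager")
        elif p.startswith(_IFEO) and "Debugger" in values:
            target = path.rsplit("\\", 1)[-1]
            findings.append(f"ifeo: {target} hijacked via Debugger={values['Debugger'][1]}")
        elif p in _RUN:
            for name, (_, data) in values.items():
                findings.append(f"autorun: {name} -> {data}")
    return findings


if __name__ == "__main__":
    for f in audit_reg(parse_reg(SAMPLE_REG)):
        print(f)
```

A live system can be checked the same way by feeding the audit an export (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies policies.reg`, decoded from UTF-16 first). The harmless key in the sample produces no finding, which is the point of matching on exact policy paths rather than on the presence of a dword.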

JAR file

Executed from the new location or after a system restart, it drops another .JAR file, “_0.<random_number>.class”, into the Temp folder and runs it.

WMIADAP application

Significantly, the .JAR is launched via the WMIADAP application. Because WMIADAP.exe is a Windows component, some security software might allow its execution without any restriction: one more trick to bypass protection.
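Seen from the endpoint, the chain described above (a burst of taskkill calls, a registry import from a temp path, VBS files run from Temp, and Java started by WMIADAP.exe) is a sequence of process creations. The following added example, not part of the original analysis, runs four detection rules over constructed process events in the shape of Sysmon Event ID 1 records. The dropper name ekstre.exe, the killed process names, the .vbs names, the use of reg.exe for the import and the jar path are assumptions made for the sample; the page does not give them.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

Event = Dict[str, object]
TMP = r"c:\users\victim\appdata\local\temp"  # constructed victim path


def _ev(ts: str, pid: int, ppid: int, image: str, parent: str, cmd: str) -> Event:
    return {"ts": datetime.fromisoformat(ts), "pid": pid, "ppid": ppid,
            "image": image, "parent": parent, "cmd": cmd}


# Constructed events modelling the chain in the write-up. All file and process
# names are made up; WMIADAP.exe as the parent of javaw.exe is the point of the sample.
EVENTS: List[Event] = [
    _ev("2018-09-10T05:12:01", 4100, 1200, TMP + r"\ekstre.exe", r"c:\windows\explorer.exe", "ekstre.exe"),
    _ev("2018-09-10T05:12:02", 4101, 4100, r"c:\windows\system32\taskkill.exe", TMP + r"\ekstre.exe", "taskkill /F /IM secagent.exe"),
    _ev("2018-09-10T05:12:02", 4102, 4100, r"c:\windows\system32\taskkill.exe", TMP + r"\ekstre.exe", "taskkill /F /IM secagentui.exe"),
    _ev("2018-09-10T05:12:03", 4103, 4100, r"c:\windows\system32\taskkill.exe", TMP + r"\ekstre.exe", "taskkill /F /IM fwservice.exe"),
    _ev("2018-09-10T05:12:03", 4104, 4100, r"c:\windows\system32\taskkill.exe", TMP + r"\ekstre.exe", "taskkill /F /IM avmonitor.exe"),
    _ev("2018-09-10T05:12:05", 4105, 4100, r"c:\windows\system32\reg.exe", TMP + r"\ekstre.exe", "reg import " + TMP + r"\s.reg"),
    _ev("2018-09-10T05:12:06", 4106, 4100, r"c:\windows\system32\wscript.exe", TMP + r"\ekstre.exe", "wscript " + TMP + r"\av.vbs"),
    _ev("2018-09-10T05:12:06", 4107, 4100, r"c:\windows\system32\wscript.exe", TMP + r"\ekstre.exe", "wscript " + TMP + r"\fw.vbs"),
    _ev("2018-09-10T05:12:09", 4110, 900, r"c:\program files\java\jre\bin\javaw.exe", r"c:\windows\system32\wbem\wmiadap.exe", "javaw -jar " + TMP + r"\_0.48213.class"),
    # benign noise: an administrator killing notepad from a console, once
    _ev("2018-09-10T08:00:00", 5000, 1200, r"c:\windows\system32\cmd.exe", r"c:\windows\explorer.exe", "cmd.exe"),
    _ev("2018-09-10T08:00:05", 5001, 5000, r"c:\windows\system32\taskkill.exe", r"c:\windows\system32\cmd.exe", "taskkill /IM notepad.exe"),
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def _base(path: object) -> str:
    return str(path).rsplit("\\", 1)[-1].lower()


def _user_writable(s: str) -> bool:
    return any(frag in s.lower() for frag in USER_WRITABLE)


def detect(events: List[Event], burst_n: int = 3, window_s: int = 60) -> List[Tuple[str, str]]:
    """Return (rule, detail) alerts. Rules: taskkill burst from one parent,
    registry import from a user-writable path, .vbs run from a user-writable
    path, and java/javaw spawned by WMIADAP.exe."""
    alerts: List[Tuple[str, str]] = []
    kills: Dict[object, List[Event]] = defaultdict(list)
    for e in events:
        img, par, cmd = _base(e["image"]), _base(e["parent"]), str(e["cmd"])
        if img == "taskkill.exe":
            kills[e["ppid"]].append(e)
        elif img in ("reg.exe", "regedit.exe") and re.search(r"\bimport\b|/s\b", cmd, re.I) and _user_writable(cmd):
            alerts.append(("reg_import_from_user_path", cmd))
        elif img in ("wscript.exe", "cscript.exe") and re.search(r"\.vbs\b", cmd, re.I) and _user_writable(cmd):
            alerts.append(("script_from_user_path", cmd))
        elif par == "wmiadap.exe" and img in ("java.exe", "javaw.exe"):
            alerts.append(("java_spawned_by_wmiadap", cmd))
    # A single taskkill is routine; several against security tools in a short
    # window from the same parent is the dropper's first move.
    for ppid, ks in kills.items():
        ks.sort(key=lambda e: e["ts"])
        span = (ks[-1]["ts"] - ks[0]["ts"]).total_seconds()
        if len(ks) >= burst_n and span <= window_s:
            targets = sorted({m.group(1).lower() for k in ks
                              for m in [re.search(r"/IM\s+(\S+)", str(k["cmd"]), re.I)] if m})
            alerts.append(("taskkill_burst",
                           f"{_base(ks[0]['parent'])} (pid {ppid}) killed {len(ks)} processes: {', '.join(targets)}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

The WMIADAP rule is deliberately narrow (Java children only) because the page describes exactly that parent/child pair; in a real deployment the parent image should be verified against the signed binary in System32\wbem so that a renamed dropper does not satisfy the rule.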

Now comes the moment of truth: we can see the real face of the malware attacking the banks’ clients. It’s a Java backdoor known as TrojWare.Java.JRat.E. Its purpose is to provide unauthorized remote access to the infected machines.

JAR package

As you can see in the screenshot, the JAR package contains an encrypted file, “mega.download”. Decrypted, it reveals the malware properties:

ywe data

What is left is to find out what’s hiding behind the “ywe.u” resource.

CONFIG file

Further on, we can extract and decrypt the malware .CONFIG file to discover its configuration options.

malware data

And here you go! We can now see that the malware connects to the attackers’ server at 185.148.241.60 to report the successful infection of a new victim and then waits for instructions from the perpetrators.

conversation filter

You must be wondering how exactly the malware harms the user. Like any backdoor, it enables covert access to the compromised machine and thus hands it over to the total control of the cybercriminals. They can steal information, add more malware, or use the infected machine to spread malware and attack other users all over the world.

“These are definitely more complicated attacks than they seem at first sight”, says Fatih Orhan, Head of the Comodo Threat Research Labs. “It’s not regular phishing to steal banking credentials but an effort to implant malware that gives the attackers total control of the infected machines for a long time, while victims might remain unaware of the fact that their computers are in the perpetrators’ hands.

Meanwhile, the perpetrators can covertly utilize the compromised machines in different ways for their multiple criminal purposes and profit. For example, initially they can steal credentials for a victim’s accounts. Then they can use an infected machine as part of a botnet to spread malware or conduct DDoS attacks on other users. Besides that, they can constantly spy on the victims’ activity.

Also, the scope of the attacks is impressive. It looks like the attackers tried to create a network of thousands of controlled computers for conducting multiple attacks around the world. I hate to think how many users would have been victimized if Comodo hadn’t stopped those attacks”.
Live secure with Comodo!

The heatmaps and IPs used in the attacks

Türkiye İş Bankası

The attack was conducted from IPs in Turkey, Cyprus, Spain, Malaysia, the Netherlands and the USA. It started on September 10, 2018 at 05:01:49 UTC and ended on September 10, 2018 at 07:10:10 UTC.

Türkiye İş Bankası

Top 5 IPs used in the attack (country, IP, number of emails)

TR 213.161.149.46 2260
TR 213.161.149.47 8957
TR 213.161.149.48 9256
TR 213.161.149.56 1043
US 67.210.102.208 336

Garanti Bankasi

The attack was conducted from IPs in Cyprus and the United Kingdom. It started on September 24, 2018 at 09:38:29 UTC and ended on September 26, 2018 at 11:01:10 UTC.

Garanti Bankasi

IPs used in the attack (country, IP, number of emails)

CY 93.89.232.206 184
GB 163.172.197.245 240

T.Halk Bankasi

The attack was conducted from IPs in Cyprus, the United Kingdom, Turkey, the United States and India. It started on September 24, 2018 at 10:28:06 UTC and ended on September 27, 2018 at 14:54:55 UTC.

T.Halk Bankasi

Top 5 IPs used in the attack (country, IP, number of emails)

US 67.210.102.208 629
CY 93.89.232.206 152
TR 185.15.42.74 36
US 172.41.40.254 24
TR 95.173.186.196 17


T.C. Ziraat Bankasi

The attack was conducted from IPs in Turkey and Cyprus. It started on September 05, 2018 at 12:55:50 UTC and ended on September 24, 2018 at 09:32:18 UTC.

T.C. Ziraat Bankasi

IPs used in the attack (country, IP, number of emails)

CY 93.89.232.206 105
TR 31.169.73.61 279

Yapi ve Kredi Bankasi

The attack was conducted from IPs in Turkey, South Africa and Germany. It started on September 25, 2018 at 09:54:48 UTC and ended on September 26, 2018 at 15:10:49 UTC.

Top 5 IPs used in the attack (country, IP, number of emails)

TR 31.169.73.61 374
TR 193.192.122.98 129
TR 194.27.74.55 26
TR 193.140.143.15 20
TR 193.255.51.105 10
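The sender tables above and the C2 address from the .CONFIG analysis are the campaign's network indicators. The following added example (my own code, not Comodo's) turns the tables exactly as printed into an IOC set, summing the counts for IPs that appear under more than one bank, and runs it over mail-gateway and egress-proxy log lines. The log lines are constructed for the example (postfix-style SMTP lines and a generic proxy line; 203.0.113.0/24 is documentation address space used for the benign entry).

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# The per-bank tables from the write-up, copied as printed (some IPs repeat).
SENDER_TABLES = """
TR 213.161.149.46 2260
TR 213.161.149.47 8957
TR 213.161.149.48 9256
TR 213.161.149.56 1043
US 67.210.102.208 336
CY 93.89.232.206 184
GB 163.172.197.245 240
US 67.210.102.208 629
CY 93.89.232.206 152
TR 185.15.42.74 36
US 172.41.40.254 24
TR 95.173.186.196 17
CY 93.89.232.206 105
TR 31.169.73.61 279
TR 31.169.73.61 374
TR 193.192.122.98 129
TR 194.27.74.55 26
TR 193.140.143.15 20
TR 193.255.51.105 10
"""
C2_IP = "185.148.241.60"  # from the decrypted .CONFIG, per the analysis above

# Constructed log lines; not real logs from the campaign.
LOG_LINES = [
    "Sep 10 05:02:11 mx1 postfix/smtpd[2231]: connect from unknown[213.161.149.47]",
    "Sep 10 05:02:14 mx1 postfix/smtpd[2231]: 7A3C1: client=unknown[213.161.149.47]",
    "Sep 10 05:30:02 mx1 postfix/smtpd[2240]: connect from mail.example.net[203.0.113.5]",
    "2018-09-10T05:20:31Z proxy CONNECT 10.0.0.23:51322 -> 185.148.241.60:1604 TCP",
]

_ROW = re.compile(r"^\s*([A-Z]{2})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s*$")
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_sender_tables(text: str) -> Dict[str, Tuple[str, int]]:
    """{ip: (country, total_emails)}; an IP listed under several banks is summed."""
    out: Dict[str, Tuple[str, int]] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        cc, ip, n = m.group(1), m.group(2), int(m.group(3))
        prev = out.get(ip)
        out[ip] = (cc, n + (prev[1] if prev else 0))
    return out


def build_ioc_set() -> Dict[str, str]:
    """Map each indicator IP to a human-readable label for triage output."""
    iocs = {ip: f"phishing sender ({cc}, {n} emails)"
            for ip, (cc, n) in parse_sender_tables(SENDER_TABLES).items()}
    iocs[C2_IP] = "jRAT C2 (from decrypted .CONFIG)"
    return iocs


def extract_ips(line: str) -> List[str]:
    """Dotted quads in a log line, validated (e.g. 999.1.1.1 is rejected)."""
    found: List[str] = []
    for cand in _IPV4.findall(line):
        try:
            found.append(str(ipaddress.IPv4Address(cand)))
        except ValueError:
            pass
    return found


def match_logs(lines: List[str], iocs: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """(line_number, ip, label) for every indicator hit, in log order."""
    hits: List[Tuple[int, str, str]] = []
    for no, line in enumerate(lines, 1):
        for ip in extract_ips(line):
            if ip in iocs:
                hits.append((no, ip, iocs[ip]))
    return hits


if __name__ == "__main__":
    for no, ip, label in match_logs(LOG_LINES, build_ioc_set()):
        print(f"line {no}: {ip} -> {label}")
```

The sender IPs are best used for triage of mail logs around the campaign dates rather than as a permanent block list: sending hosts in a campaign like this are often compromised machines or shared relays, and the counts show how concentrated the volume was (the three 213.161.149.x hosts alone account for most of the İş Bankası wave). The C2 address is the stronger indicator, since an egress connection to it from a workstation means the backdoor is already running.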

The post Massive Phishing Attacks Hit Turkish Banks Users. But … is it Just Phishing? appeared first on Comodo News and Internet Security Information.
