
TrojanSpy:Win32/BBSwift.A


First posted on 02 June 2016.
Source: Microsoft

Aliases:

There are no other names known for TrojanSpy:Win32/BBSwift.A.

Explanation:

Installation

A remote attacker deploys it to an already compromised system under the file name evtsys.exe.

The targeted system has SWIFT Alliance software installed, which handles SWIFT communication and transactions.

This threat registers itself as a service on the system and searches the running processes for the liboradb.dll module in order to patch it in memory.

This DLL is part of the SWIFT Alliance software and handles Alliance database functions such as start-up, backup, and restore.



Once the module is patched in memory, the malware can modify the database, because the patch bypasses the check that verifies the validity of authorizations performed during transactions.

It drops a file named %LOCALAPPDATA%\Allians\gpca.dat, an encrypted configuration file reported to contain a list of transaction IDs and C2 server information (196.202.xxx.174).

It also logs all of its activities, and the information it has harvested, in another file, %LOCALAPPDATA%\Allians\recas.dat.



Payload

Monitors SWIFT messages

It monitors SWIFT messages by looking for *.prc/*.fal files in the directories %LOCALAPPDATA%\Allians\mcm\in and %LOCALAPPDATA%\Allians\mcm\out and searching them for the keywords below, which are used to find valid SWIFT unique message IDs that reference transaction details:

  • 20: Transaction
  • FIN 900 Confirmation of Debit
  • Sender:

These unique transaction message IDs can later be deleted from the database, possibly to remove traces of the remote attacker's activity.

Runs SQL queries

This threat can run SQL queries against journal files related to logins and send the results back to its remote C2 server in order to steal login credentials.

These can be used to check how much convertible currency is available in an account, and can be changed at any time by the attacker to conceal past activity.

Monitor directories

This threat can monitor the following directories:

  • %LOCALAPPDATA%\Allians\mcp\in
  • %LOCALAPPDATA%\Allians\mcp\out
  • %LOCALAPPDATA%\Allians\mcp\unk
  • %LOCALAPPDATA%\Allians\mcs\nfzp
  • %LOCALAPPDATA%\Allians\mcs\nfzf
  • %LOCALAPPDATA%\Allians\mcs\fofp
  • %LOCALAPPDATA%\Allians\mcs\foff


It monitors these directories for the following substrings, which are bank-transaction strings relating to balances in the journals:
  • 64:00:00
  • : Debit
  • 19A: Amount
  • 20: Transaction
  • 60F:
  • 60M:
  • 62F:
  • 62M:
  • 90B: Price
  • ALI
  • Amount:
  • C
  • Credit
  • D
  • Debit
  • Debit/Credit:
  • FEDERAL RESERVE BANK
  • REFID:
  • RP Purchase
  • Sender:


Manipulate information sent to the printer

This threat can also manipulate the data sent to the printer in order to hide its malicious activity, by looking for SWIFT messages in *.prt files, a file format used by Printer Command Language (PCL).

These files are processed by nroff.exe, a component of the SWIFT software that Win32/BBSwift hijacks.

It also logs printer activity such as pages printed, success or failure to control the printer, the username for the print job, job ID, and priority.

When the malware finds these *.prt files, it overwrites them with NULL so that they are not processed for scheduled printing.
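The installation and printer sections above name several host artifacts a responder can look for: the dropped files %LOCALAPPDATA%\Allians\gpca.dat and recas.dat, and *.prt print jobs that have been overwritten with NULL. The following Python script is an added example for this page, not code from Microsoft or from the analysed sample. It assumes "overwritten with NULL" means a non-empty file consisting entirely of 0x00 bytes (an interpretation, not stated on the page), searches for *.prt files anywhere beneath the Allians folder because the page does not name their exact location, and builds a constructed sample %LOCALAPPDATA% tree so it runs offline on any operating system.

```python
"""Hunt for host artifacts described for TrojanSpy:Win32/BBSwift.A (added example)."""
import os
import tempfile
from pathlib import Path

# Dropped files named in the write-up, relative to %LOCALAPPDATA%.
DROPPED_FILES = ("Allians/gpca.dat", "Allians/recas.dat")
# Subtree the write-up associates with the malware; *.prt files are searched
# anywhere beneath it (assumption: the page does not give their exact folder).
WORK_SUBTREE = "Allians"


def is_nul_filled(path, chunk_size=65536):
    """Return True if the file is non-empty and every byte is 0x00.

    Interpretation of "overwritten with NULL"; reads in chunks so large spool
    files do not have to be loaded into memory at once.
    """
    if os.path.getsize(path) == 0:
        return False
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def hunt(local_appdata):
    """Return sorted (indicator, path) findings under a %LOCALAPPDATA% root."""
    root = Path(local_appdata)
    findings = []
    for rel in DROPPED_FILES:
        candidate = root / rel
        if candidate.is_file():
            findings.append(("dropped_file", str(candidate)))
    work = root / WORK_SUBTREE
    if work.is_dir():
        for prt in work.rglob("*.prt"):
            if prt.is_file() and is_nul_filled(prt):
                findings.append(("nul_filled_prt", str(prt)))
    return sorted(findings)


def hunt_local_host():
    """Run the hunt against the real %LOCALAPPDATA% of the current Windows user."""
    return hunt(os.environ["LOCALAPPDATA"])


def build_sample_tree():
    """Construct a sample %LOCALAPPDATA% tree; all contents are made up here."""
    base = Path(tempfile.mkdtemp(prefix="bbswift_demo_"))
    allians = base / "Allians"
    spool = allians / "mcm" / "out"
    spool.mkdir(parents=True)
    (allians / "gpca.dat").write_bytes(b"\x9a\x12constructed-opaque-config")
    (allians / "recas.dat").write_bytes(b"constructed log line\n")
    # A normal print job (constructed PCL-style text) and one blanked with NUL bytes.
    (spool / "job1.prt").write_bytes(b"\x1b%-12345X constructed PCL text\n")
    (spool / "job2.prt").write_bytes(b"\x00" * 4096)
    return base


if __name__ == "__main__":
    for indicator, path in hunt(build_sample_tree()):
        print(f"{indicator}: {path}")
```

On a live Windows host, call hunt_local_host() instead of the constructed tree; any nul_filled_prt finding together with the two dropped files matches the behaviour this page describes and is worth escalating.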



Analysis by: Marianne Mallen

Last update 02 June 2016
