Security analysts from Trend Micro Lab discovered a banking Trojan last month that was specifically targeting South Korean banks. While this may not appear to be especially newsworthy at first glance, a recent discovery about this class of banking Trojans is of much greater concern. Rather than communicate with C&C servers using conventional encryption protocols to avoid detection, TPSY_Banker.YYSI (as it has been dubbed by Trend Micro) uses Pinterest to communicate with C&C servers.
It also uses the popular social platform to redirect victims to spoofed sites containing drive-by downloads and various phishing techniques. Like so many other banking Trojans, TPSY_Banker works by redirecting victims to spoofed websites designed to look like specific financial institutions within South Korea. Unfortunately, these sites are not legitimate and all personal information is sent directly to the hackers responsible for this malware campaign.
What makes this attacka different, however, is that this is the first time a Trojan has spread itself exclusively through Pinterest – a dangerous trend that could easily be repeated in the United States (where there are approximately 30 million active Pinterest users).
At the time of this writing, multiple banks in South Korea have been identified as targets including Hana Bank, the Industrial Bank of Korea, Woori Bank, Shinhan Bank, Nonghyup Bank and the Consumer Finance Service Center. As previously mentioned, TSPY_Banker leverages Pinterest for its C&C routines. This is accomplished by accessing comments on Pinterest (rather than contacting a C&C server directly).
These special comments include spoofed IP addresses which are decoded by the malware and used to redirect victims to various phishing pages. This tactic has never been used before and makes it much more difficult to detect the Trojan on an infected system because the Web traffic looks like a user viewing a Pinterest page to anti-malware software. For example, one comment verified as being part of this malware infrastructure simply reads: DG8FV-B9TKY-FRT9J-6CRCC-XPQ4G 104A149B245C120D In this example, the last portion of the comment (104A149B245C120D) is actually an IP address to a phishing server page. To decode this message, simply replace letters with a “.” The result is the IP address 18.104.22.168 – a phishing server known to be associated with TSPY_Banker. Researchers have also learned that the malware uses two well-known exploits targeting Internet Explorer to deliver the malware.
These exploits, CVE-2014-0322 and CVE-2013-2551, have been patched by Microsoft by continue to be used by hackers because so many systems do not have the software patches that protect against these exploits.
Although the exploit code used in this attack is heavily obfuscated, researchers believe it to be similar to Sweet Orange, an exploit kit recently discussed on this blog. Although TSPY_Banker is targeting financial institutions in South Korea at this time, the success of the campaign thus far indicates that hackers targeting U.S. banks could begin using a similar tactic in the near future. This is especially true as more people log onto Pinterest every day and this attack could represent an entirely new way for malware to communicate with C&C servers whilst avoiding detection from most antivirus solutions.