Researchers at IBM Trusteer recently discovered a new banking Trojan which has been dubbed Tsukuba. This relatively simple but effective piece of financial malware belongs to the ‘proxy changers’ family, which uses social engineering techniques to harvest victims’ online banking credentials and other personal information. In a recent blog post about Tsukuba, the researchers explain that the malware operates using a three-part process.
First, Tsukuba is wrapped in a packer, a loader program that resists debugging and analysis by common antivirus tools. This packed payload is then distributed via ordinary spam campaigns. When a victim opens a spam email containing Tsukuba, the packer calls the CreateProcess API with a flag that starts the new process in a suspended state. This makes it difficult for Windows to detect the malicious installation, and it also makes it nearly impossible for security researchers to attach a debugger to Tsukuba while it is running.
This malware variant also disguises its communication with its command-and-control (C&C) servers and its downloads of additional files and components as they are needed. It does this by hijacking a legitimate Windows process (powershell.exe); by operating inside that process, Tsukuba further avoids detection by common anti-malware tools.
During installation, the malware also scans the target machine’s browser cookies for specific URLs of interest to the attackers behind the campaign. Installation of Tsukuba continues only if the infected PC contains URLs that the cybercriminals are actively targeting. This tactic also keeps the malware “under the radar,” because it does not complete the installation where there is nothing to gain, and that low profile makes it harder to detect. Finally, the malware registers a fake root certificate so that it can route the victim’s browsing through its own rogue proxy server to malicious pages. This is why Tsukuba is considered part of the proxy-changer family of malware.
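The proxy setting and the rogue root certificate described above are the two host artefacts a defender can audit for. The following PowerShell script is an added example (not code from the Trusteer research or from the original post); the vetted-thumbprint baseline and the 30-day lookback window are assumptions you would tune for your own fleet.

```powershell
# Added host audit for the two artefacts that define a 'proxy changer' (example code, not from
# the Trusteer write-up). Baseline thumbprints and the lookback window are assumptions.
function Get-ProxyChangerIndicators {
    [CmdletBinding()]
    param(
        # Thumbprints of root CAs already vetted on a clean reference machine (placeholder list).
        [string[]]$KnownRootThumbprints = @(),
        # Root CAs whose validity began within this many days are reported regardless of baseline.
        [int]$RecentDays = 30
    )
    $findings = @()

    # 1. WinINET proxy settings (used by IE/Edge and most Windows applications). A proxy changer
    #    sets ProxyServer or a PAC URL so that the victim's web traffic flows through its server.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer) {
        $findings += [pscustomobject]@{ Type = 'Proxy'; Detail = "ProxyServer=$($p.ProxyServer)" }
    }
    if ($p.AutoConfigURL) {
        $findings += [pscustomobject]@{ Type = 'PAC'; Detail = "AutoConfigURL=$($p.AutoConfigURL)" }
    }

    # 2. Trusted root stores. A rogue root lets the proxy intercept HTTPS to the victim's bank
    #    without browser warnings. Flag roots outside the baseline or added recently.
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        foreach ($c in (Get-ChildItem -Path $store -ErrorAction SilentlyContinue)) {
            $unknown = ($KnownRootThumbprints.Count -gt 0) -and ($KnownRootThumbprints -notcontains $c.Thumbprint)
            $recent  = $c.NotBefore -gt $cutoff
            if (-not ($unknown -or $recent)) { continue }
            $tags = @()
            if ($recent)  { $tags += 'recent' }
            if ($unknown) { $tags += 'not-in-baseline' }
            $findings += [pscustomobject]@{
                Type   = 'RootCA'
                Detail = "$store $($c.Thumbprint) '$($c.Subject)' NotBefore=$($c.NotBefore.ToString('yyyy-MM-dd')) [$($tags -join ',')]"
            }
        }
    }
    return $findings
}

# Example: supply the vetted thumbprints; anything else is listed for an analyst to review.
Get-ProxyChangerIndicators -KnownRootThumbprints @('<VETTED-THUMBPRINT-PLACEHOLDER>') |
    Format-Table -AutoSize -Wrap
```

Build the baseline by running the function on a known-clean machine and recording the thumbprints it lists; on an infected host the rogue root and the proxy entry then stand out as the only findings.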
What makes this variant so dangerous is that once the rogue proxy is active, the attackers control which IP addresses are allowed into the Trojan’s custom social engineering zones. In this case only Japanese IP addresses are admitted, and because users in that region are not accustomed to seeing Trojan attacks (compared with English-speaking countries), they are more likely to fall victim to the social engineering and phishing pages designed to steal their personal and financial data. That said, because victims can be targeted by IP address after first being filtered by browsing habits during installation, a similar technique could be nearly as effective in other countries, including the United States.
What Tsukuba demonstrates is that by carefully combining, in the “right” way, a number of techniques the PC security field considers antiquated, a powerful malware variant can be created that circumvents most anti-malware security measures and could be responsible for millions of dollars in potential losses.
The best way to protect yourself from Tsukuba is to keep your PC updated at all times and to avoid opening unsolicited emails, which could carry a Tsukuba payload. Also, refrain from providing any personal or financial data via a Web browser, as the request could be part of a social engineering scam designed to hijack your personal data. Remember that your bank or other financial institution will never ask for passwords, account numbers, or similar information, because the legitimate institution already has this information on file.