The Websense® ThreatSeeker® Network has detected that a FOREX trading website was injected with a malicious Java applet, which could install malware on the affected systems of the site's users. FOREX is the foreign exchange market where international currencies are traded, and nowadays, it's used by millions of people around the world.
The targeted website is a popular FOREX website called "Trading Forex," located at hxxp://tradingforex.com. One of the questions that is raised when encountering such a compromise is whether some cybercriminal shift their focus from mainstream online money management systems of banks and stock exchanges to "easier wins" with online systems and services that are likely to be less mature from a security perspective. Another interesting fact is that the dropped backdoor at Trading Forex is written in Visual Basic.Net and requires the Microsoft's .NET framework to be successfully installed and operational on the victim's computer.
Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine).
At Websense Security Labs™ we are used to seeing this kind of injection, based on malicious Java applets trying to exploit Java vulnerabilities, and we have blogged about them several times. In this case, however, investigating the malicious JAR file brought up some interesting details. The malicious code has been injected in the bottom of the page, as shown better here:
At this time the website hxxp://libertyresarve.info seems to be active, however in the latest days we seen that sometimes was turned off although was still possible retrieve the content through the Google cache. We can also be sure that it has been used for typosquatting activities against the real Libertyreserve (the virtual currency organization) website as shown below:
The message in red which has appeared on that Web page is a clear attempt to convince users to load the malicious Java applet in some way. Below is the real content of Libertyreserve.com:
At first glance, the JAR file seems to be written not to exploit Java vulnerabilities, but just to load a binary file hosted at "hxxp://www.libertyresarve.info":
Basically the Java code is just another Java loader which requires user interaction to successfully load the binary file "123.exe". One interesting point in the screenshot above is that we can also see in the MANIFEST-INF that the Java applet has been signed with a certificate. Trying to evaluate the certificate validity with the tool "jarsigner" (included in the Java SDK) shows that the certificate expired on 5 October 2011, but the applet was signed on 7 July 2011:
Due to the expiration of the certificate, it is possible to get the reasons why this JAR file has been considered as suspicious from the details of the usual Java warning message:
By clicking on the details offered by the Java plugin alert, it is possible, as shown, to retrieve the issues related to this untrusted Java applet. This is a mitigation for the success of the attack, but is also true that due to the kind of users on this website, maybe that they are inclined to accept this malicious JAR due to a potentially false sense of security and trustability. Another interesting viewpoint has been found in the associated binary file. The detection of this file still seems low, as reported here:
However, we tried submitting the executable file "123.exe" to Websense ThreatScope™ with the following result:
From the full analysis reported here, it has been detected that the C&C called by the malware is "hxxp://firestormm6t.no-ip.info" and seems to be associated with the IP address 188.8.131.52:
The file "123.exe" seems to be a ".NET" file probably written using C#. From deep analysis of the network traffic, it is possible to retrieve the exchanged packets between an infected system and the C2 (reported above) . It is easy to see that at least for the network activity detected, all the information is encoded using a plain BASE64 encoding. For example, the following screenshot reports the first request from the infected system to the C&C:
The screenshot above shows the exchange of data between the infected system (in blue) and the C&C (in red). In this case, decoding one of the BASE64 strings enables us to understand that all the BASE64 strings above are the strings reported in the open windows on the desktop of the infected systems. So for example:
Once decoded it became:
That is the caption of the Wireshark windows we used to get the traffic. We also detected other functions, such as the screenshots of the desktop taken by the malware. Below, it is possible to recognize the JPEG marker ("JFIF") and the keyword "CAP" which is without doubt the short form for "CAPTURE:"
The binary file, as mentioned above, seems to be written using the .NET Framework using Visual Basic .NET . By opening the the .NET disassembler "ILSpy" (an open source .NET disassembler powerful and robust enough to obtain not only the .net opcode but also the high-level language behind the .NET applications), it has been possible to detect the main functions with the list of the commands used to exchange information and data between the C&C and the impacted systems. For example, the function "Init" is the first function called to collect the basic information from the systems on which the executable file is run:
The char "l" and the char "v" are the command init sent by the malware at the first execution, as discovered by the captured network traffic. It is also possible to detect other commands such as the check of the Service Pack (command "SP"):
Or for example the function which is able to detect the keys pressed by the user after pressing Enter (command "[ENTER]"):
There are also other features such as the detection of the CPU architecture (32 or 64 bit), functions to locate files by dates, and more. At first glance this malware seems very well written, and it uses an interesting obfuscation mechanism to retrieve and store the data required.