Behind MultiBanker, what the security industry doesn’t tell you and its money mule network

MultiBanker (also called Patcher, BankPatch/BankPatcher) is a nasty banking Trojan that has been around since early 2007. It is a very targeted banking Trojan, as it is developed and used by one single group only, and they only target specific countries (mainly Austria and Germany) and specific banks. As they only have a couple of thousand infected machines, their botnet does not raise big alarms and does not make it into the news. This goes so far that the MultiBanker C&C only responds to IP addresses from Europe, which in turn makes it automatically uninteresting for American anti-virus companies to investigate or handle.

The Trojan has its main component (appconf32.exe, stored in %AppData%) and several plugins which are specific to the installed software (browser) and the visited websites. For banks it has special plugins (technically BHOs) that allow exchanging the account number of online banking transactions on the infected machine, effectively stealing the money out of the victim's bank account.

Connecting to the Command & Control Server

There are a lot of things that do not match the other man-in-the-browser Trojans such as ZeuS, Citadel and SpyEye. Instead of having a fixed domain (or a list of them) for connecting to its command & control server, each sample has an initial domain and uses a domain generation algorithm (DGA) to generate the next ones (it is always the first 4 characters that are altered). While the C&C IP address stays the same for some time (several weeks), the domain changes nearly daily. For researchers unaware of this algorithm and technique this makes it very difficult to trace and also to blacklist. Several other things make researching more tricky, for example it only downloads its plugins 24 hours after infection.

Here are, for example, the domains and the IP of the C&C from the past days:

    3/18/2013   vhngedsafe.com      103.8.27.39
    3/19/2013   uuzledsafe.com      103.8.27.39
    3/20/2013   yypkedsafe.com      103.8.27.39
    3/21/2013   bjinedsafe.com      103.8.27.39
    3/22/2013   hlhredsafe.com      103.8.27.39

Our Virus Tracker system checks every day whether the 129.564 potential domains are active or expired and classifies them all (check out the previous blog post). We use Google's DNS servers for the requests; thanks, Google, for not limiting the access! Below is the detailed listing of the possible domains in the DGA with the domain ending. Usually they pick a new domain ending every few months. There are more, older, botnets; however, they are inactive.

    XXXXedsafe.com          15372 possible domains
    XXXXhuxmiax.com         15372 possible domains
    XXXXierihon.com          2196 possible domains
    XXXXtomvader.com        15372 possible domains
    XXXXednog.com           15372 possible domains
    XXXXapontis.com         15372 possible domains
    XXXXefnomosk.com         2196 possible domains
    XXXXdminmont.com        15372 possible domains
    XXXXesroater.com        15372 possible domains
    XXXXggelds.com           2196 possible domains
    XXXXmobama.com          15372 possible domains
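As an added example (not code from the original post or from Virus Tracker), here is how the DGA listing above can be turned into a detection rule over resolver logs: a name is flagged when its first four characters precede one of the eleven endings, and the answer address is labelled using the two addresses this post mentions (103.8.27.39 as the C&C, 82.165.25.210 as the sinkhole). It assumes the four variable characters are lowercase letters, as in every sample on this page; the log lines and the 198.51.100.x addresses are constructed.

```python
import re
from collections import Counter

# DGA endings listed in this post; the first four characters of each name vary.
MULTIBANKER_SUFFIXES = (
    "edsafe.com", "huxmiax.com", "ierihon.com", "tomvader.com", "ednog.com",
    "apontis.com", "efnomosk.com", "dminmont.com", "esroater.com", "ggelds.com",
    "mobama.com",
)
# Assumption: the four variable characters are lowercase letters, as in every
# sample on this page (the post does not give the DGA alphabet).
_DGA_RE = re.compile(r"^[a-z]{4}(?P<suffix>"
                     + "|".join(map(re.escape, MULTIBANKER_SUFFIXES)) + r")$")
# Addresses this post associates with the botnet; anything else is "unknown".
KNOWN_IPS = {
    "103.8.27.39": "c2",          # C&C address seen 3/18/2013 - 3/22/2013
    "82.165.25.210": "sinkhole",  # sinkhole run by a German hosting company
}

def classify_domain(domain):
    """Return the DGA ending a name matches, or None for a non-MultiBanker name."""
    # Lowercase and drop a trailing dot so 'ABCDedsafe.com.' still matches.
    m = _DGA_RE.match(domain.strip().lower().rstrip("."))
    return m.group("suffix") if m else None

def scan_resolver_log(lines):
    """Scan 'client qname answer_ip' lines; return (hits, hit count per ending)."""
    hits, per_suffix = [], Counter()
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines instead of aborting the scan
        client, qname, answer = parts[0], parts[1].lower().rstrip("."), parts[2]
        suffix = classify_domain(qname)
        if suffix is None:
            continue
        per_suffix[suffix] += 1
        hits.append((client, qname, KNOWN_IPS.get(answer, "unknown")))
    return hits, per_suffix

# Constructed resolver log for the demonstration; not real traffic.
SAMPLE_LOG = [
    "10.0.0.12 vhngedsafe.com 103.8.27.39",
    "10.0.0.12 yyqbierihon.com 82.165.25.210",
    "10.0.0.7  www.example.com 198.51.100.1",
    "10.0.0.7  ABCDedsafe.com. 198.51.100.9",
    "10.0.0.9  notedsafe.com 198.51.100.9",  # three-letter prefix: no match
]
```

The eleven counts in the listing add up to 129.564 (8 × 15372 + 3 × 2196), which is exactly the daily total of domains the Virus Tracker check covers.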

Interestingly, right now, a few days after doing an intensive investigation of the MultiBanker botnet, there is no C&C up and running. It could be a coincidence, or the criminals recognized our activities.

Who else is involved?

When researching a particular botnet or Trojan it's always interesting to know who else is looking at the things you are looking at. For MultiBanker, we have the following parties:

Other than that, it has not attracted much attention from other parties in the anti-virus and security industry (for the reason mentioned in the first paragraph). This article should create a little bit more awareness of what is going on behind the scenes.

Sinkhole server by our colleagues

When we investigate a potential C&C there are a couple of questions to answer. Is it still active? Is it a sinkhole server? Sinkholes are usually passive servers that just log the requests in order to subsequently generate statistics (as done on http://virustracker.info/). You just have to register a domain that is used by the bot; this can be a backup domain, an expired one or a DGA-generated one.

What you can technically do on a sinkhole server is respond with a valid message to the infected machine, which usually makes the infected machine stick to your server. Or in other words: the criminals lose a bot. If you do that with every bot, well, you take over the entire botnet! As this would raise alarms with the criminals, they would implement counter-measures (e.g. blacklisting of sinkholed domains), and it would be counter-productive because at the same time the criminals would be alerted that someone is snooping around.

We picked a random sinkhole domain and modified a sample to use it as C&C instead of the hard-coded one:

    yyqbierihon.com     82.165.25.210    Sinkhole by a German company

We were more than surprised to see that their server actually returns a valid message (!).

The returned message from the C&C/sinkhole makes the bot return the stolen data. In the screenshot you can see the stolen cookie belonging to Peter Kleissner, CEO of K&A, going to the server operated by the German company. Not nice.


At this point we will leave any conclusions open regarding the legality of instructing infected machines to send stolen data. However, we strongly discourage such behavior and think it is counter-productive.

Protecting against sinkholes

As mentioned, the easiest and most effective way is blacklisting the sinkholes. In fact, the MultiBanker C&Cs distribute a blocklist to their infected machines, although this blocklist is currently not maintained. In the first place (before blacklisting) you have to detect and know the sinkholes. As an example, this is a sinkhole server (NS, domain, IP):

    NS          ns1.torpig-sinkhole.org
    Domain      ieqgapontis.com
    IP          82.165.25.210
    Owner       Sinkhole by 1&1 Internet AG

What you can do now is blacklist either the NS (which would be very generic), the IP address or the domain. Unfortunately, due to an (intentionally?) broken DNS implementation, the NS cannot always be queried for this sinkhole. Therefore the next point (layer) of detection would be the IP level. Here is example code that we use ourselves during the domain classification on Virus Tracker:

    #include <windows.h>
    #include <windns.h>
    #pragma comment(lib, "dnsapi.lib")
    /* IPv4 address in the byte order the DNS API stores it (network order in a DWORD) */
    #define Ip2Ulong(a,b,c,d)       ((DWORD)(a) + ((DWORD)(b) << 8) + ((DWORD)(c) << 16) + ((DWORD)(d) << 24))

    int IsSinkholeByGermanCompany(char * Domain)
    {
        PDNS_RECORDA DnsRecord = NULL, Current;
        int Result = 0;

        /* Bypass the local cache so a stale answer does not hide a change of the sinkhole address */
        if (DnsQuery_A(Domain, DNS_TYPE_A, DNS_QUERY_BYPASS_CACHE, NULL, (PDNS_RECORD *)&DnsRecord, NULL) != DNS_ERROR_RCODE_NO_ERROR)
            return 0;

        /* Walk all returned A records instead of only the first one */
        for (Current = DnsRecord; Current != NULL; Current = Current->pNext)
            if (Current->wType == DNS_TYPE_A && Current->Data.A.IpAddress == Ip2Ulong(82,165,25,210))
                Result = 1;

        /* The record list is allocated by the DNS API and must be released by the caller */
        DnsRecordListFree((PDNS_RECORD)DnsRecord, DnsFreeRecordList);
        return Result;
    }

Before anyone now comes up with the opinion that this would help any criminal: these are just a few lines, no rocket science. Banking Trojans are much more complex, and in the cases of MultiBanker and Sinowal they already feature such a blacklist capability.

The money mule network

As mentioned initially, MultiBanker has the ability to steal money by exchanging the beneficiary's account number on bank transactions. Once the computer is infected, it is a piece of cake to inject malicious code into the browser process, which then parses the internet traffic and manipulates and exchanges the "right" fields where necessary.

Committing a crime is easy; getting away with it is not. What happens in 100% of the cases is that the account owner detects the money loss and reports it to his/her bank and the police. In practically all cases the money is in fact gone (transacted); that is how online banking works (at the latest on the value date, which is usually 1-2 business days after initiating the transaction). Though gone does not mean that you or the police cannot afterwards claim the money back from the money mule; it is then just a legal question rather than a bank-technical-transaction one.

For obvious reasons the criminals cannot send the money directly to their own bank accounts (they would immediately get caught and arrested). What they do is recruit people under false pretenses to provide bank accounts, pick up the money and send most of it onwards through Western Union. There the money trail stops, as the money goes to countries such as Russia or African states, and the identities of the people picking up the money on the other end are usually faked. People can be tricked into getting involved in this money laundering scheme by thinking they would easily get money; they are enticed by being told they can keep 10%-20% as their salary.

We were checking the domains used by the MultiBanker people, and one particular domain, zia-gruppe.com, did not fit into the DGA scheme. A short lookup reveals that it is being used in an email spam campaign to recruit money mules:

    Employees wanted: Work for you! Well-paid work
    We offer you the opportunity to earn money very easily. It can be combined with other employment!
    Work in our company will not take up more than 2-3 hours per day, 1-2 times per week, in your schedule.
    Short description of the activity:

    1. We transfer between 3000 and 8000 euros to your bank account.
    2. After the money arrives, you withdraw it.
    3. You have already earned 20 % of the transferred amount! You keep 600-1600 euros for yourself!
    4. You forward the remaining amount to us.

    Amount and number of transfers are agreed in advance and can be whatever you wish. This activity
    is absolutely legal and does not violate any laws of Germany or the EU. If you are interested in our offer, let us
    know via the following e-mail address: de@zia-gruppe.com. We will contact you as soon as possible and answer
    all questions. Hurry, the number of job offers is limited! We took your e-mail address from open sources.
    We apologise if our e-mail has disturbed you. If you would like to remove your e-mail address from our
    mailing list, send an empty e-mail to the following e-mail address: del@zia-gruppe.com

The original text is in German, but these are the basic proposed conditions:

  • The criminals wire you 3000 EUR to 8000 EUR and you withdraw it
  • You can keep 20% as salary
  • You send the rest via Western Union, Paysafecard or Ukash
  • Work is only 2-3 hours/day and 1-2 days/week

We found the following email addresses being used. They suggest that some kind of DGA is used here too (one scheme is de@XXXY-gruppe.com).


A subsequent email from the MultiBanker people (to a potential recruited money mule) with more information on this “work” is published at http://www.konsumer.info/?p=25181.

Active money mule network

Nearly all of the previously mentioned emails were active in August, September and October 2012. However, we found the following still-active domains. You can probably still write to the MultiBanker people by sending your application to "de@keri-group.com".

All of them are hosted on 37.9.54.245 in Russia. As you can see in the screenshot, the website asks for a user id and password; however, it remains unclear whether there is a real portal behind it or not.

[Screenshots: HK Finanzgruppe, Keri Group]

Conclusion

The MultiBanker gang has been around since 2007 already, and they know how to do their job. They know how to stay under the radar and keep attention off themselves. As they automatically change the C&C domain every day, keeping track of the domains requires automated systems. With Virus Tracker we have such a system: we see all the used domains, and if there is any change we are the first ones after the criminals to know.

The next step would be a real police investigation, seizing and requesting all the records from the hosting, domain and email providers. It only requires one IP record where the criminals failed to use a VPN (for example if the VPN disconnects and the person does not realize it immediately) to trace them back. Or maybe one VPN provider then has enough information (payment credit cards, ...) to trace them back. The issue is not a lack of technical possibilities; it's a lack of interest (+ awareness + knowledge) by the authorities in this case.