ESET Uncovers Apache Malware Targeting Online Banking
SAN DIEGO, Dec. 19, 2012 /PRNewswire/ — Online banking customers are at risk from the latest malicious software uncovered by researchers at ESET, the global leader in proactive digital protection with a 25 year track record of developing award-winning technology.
Analysis of a malicious Apache module, detected by ESET as Linux/Chapro.A, found that the world’s most widely used web server, Apache, is being used to carry out these attacks, injecting malicious content into web pages served by an infected Linux server, without the knowledge of the website owner. Although the malware can serve practically any type of content, in this specific case it installs a variant of Win32/Zbot, malware designed to steal information from online banking customers. While this particular version of Win32/Zbot targets European and Russian banking institutions, Linux/Chapro.A could eventually be used to mount attacks on American banks.
“The attack described in the present analysis shows the increased complexity of malware attacks,” said Pierre-Marc Bureau, ESET security intelligence program manager. “This complicated case spreads across three different countries, targeting users from a fourth one, and making it very hard for law enforcement agencies to investigate and mitigate its effects.”
The malicious module has a couple of interesting capabilities used to reduce its chances of being spotted by system administrators, like setting cookies on the victim’s machine and hiding from web browsers in which it might produce an error. ESET researchers first discovered Linux/Chapro.A in November. The exploit was first blocked by ESET through generic detection, even before the link was added to the URL blacklist. At the time of the analysis, the malicious command and control server was being hosted in Germany, but has recently gone offline.
Based on ESET’s analysis, the iframe injected by Linux/Chapro.A points to a “Sweet Orange” exploit pack landing page.
“At the time of our analysis, the exploit pack was being hosted in Lithuania. The pack tries to exploit several vulnerabilities found in modern web browsers and plugins,” said Bureau. “Our investigation reveals, the final purpose of the attack is to install a variant of Win32/Zbot, also known as ZeuS. For many years, ZeuS has been widely used to steal banking related information.”
Once the user has logged into his account, the malware will inject a pop-up asking for the user’s CVV code. The malware will then try to send the user credentials along with the CVV to the botnet operator. While the ESET research team has not witnessed any other installations of Linux/Chapro.A in the wild, it has observed thousands of users accessing the “Sweet Orange” exploit pack before ESET blocked access to this server with their products.
For more information, please visit the ESET Threat Blog: Malicious Apache module used for content injection: Linux/Chapro.A
ESET is on the forefront of security innovation, delivering trusted protection to make the Internet safer for businesses and consumers. IDC has recognized ESET as a top five corporate anti-malware vendor and one of the fastest growing companies in its category. Trusted by millions of users worldwide, ESET is one of the most recommended security solutions in the world. ESET NOD32 Antivirus consistently achieves the highest accolades in all types of comparative testing, and powers the virus and spyware detection in ESET Smart Security, ESET Cybersecurity for Mac, ESET Endpoint Security and ESET Endpoint Antivirus. ESET has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Sao Paulo (Brazil) and Prague (Czech Republic). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Kosice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia), and an extensive partner network for 180 countries. For more information, visit http://www.eset.com/us or call +1 (619) 876-5400.