
An immense wave of phishing attacks hit the users of major banks in Turkey. Poisoned emails dropped into users’ inboxes to covertly penetrate their computers and give the attackers total control over anyone unlucky enough to take the perpetrators’ bait. Carrying sophisticated, hard-to-detect malware, the phishing waves were sent from many countries around the world but were stopped by Comodo resources.

The emails: deception knocking at your inbox

The phishing emails imitated various messages from major Turkish banks — Türkiye İş Bankası, Garanti Bankasi, T.Halk Bankasi, Yapi ve Kredi Bankasi, T.C. Ziraat Bankasi.

501 emails were disguised as messages from Türkiye İş Bankası, the first and largest bank in Turkey. The message in the screenshot below, in Turkish, means “5406 ** ** 9306 dated September 10, 2018, is attached to the details of your Credit Card statement”.

[Screenshot: phishing email imitating Türkiye İş Bankası]

Another 424 emails imitated Garanti Bankasi messages…

[Screenshot: phishing email imitating Garanti Bankasi]

… and 865 pretended to be an email from T. Halk Bankasi A.S.

[Screenshot: phishing email imitating T. Halk Bankasi A.S.]

…619 emails mimicked Yapi ve Kredi Bankasi

[Screenshot: phishing email imitating Yapi ve Kredi Bankasi]

… and another 279 wore the mask of T.C. Ziraat Bankasi.

[Screenshot: phishing email imitating T.C. Ziraat Bankasi]

All the emails contain a “debt” or “credit card statement” message to lure users into opening the attached files. Of course, the files contained malware. But of what kind?

The malware: opening the door for the enemy
Actually, all the emails carried two types of malware files: .EXE and .JAR. Below is the analysis of the .JAR file conducted by Comodo Threat Research Labs analysts.

[Screenshot: malware .JAR file]

Let’s see how this sneaky malware can harm users if they run it.
Firstly, it tries to detect and terminate security applications running on the target machine. It calls taskkill multiple times with a long list of executables from various vendors. Then it drops a .reg file and imports it into the registry.

[Screenshot: malware .EXE file]

This changes the Attachment Manager settings to allow running executable files received from the Internet without any warning, disables Task Manager and alters the IFEO (Image File Execution Options) registry keys of security applications.

[Screenshot: malware text file]

Next, it creates an installation ID and writes it to a text file in a randomly generated path. The attackers use this ID to identify the infected machine.

[Screenshot: VBS files]

After that, it drops and runs two VBS files to detect the antivirus and firewall installed on the system.

[Screenshot: startup key]

Then it adds a startup key so that it runs on every restart. The autorun value is added for the current user only, so no alarming UAC prompt appears. It is then launched from the new location.
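The registry changes described above (the Attachment Manager and Task Manager policies, IFEO entries for security products, and the per-user Run key) are all visible in a .reg export, so a defender can flag them before or after import. The detector below is an added example, not part of the original analysis: the .reg content and the name example_av.exe are constructed to mirror the described behaviour, and the campaign’s actual .reg file is not reproduced on this page.

```python
# Constructed sample modelled on the behaviour described in the write-up;
# this is NOT the campaign's .reg file (which is not reproduced on the page).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example_av.exe]
"Debugger"="svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\victim\\AppData\\Roaming\\x\\x.jar\""
"""


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from a Windows .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys


def find_suspicious(keys):
    """Flag the four kinds of change the malware makes; returns a list of findings."""
    findings = []
    for path, values in keys.items():
        p = path.lower()
        # SaveZoneInformation=1 stops mark-of-the-web being kept, so no download warnings
        if p.endswith("policies\\attachments") and values.get("SaveZoneInformation") == "dword:00000001":
            findings.append("attachment manager: zone information no longer saved (" + path + ")")
        if p.endswith("policies\\system") and values.get("DisableTaskMgr") == "dword:00000001":
            findings.append("Task Manager disabled (" + path + ")")
        # An IFEO Debugger value silently redirects the named executable to another program
        if "\\image file execution options\\" in p and "Debugger" in values:
            findings.append("IFEO Debugger set for " + path.rsplit("\\", 1)[-1] + " -> " + values["Debugger"])
        # Per-user Run key needs no UAC prompt, as the write-up notes
        if p.endswith("currentversion\\run"):
            for name, data in values.items():
                if ".jar" in data.lower():
                    findings.append("HKCU Run entry '" + name + "' launches a JAR: " + data)
    return findings


def scan(text):
    return find_suspicious(parse_reg(text))
```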

[Screenshot: JAR file]

Executed from the new location or upon system restart, it drops another .JAR file, “_0.<random_number>.class”, into the Temporary folder and runs it.

[Screenshot: WMIADAP application]

Significantly, the .JAR is launched via the WMIADAP application. As this is a Windows component, some security software may allow its execution without any restriction: one more trick to bypass protection.

Now comes the moment of truth: we can see the real face of the malware attacking the banks’ clients. It is a Java-written backdoor known as TrojWare.Java.JRat.E. Its purpose is to provide unauthorized remote access to the infected machines.

[Screenshot: JAR package]

As you can see in the screenshot, the JAR package contains an encrypted file, “mega.download”. Decrypted, it reveals the malware properties:

[Screenshot: ywe data]

What is left is to find out what is hiding behind the “ywe.u” resource.

[Screenshot: CONFIG file]

Next, we can extract and decrypt the malware’s .CONFIG file to discover its configuration options.

[Screenshot: malware data]

And here we go: we can now see that the malware connects to the attackers’ server at 185.148.241.60 to report the successful infection of a new victim and then waits for instructions from the perpetrators.

[Screenshot: conversation filter]

You may be wondering how exactly the malware harms the user. Like any backdoor, it enables covert access to the compromised machine and thus hands it over to the total control of the cybercriminals. They can steal information, add more malware, or use the infected machine to spread malware and attack other users all over the world.

“It’s definitely a more complicated attack than it seems at first sight,” says Fatih Orhan, Head of the Comodo Threat Research Labs. “It’s not regular phishing to steal banking credentials but an effort to implant malware that gives the attackers total control of the infected machines for a long time, while victims might remain unaware of the fact that their computers are in the perpetrators’ hands.

Meanwhile the perpetrators can covertly utilize the compromised machines in different ways for their multiple criminal purposes and profit. For example, initially they can steal credentials for a victim’s accounts. Then they can use an infected machine as part of a botnet to spread malware or conduct DDoS attacks on other users. Besides that, they can constantly spy on the victims’ activity.

Also, the scope of the attacks is impressive. It looks like the attackers tried to create a network of thousands of controlled computers for conducting multiple attacks around the world. I hate to think how many users would have been victimized if Comodo hadn’t stopped those attacks.”

Live secure with Comodo!

The heatmaps and IPs used in the attacks

Türkiye İş Bankası

The attack was conducted from IPs in Turkey, Cyprus and the USA. It started on September 10, 2018 at 05:01:49 UTC and ended on September 10, 2018 at 07:10:10 UTC.

[Heatmap: Türkiye İş Bankası]

The IPs used in the attack


Garanti Bankasi

The attack was conducted from IPs in Cyprus and the United Kingdom. It started on September 24, 2018 at 09:38:29 UTC and ended on September 26, 2018 at 11:01:10 UTC.

[Heatmap: Garanti Bankasi]

The IPs used in the attack

Country  IP address       Count
CY       93.89.232.206    184
GB       163.172.197.245  240

T.Halk Bankasi

The attack was conducted from IPs in Cyprus, the United Kingdom, Turkey, the United States, and India. It started on September 24, 2018 at 10:28:06 UTC and ended on September 27, 2018 at 14:54:55 UTC.

[Heatmap: T.Halk Bankasi]

Top 5 of the IPs used in the attack

Country  IP address       Count
US       67.210.102.208   629
CY       93.89.232.206    152
TR       185.15.42.74     36
US       172.41.40.254    24
TR       95.173.186.196   17


T.C. Ziraat Bankasi

The attack was conducted from IPs in Turkey and Cyprus. It started on September 05, 2018 at 12:55:50 UTC and ended on September 24, 2018 at 09:32:18 UTC.

[Heatmap: T.C. Ziraat Bankasi]

The IPs used in the attack

Country  IP address       Count
CY       93.89.232.206    105
TR       31.169.73.61     279

Yapi ve Kredi Bankasi

The attack was conducted from IPs in Turkey, South Africa, and Germany. It started on September 25, 2018 at 09:54:48 UTC and ended on September 26, 2018 at 15:10:49 UTC.

Top 5 IPs used in the attack

Country  IP address       Count
TR       31.169.73.61     374
TR       193.192.122.98   129
TR       194.27.74.55     26
TR       193.140.143.15   20
TR       193.255.51.105   10