An immense wave of phishing attacks hit the customers of major banks in Turkey. Malicious emails dropped into users’ inboxes to covertly compromise their computers and give the attackers total control over anyone unlucky enough to take the perpetrators’ bait. Carrying sophisticated and hard-to-detect malware attachments, the phishing waves were sent from many countries around the world but were stopped by Comodo resources.
The emails: deception knocking at your inbox
The phishing emails imitated various messages from major Turkish banks — Türkiye İş Bankası, Garanti Bankasi, T.Halk Bankasi, Yapi ve Kredi Bankasi, T.C. Ziraat Bankasi.
501 emails were disguised as messages from Türkiye İş Bankası, the first and largest bank in Turkey. The message shown in the screenshot below, in Turkish, means “5406 ** ** 9306 dated September 10, 2018, is attached to the details of your Credit Card statement”.
Another 424 emails imitated Garanti Bankasi messages,
865 pretended to be emails from T. Halk Bankasi A.S.,
619 mimicked Yapi ve Kredi Bankasi,
and another 279 wore the mask of T.C. Ziraat Bankasi.
All the emails carried a “debt” or “credit card statement” message to lure users into opening the attached files. Of course, the files contained malware. But of what kind?
The malware: opening the door for the enemy
In fact, all the emails carried two types of malware file: .EXE and .JAR. Below is the analysis of the .JAR file conducted by Comodo Threat Research Labs analysts.
Let’s see how this sneaky malware harms users who run it. First, it tries to detect and terminate security applications running on the target machine: it calls taskkill multiple times with a long list of executables from various vendors. Then it drops a .reg file and imports it into the registry.
This changes the Attachment Manager settings to allow executable files received from the Internet to run without any warning, disables Task Manager, and alters the IFEO (Image File Execution Options) registry keys of security applications.
Next, it creates an installation ID and writes it to a text file at a randomly generated path. The attackers use this ID to identify the infected machine.
After that, it drops and runs two VBS files to enumerate the antivirus and firewall installed on the system.
Then it adds a startup key so that it runs on each restart. The autorun value is added for the current user only, so no alarming UAC prompt appears. It then launches itself from the new location.
Whether executed from the new location or after a system restart, it drops another .JAR file, “_0.<random_number>.class”, into the Temp folder and runs it.
Significantly, the .JAR is launched via the WMIADAP application. Because WMIADAP is a Windows component, some security software may allow its execution without restriction: one more trick to bypass protection.
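As an added example (not part of the Comodo write-up), the following read-only PowerShell audit checks a suspect machine for the registry changes described above: the Attachment Manager policy, the Task Manager lockout, IFEO hijacks, and the per-user Run entry. The key paths are standard Windows policy locations; the process-name pattern used to flag Run entries is an assumption.

```powershell
# Added audit script (not from the Comodo write-up). Read-only: it reports the
# registry changes described above without modifying anything.
$findings = @()

# 1. Attachment Manager. SaveZoneInformation=1 stops Windows recording the
#    Internet zone on downloads; an .exe listed in LowRiskFileTypes is opened
#    without the security warning. Both are documented policy values.
$attach = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'
if ((Get-ItemProperty $attach -ErrorAction SilentlyContinue).SaveZoneInformation -eq 1) {
    $findings += "Attachment Manager: SaveZoneInformation=1 under $attach"
}
$assoc = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
$lowRisk = (Get-ItemProperty $assoc -ErrorAction SilentlyContinue).LowRiskFileTypes
if ($lowRisk -match '(?i)\.(exe|jar|vbs)') {
    $findings += "Attachment Manager: executable types marked low risk: $lowRisk"
}

# 2. Task Manager disabled for the current user.
$sys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-ItemProperty $sys -ErrorAction SilentlyContinue).DisableTaskMgr -eq 1) {
    $findings += "Task Manager disabled: DisableTaskMgr=1 under $sys"
}

# 3. IFEO: a 'Debugger' value redirects every launch of the named executable.
#    Legitimate entries are rare, so list them all for review.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger set for $($_.PSChildName): $dbg" }
}

# 4. Per-user Run key (writable without a UAC prompt). Flag entries that launch
#    Java, wmiadap.exe, or a .jar/.class file; this pattern is an assumption.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$entries = Get-ItemProperty $run -ErrorAction SilentlyContinue
if ($entries) {
    $entries.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
        if ($_.Value -match '(?i)(javaw?\.exe|wmiadap|\.jar\b|\.class\b)') {
            $findings += "HKCU Run entry '$($_.Name)': $($_.Value)"
        }
    }
}

if ($findings.Count -eq 0) { 'No matching artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it in an elevated session so the HKLM IFEO subkeys are readable; any finding is a lead for triage, not proof of infection on its own.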
Now comes the moment of truth: we can see the real face of the malware attacking the banks’ clients. It is a Java backdoor known as TrojWare.Java.JRat.E, whose purpose is to provide unauthorized remote access to infected machines.
As the screenshot shows, the JAR package contains an encrypted file, “mega.download”. Once decrypted, it reveals the malware’s properties:
What remains is to find out what is hiding behind the “ywe.u” resource.
Next, we extract and decrypt the malware’s .CONFIG file to discover its configuration options.
And there it is: the malware connects to the attackers’ server, 18.104.22.168, to report the successful infection of a new victim and then waits for instructions from the perpetrators.
You may be wondering exactly how the malware harms the user. Like any backdoor, it enables covert access to the compromised machine and thus hands it over to the total control of the cybercriminals. They can steal information, install additional malware, or use the infected machine to spread malware and attack other users around the world.
“It’s definitely a more complicated attack than it seems at first sight,” says Fatih Orhan, Head of the Comodo Threat Research Labs. “It’s not a regular phishing campaign to steal banking credentials but an effort to implant malware that gives the attackers total control of the infected machines for a long time, while victims might remain unaware of the fact that their computers are in the perpetrators’ hands.
Meanwhile, the perpetrators can covertly utilize the compromised machines in different ways for their multiple criminal purposes and profit. For example, initially they can steal credentials for a victim’s accounts. Then they can use an infected machine as part of a botnet to spread malware or conduct DDoS attacks on other users. Besides that, they can constantly spy on the victims’ activity.
Also, the scope of the attacks is impressive. It looks like the attackers tried to create a network of thousands of controlled computers for conducting multiple attacks around the world. I hate to think how many users would have been victimized if Comodo hadn’t stopped those attacks.”
Live secure with Comodo!
The heatmaps and IPs used in the attacks
Türkiye İş Bankası
The attack was conducted from IPs in Turkey, Cyprus and the USA. It started on September 10, 2018 at 05:01:49 UTC and ended on September 10, 2018 at 07:10:10 UTC.
The IPs used in the attack
The attack was conducted from IPs in Cyprus and the United Kingdom. It started on September 24, 2018 at 09:38:29 UTC and ended on September 26, 2018 at 11:01:10 UTC.
The attack was conducted from IPs in Cyprus, the United Kingdom, Turkey, the United States, and India. It started on September 24, 2018 at 10:28:06 UTC and ended on September 27, 2018 at 14:54:55 UTC.
Top 5 of the IPs used in the attack
T.C. Ziraat Bankasi
The attack was conducted from IPs in Turkey and Cyprus. It started on September 05, 2018 at 12:55:50 UTC and ended on September 24, 2018 at 09:32:18 UTC.
Yapi ve Kredi Bankasi
The attack was conducted from IPs in Turkey, South Africa, and Germany. It started on September 25, 2018 at 09:54:48 UTC and ended on September 26, 2018 at 15:10:49 UTC.
Top 5 IPs used in the attack
Tags: cybersecurity, Email Security, firewall, Phishing, Phishing Attacks, Turkish Banks