1

1. Operation Emmental
David Sancho
FTR team
11/10/2014 Copyright 2014 Trend Micro Inc. 1

2. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

3. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

4. The Way In…
11/10/2014 Copyright 2014 Trend Micro Inc.
2

5. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

6. One more certificate on the list…
11/10/2014 Copyright 2014 Trend Micro Inc.
2

7. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

8. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

9. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

10. But what’s
hhaappppeenniinngg iinn
reality?
11/10/2014 Copyright 2014 Trend Micro Inc.
2

11. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

12. Attacker’s Infrastructure
DNS servers
C&C servers Windows Trojan
Hosting servers
SMS receiver
11/10/2014 Copyright 2014 Trend Micro Inc.
2
Android Trojan

13. Domains involved
 hxxp://security-apps.net/Raiffeisen.apk
 hhxxxxpp::////sseeccuurriittyy--aappppss..bbiizz//RRaaiiffffeeiisseenn..aappkk
 hxxp://tc-zo.ch/security/ZKB.apk
11/10/2014 Copyright 2014 Trend Micro Inc.
2

14. Who registered those?
Oleg Makarov
oleg_makarov555@yahoo.com
11/10/2014 Copyright 2014 Trend Micro Inc.
2

15. Other domains from our friend Oleg
 banking-security.net
 certificate-security.
com
 chromeupd.pw
safe-browser.biz
safe-time.net
security-apps.biz
security-apps.net
11/10/2014 Copyright 2014 Trend Micro Inc.
2
 ffupdate.pw
 ieupdate.pw
sfotware.pw
softwareup.pw

16. openssl s_client –connect
5.39.219.212:443 | openssl x509 -text
DNS:default, DNS:93.171.202.71, DNS:e-finance.postfinance.ch, DNS:banking.bekb.ch,
DNS:cs.directnet.com, DNS:e-banking.gkb.ch, DNS:eb.akb.ch, DNS:ebanking-ch.ubs.com,
DNS:ebanking-ch1.ubs.com, DNS:ebanking-ch2.ubs.com, DNS:ebanking.bkb.ch,
DNS:inba.lukb.ch, DNS:netbanking.bcge.ch, DNS:onba.zkb.ch, DNS:tb.raiffeisendirect.ch,
DNS:www.credit-suisse.com, DNS:credit-suisse.com, DNS:www.onba.ch, DNS:onba.ch,
DNS:www.postfinance.ch, DNS:postfinance.ch, DNS:www.raiffeisen.ch,
DNS:raiffeisen.ch, DNS:www.ubs.com, DDNNSS::uubbss..ccoomm,, DDNNSS::wwwwww..zzkkbb..cchh,, DDNNSS::zzkkbb..cchh,,
DNS:wwwsec.ebanking.zugerkb.ch, DNS:banking.raiffeisen.at,
DNS:online.bankaustria.at, DNS:ebanking.bawagpsk.com, DNS:netbanking.sparkasse.at,
DNS:ebanking.easybank.at, DNS:banking.privatbank.at, DNS:bankaustria.at,
DNS:www.bankaustria.at, DNS:raiffeisen.at, DNS:www.raiffeisen.at, DNS:privatbank.at,
DNS:www.privatbank.at, DNS:sparkasse.at, DNS:www.sparkasse.at, DNS:bawagpsk.com,
DNS:www.bawagpsk.com, DNS:easybank.at, DNS:www.easybank.at, DNS:*.google.com,
DNS:*.android.com, DNS:*.google.de, DNS:*.google.nl, DNS:*.gstatic.com,
DNS:*.youtube.com, DNS:google.com, DNS:youtube.com, DNS:facebook.com,
DNS:*.facebook.com, DNS:gmx.com, DNS:gmx.de, DNS:*.gmx.com, DNS:*.gmx.de,
DNS:*.gmx.ch, DNS:*.gmx.at, DNS:yahoo.com, DNS:www.yahoo.com,
DNS:microsoft.com, DNS:www.microsoft.com, DNS:gmail.com, DNS:paypal.com,
DNS:*.paypal.com, DNS:stats2.bekb.ch, DNS:sdc.credit-suisse.com,
DNS:portal.privatbank.at, DNS:portal.raiffeisen.at, DNS:stat.swedbank.se,
11/10/2014 Copyright 2014 Trend Micro Inc.
2

17. OObbnniilliimm
rid 11/10/2014 Copyright 2014 Trend Micro Inc.
2

18. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

19. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

20. TThhaannkk yyoouu!!