Webinject files are now ubiquitous in the banking Trojan world to aid financial fraud. What started as private and malware family dependent code has now blossomed into a full ecosystem where independent coders are selling their services to botnet herders. This specialization phenomenon can be observed in underground forums, where we see a growing number of offers for fully functional webinject packages providing all the functionalities required to bypass the latest security measures put forth by financial institutions. Our research covers the current webinject scene and its commoditization. We will take a look back and show how it has evolved over time, going from simple phishing-like functionalities to automatic transfer system (ATS) and two-factor authentication bypass, along with mobile components and full-fledged web control panels to manage money exfiltration through fraudulent money transfers. Nowadays, a malware able to inject arbitrary HTML content in a browser is all that is needed for a resourceful bot master, as he can now outsource practically every other step required to perform successful fraudulent financial transfer. This is confirmed by our recent observation of several malware families using the same webinject kits. Our research will try to answer this question: will we see a consolidation phase leading to the emergence of a few select omnipresent webinject kits, similar to what we have seen in the Web exploit kit scene?

2. The evolution of webinjects
Jean-Ian Boutin
ESET

3. •WebinjectEvolution
•WebinjectCommoditization
•Emergence of Popular Kits
•WebinjectDelivery
Outline

4. WebinjectEvolution

5. •Keyloggers
•Form grabbing
–Inspect GET/POST requests
•Injects are specifically made for one banking Trojan platform
•Only a couple of institutions are available
•Institutions are geo-located
The Beginnings

6. Keyword indicating which URL is targeted
Popular webinjectformat

7. Popular webinjectformat
Target URL

8. Popular webinjectformat
Flags (Get, Post)

9. Popular webinjectformat
Keywords specifying where the code should be injected in the webpage

10. Popular webinjectformat
Code to inject

11. •Login grabber
•Injection of additional fields
•Balance grabber/changer
•TAN Grabber
•Full Automatic Transfer Systems (ATS or AZ -avtozaliv)
Increase in Functionalities

12. Phish-like inject

13. •Allow transfers to be done automatically
•Inject code able to browse to correct page, fill transfer information, etc
•Not as attractive nowadays due to complexity
Automatic Transfer Systems

14. •Several form factor exists
Transaction Authorization Number (TAN)

15. •Inject content tricking the user into entering a TAN
Social Engineering (1/2)

16. Social Engineering (2/2)
•Inject content tricking the user into installing a malicious application

17. Popular WebservicesTargeted
•Extra content is injected as soon as user logs into his account
•Usually phishing-like webinjects

18. WebinjectCommoditization

19. Custom Tools

20. Cheap Webinjects

22. ATS
•Some webinjectseller can include android components to bypass mTAN

23. Panels
•Some scripts with advanced capabilities come with an administration panel

24. •Two types of offering for webinject
–Public
–Private
•Partnership, where the revenue can be shared, are also mentioned by some inject coders
Public/Private webinjectand Partnerships

25. Emergence of Popular Kits

26. ATSEngine
•ATSEnginepanel screenshots
•Seen in Qadars, ZeusVM, Neverquest/Vawtrak, Citadel, GOZ

27. Injeria
•Used in several banking Trojans: Qadars, Tilon, Torpig
•JS downloaded from external source, using a distinctive URL

28. •Several different project types
–log-<project-name>
–mob-<project-name>
–req-<project-name>
–app-<project-name>
Injeria

29. •The code and URL structures
•The admin panel design
•Sometimes underground adverts and features correlation is possible
How to track them?

30. ATSEngine-ID

31. ATSEngine-ID

32. WebinjectDelivery

33. Inline vs. external downloads

34. Inline vs. external downloads

35. •Advantages
–Hinder forensic analysis
–Feature based selling
–Maintenance by original seller
–New webinjectcode does not have to be downloaded right away by the bot
JS –External Download

36. External Sever Interactions

37. External Server Interactions

38. Conclusion

39. •Webinjects have evolved tremendously in the past few years
•In several banking Trojans, it is the true attack code
•Webinjectcommoditization is well in place
•As different webinjectplatforms are available, some are more popular than others
Conclusion

40. •Special thanks to Anton Cherepanov
•Questions?
@jiboutin
Thank You!!