Webinject files are now ubiquitous in the banking Trojan world as an aid to financial fraud. What started as private, malware-family-dependent code has blossomed into a full ecosystem in which independent coders sell their services to botnet herders. This specialization can be observed in underground forums, where a growing number of offers advertise fully functional webinject packages providing everything required to bypass the latest security measures put forth by financial institutions.
Our research covers the current webinject scene and its commoditization. We will take a look back and show how it has evolved over time, going from simple phishing-like functionalities to automatic transfer system (ATS) and two-factor authentication bypass, along with mobile components and full-fledged web control panels to manage money exfiltration through fraudulent money transfers.
Nowadays, malware able to inject arbitrary HTML content into a browser is all a resourceful bot master needs, since practically every other step required to perform a successful fraudulent financial transfer can now be outsourced.
This is confirmed by our recent observation of several malware families using the same webinject kits. Our research will try to answer this question: will we see a consolidation phase leading to the emergence of a few select omnipresent webinject kits, similar to what we have seen in the Web exploit kit scene?
5. The Beginnings
• Keyloggers
• Form grabbing
– Inspect GET/POST requests
• Injects are specifically made for one banking Trojan platform
• Only a couple of institutions are available
• Institutions are geo-located
11. Increase in Functionalities
• Login grabber
• Injection of additional fields
• Balance grabber/changer
• TAN grabber
• Full Automatic Transfer Systems (ATS or AZ, avtozaliv)
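A defender-side check for the "injection of additional fields" and "TAN grabber" techniques listed above, added here as an example and not taken from the talk: it compares the input fields actually rendered in a login form against the fields the genuine page is known to contain. The form markup, the field allowlist and the function names are constructed assumptions.

```javascript
// Added example, not from the original talk: flag input fields a webinject has added to
// (or removed from) a bank login form by comparing the rendered form against the
// set of fields the genuine page is known to contain.

// Field names the (hypothetical) genuine login form ships with.
const EXPECTED_LOGIN_FIELDS = new Set(["username", "password", "csrf_token"]);

// Extract name and type of every <input> in an HTML fragment. Regex extraction is
// enough for a demo; in the browser, iterate form.elements instead.
function extractInputs(html) {
  const inputs = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const name = (tag.match(/\bname\s*=\s*["']?([^"'\s>]+)/i) || [])[1];
    const type = ((tag.match(/\btype\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || "text").toLowerCase();
    if (name) inputs.push({ name, type });
  }
  return inputs;
}

// Extra fields are the login-grabber / TAN-grabber signature; missing ones can mean
// the inject stripped a CSRF token or replaced the form wholesale.
function auditForm(html, expected = EXPECTED_LOGIN_FIELDS) {
  const seen = extractInputs(html);
  const unexpected = seen.filter((f) => !expected.has(f.name));
  const missing = [...expected].filter((n) => !seen.some((f) => f.name === n));
  return { unexpected, missing, suspicious: unexpected.length > 0 || missing.length > 0 };
}

// Constructed sample: the genuine form, and the same form after an inject appended
// "pin" and "tan" fields, the pattern the TAN grabber bullet describes.
const CLEAN_FORM = `
<form id="login" action="/login" method="post">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="text" name="username">
  <input type="password" name="password">
</form>`;

const INJECTED_FORM = CLEAN_FORM.replace(
  "</form>",
  '<input type="text" name="pin"><input type="text" name="tan"></form>'
);

// Browser usage: auditForm(document.getElementById("login").outerHTML), reporting a
// suspicious result to the fraud back end. An inject runs in the same page and can
// tamper with this check, so treat it as a detection signal, not a guarantee.
```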
13. Automatic Transfer Systems
• Allow transfers to be done automatically
• Inject code able to browse to the correct page, fill in transfer information, etc.
• Not as attractive nowadays due to complexity
23. Panels
• Some scripts with advanced capabilities come with an administration panel
24. Public/Private Webinject and Partnerships
• Two types of offering for webinjects
– Public
– Private
• Partnerships, where revenue is shared, are also mentioned by some inject coders
35. JS – External Download
• Advantages
– Hinder forensic analysis
– Feature-based selling
– Maintenance by original seller
– New webinject code does not have to be downloaded right away by the bot
39. Conclusion
• Webinjects have evolved tremendously in the past few years
• In several banking Trojans, it is the true attack code
• Webinject commoditization is well in place
• As different webinject platforms are available, some are more popular than others