We are seeing a trend where new banking trojans are emerging on the threat landscape very rapidly.  First came Bugat followed by Carberp.  Unfortunately, it is time to meet 'Feodo'. Since august of this year when FireEye's MPS devices detected this malware in the field, we have been monitoring this banking trojan very closely. In many ways, this malware looks similar to other famous banking trojans like Zbot and SpyEye.  Although my analysis says that this malware is not a toolkit and is in the hands of a single criminal group.

At the time of writing this article, AV coverage for this malware looks very disappointing. Out of 42 antivirus software listed on VirusTotal only two were able to detect it as malicious. Screenshot from VT:

Complete report can be found here: MD5: 557597074df3d3ce0e1674285ef19732

Here are some high level features offered by this malware:

1. Bot herders can supply a list of URLs (mostly of banking sites) so that the malware can start intercepting these web pages.  What this means is that whenever a user tries to visit these web sites, the malware will start submitting the web form data back to its CnC.  These web forms and the data inside them will be intercepted well before its gets encapsulated into HTTPS.  All the information including login credentials will be in hands of bot herders in plain text.

2. It's fully capable of Man in the Browser (MITB) attacks. This means that it can intercept original web contents coming from legitimate servers in order to append its own crafted HTML.  This is normally done to ask the user for more information than was originally requested by the actual server, like your PIN numbers, Social Security number etc.

3. It can also steal HTML pages from your browsing sessions.  Sound strange?  Well for any successful MITB attack, the attacker needs to know about the HTML being served by the legitimate server.  Just imagine an attacker wants to modify HTML pages for the Wells Fargo "Add New Payee" web page.  Unless the attacker himself has an account with Wells Fargo, he may not know the contents of this page.  By stealing this private page while a legitimate user is browsing to it, the attacker is in a perfect position to prepare his future MITB attack.

How does this all happen? Let's take a closer look.

At the time of writing this post, I can see that the bot herders are instructing its zombies to target over a dozen banks.  This is a huge list , I rarely see even bot herders behind Zbot targeting so many banks.

Configuration file:

Above is the configuration file for the malware containing all the web urls the bot herders want to intercept for information stealing.  In this list, one can see many famous banks like Wells Fargo, Bank Of America, Citibank etc.  Many other famous web sites like Amazon.com, Myspace, and Google mail are in the target list as well.

Stealing web forms:

Note: The above credentials are fake and were supplied by me to generate this particular scenario.

Stealing HTML pages:

I must say that with respect to the feature set, this malware is almost equivalent to other known banking trojans.  Although this malware may have few advantages over other famous banking trojans like Zbot and SpyEye.  First of all it's private code so unlike other tool kits it wont cost the bot herders thousands of dollars.  Unlike Zbot which has become a victim of its own success, this malware can fly under the radar for a long time. If the attackers want a new feature, they don't need to wait for a new toolkit version, a change can be made right away.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Detailed Question/Comments : research SHIFT-2 fireeye DOT COM