Operation Emmental
David Sancho
FTR team
11/10/2014 Copyright 2014 Trend Micro Inc. 1
The Way In…
One more certificate on the list…
But what's happening in reality?
Attacker's Infrastructure
DNS servers
Hosting servers
C&C servers
Windows Trojan
Android Trojan
SMS receiver
Domains involved
hxxp://security-apps.net/Raiffeisen.apk
hxxp://security-apps.biz/Raiffeisen.apk
hxxp://tc-zo.ch/security/ZKB.apk
Other domains from our friend Oleg
banking-security.net
certificate-security.com
chromeupd.pw
ffupdate.pw
ieupdate.pw
safe-browser.biz
safe-time.net
security-apps.biz
security-apps.net
sfotware.pw
softwareup.pw
openssl s_client -connect 5.39.219.212:443 </dev/null | openssl x509 -noout -text
DNS:default, DNS:93.171.202.71, DNS:e-finance.postfinance.ch, DNS:banking.bekb.ch, DNS:cs.directnet.com, DNS:e-banking.gkb.ch, DNS:eb.akb.ch, DNS:ebanking-ch.ubs.com, DNS:ebanking-ch1.ubs.com, DNS:ebanking-ch2.ubs.com, DNS:ebanking.bkb.ch, DNS:inba.lukb.ch, DNS:netbanking.bcge.ch, DNS:onba.zkb.ch, DNS:tb.raiffeisendirect.ch, DNS:www.credit-suisse.com, DNS:credit-suisse.com, DNS:www.onba.ch, DNS:onba.ch, DNS:www.postfinance.ch, DNS:postfinance.ch, DNS:www.raiffeisen.ch, DNS:raiffeisen.ch, DNS:www.ubs.com, DNS:ubs.com, DNS:www.zkb.ch, DNS:zkb.ch, DNS:raiffeisen.ch, DNS:www.ubs.com, DNS:ubs.com, DNS:www.zkb.ch, DNS:zkb.ch, DNS:wwwsec.ebanking.zugerkb.ch, DNS:banking.raiffeisen.at, DNS:online.bankaustria.at, DNS:ebanking.bawagpsk.com, DNS:netbanking.sparkasse.at, DNS:ebanking.easybank.at, DNS:banking.privatbank.at, DNS:bankaustria.at, DNS:www.bankaustria.at, DNS:raiffeisen.at, DNS:www.raiffeisen.at, DNS:privatbank.at, DNS:www.privatbank.at, DNS:sparkasse.at, DNS:www.sparkasse.at, DNS:bawagpsk.com, DNS:www.bawagpsk.com, DNS:easybank.at, DNS:www.easybank.at, DNS:*.google.com, DNS:*.android.com, DNS:*.google.de, DNS:*.google.nl, DNS:*.gstatic.com, DNS:*.youtube.com, DNS:google.com, DNS:youtube.com, DNS:facebook.com, DNS:*.facebook.com, DNS:gmx.com, DNS:gmx.de, DNS:*.gmx.com, DNS:*.gmx.de, DNS:*.gmx.ch, DNS:*.gmx.at, DNS:yahoo.com, DNS:www.yahoo.com, DNS:microsoft.com, DNS:www.microsoft.com, DNS:gmail.com, DNS:paypal.com, DNS:*.paypal.com, DNS:stats2.bekb.ch, DNS:sdc.credit-suisse.com, DNS:portal.privatbank.at, DNS:portal.raiffeisen.at, DNS:stat.swedbank.se,
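Reading a Subject Alternative Name list that long by hand is error-prone, and the telling property of this certificate is not any single name but the spread: Swiss and Austrian banks, webmail, social networks and a payment provider all on one certificate, plus entries that are not hostnames at all ("default", a bare IP). The script below is an added example, not part of the presentation or of any Trend Micro tool. It extracts the `DNS:` entries from `openssl x509 -text` output, groups them by registrable domain and flags a certificate whose SAN list spans more organisations than one legitimate server certificate would. The embedded sample text is constructed in the shape of openssl's output using a subset of the names above; the threshold of five registrable domains and the "last two labels" grouping rule are assumptions for illustration.

```python
import ipaddress
import re
import sys
from collections import defaultdict

# Constructed sample (not captured output): a fragment shaped like the
# Subject Alternative Name extension that `openssl x509 -text` prints.
# The names are a subset of those on the slide; the line wrapping is ours.
SAMPLE_X509_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:default, DNS:93.171.202.71, DNS:e-finance.postfinance.ch, DNS:onba.zkb.ch,
                DNS:ebanking-ch.ubs.com, DNS:www.ubs.com, DNS:ubs.com, DNS:zkb.ch,
                DNS:banking.raiffeisen.at, DNS:*.google.com, DNS:gmail.com,
                DNS:*.facebook.com, DNS:paypal.com, DNS:*.paypal.com
            X509v3 Basic Constraints:
                CA:FALSE
"""

# Hostname: dot-separated labels of letters, digits and hyphens, optional "*." wildcard.
_HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def parse_san_dns(x509_text: str) -> list:
    """Return every DNS: entry from openssl -text output, in order, duplicates kept.
    DNS: entries only occur in the SAN (and rarely Name Constraints) extension,
    so a plain scan of the whole text is sufficient here."""
    return re.findall(r"DNS:([^,\s]+)", x509_text)


def registrable_domain(name: str):
    """Map a SAN entry to its registrable domain or None if it is not a hostname.
    Assumption: "last two labels" stands in for the Public Suffix List, which a
    production tool should use so that e.g. co.uk names group correctly."""
    try:
        ipaddress.ip_address(name)
        return None  # an IP literal inside a DNS: entry is itself an oddity
    except ValueError:
        pass
    if not _HOSTNAME_RE.match(name):
        return None  # e.g. the bare word "default"
    host = name[2:] if name.startswith("*.") else name
    return ".".join(host.lower().split(".")[-2:])


def group_by_registrable(names) -> dict:
    """Group SAN hostnames under their registrable domain."""
    groups = defaultdict(set)
    for n in names:
        reg = registrable_domain(n)
        if reg is not None:
            groups[reg].add(n.lower())
    return dict(groups)


def assess(x509_text: str, max_registrable: int = 5) -> dict:
    """Summarise a certificate's SAN list and flag it when it spans more distinct
    registrable domains than a single organisation would normally hold.
    The default threshold is an assumption; tune it to your environment."""
    names = parse_san_dns(x509_text)
    groups = group_by_registrable(names)
    return {
        "entry_count": len(names),
        "registrable_domains": sorted(groups),
        "non_hostname_entries": [n for n in names if registrable_domain(n) is None],
        "suspicious": len(groups) > max_registrable,
    }


if __name__ == "__main__":
    # Read `openssl x509 -text` output from stdin when piped, else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_X509_TEXT
    report = assess(text)
    print(f"{report['entry_count']} SAN entries covering "
          f"{len(report['registrable_domains'])} registrable domains")
    for d in report["registrable_domains"]:
        print("  ", d)
    if report["non_hostname_entries"]:
        print("non-hostname entries:", report["non_hostname_entries"])
    print("suspicious:", report["suspicious"])
```

Run it on a live certificate by piping the output of the `openssl` pipeline above into the script; on the sample it reports 14 entries across 8 registrable domains and flags the certificate. The grouping step matters because a certificate legitimately covering many hosts of one organisation (ubs.com, www.ubs.com, ebanking-ch.ubs.com) should not trip the check; only the number of distinct organisations does.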
ObnilimObnilimrid
Thank you!