ESET Uncovers Apache Malware Targeting Russian and European Banks
ESET, the leader in proactive protection celebrating 25 years of its technology this year, unveils its latest research on the malicious Apache module detected by ESET as Linux/Chapro.A. The primary purpose of Linux/Chapro.A is to inject malicious content into web pages that are served by an infected web server. Although the module can serve practically any type of content, in this specific case it installs a variant of Win32/Zbot that is designed to steal banking information from infected systems. This particular version of Win32/Zbot targets European and Russian banking institutions. The Apache web server is the world’s most popular HTTP server software and serves more than half of all active websites globally.
“The attack described in the present analysis shows the increased complexity of malware attacks. This complicated case spreads across three different countries, targeting users from a fourth one, making it very hard for law enforcement agencies to investigate and mitigate its effects,” says Pierre-Marc Bureau, ESET Security Intelligence Program Manager.
The malicious module has a couple of interesting capabilities used to reduce its chances of being spotted by system administrators, like setting cookies on the victim machine and hiding from web browsers in which it might produce an error. ESET researchers first discovered Linux/Chapro.A in November. The exploit was first blocked by ESET through generic detection, even before the link was added to the URL blacklist. At the time of our analysis, the malicious command and control server was being hosted in Germany, but has recently gone offline.
Based on ESET’s analysis, the iframe injected by Linux/Chapro.A points to a “Sweet Orange” exploit pack landing page. “At the time of our analysis, the exploit pack was being hosted in Lithuania. The pack tries to exploit several vulnerabilities found in modern web browsers and plugins,” says Pierre-Marc Bureau. “As our investigation revealed, the final purpose of the attack is to install a variant of Win32/Zbot, also known as ZeuS. For many years, ZeuS has been widely used to steal banking related information,” he adds.
Once the user has logged in to his account, the malware will inject a pop-up asking for his card’s CVV code. The malware will then try to send the user credentials along with the CVV to the botnet operator. While the ESET research team has not witnessed any other installations of Linux/Chapro.A in the wild, it has observed thousands of users accessing the Sweet Orange exploit pack before we blocked access to this server in our products.
For more, please visit the ESET Threat Blog.
ESET, the pioneer of proactive protection and the maker of the award-winning NOD32 technology, which is celebrating its 25th anniversary, is a global provider of security solutions for businesses and consumers. The Company continues to lead the industry in proactive threat detection. By obtaining the 75th VB100 award in September 2012, ESET NOD32 Antivirus holds the world record for the number of Virus Bulletin “VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. ESET has been selected as one of the most innovative companies in Europe for the 2011 HSBC European Business Awards and holds a number of accolades from AV-Comparatives, AV Test and other organizations. ESET NOD32 Antivirus, ESET Smart Security and ESET Cyber Security (solution for Mac) are trusted by millions of global users and are among the most recommended security solutions in the world.
The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Sao Paulo (Brazil) and Prague (Czech Republic). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia), and an extensive partner network for more than 180 countries.