Examining Malware Web Browser Injections

Posted on 2018-11-13 by Adam Swanda

Banking malware and information stealing malware are some of the most popular threats in today's landscape. Many stealers will collect information and credentials from locally installed applications such as web browsers, email and instant messaging clients, and other common software. Banking trojans, on the other hand, go the extra mile to pilfer data and use what is called Web browser injections, more commonly called "web injects". Web injects are code within malware that can inject HTML and JavaScript directly into otherwise legitimate websites a victim visits. This has the effect of modifying rendered browser content to achieve any number of goals the malicious actor chooses, such as adding, removing, or modifying text, inserting form fields, or capturing data entered into fields.

Overview

The biggest target of malicious web injects are financial institution websites. Threat actors will create highly specialized injections to trick users into entering confidential information, or after stealing money from a user, an injection could even make it seem that their account has more money in it than it really does. While web injections are an old technique for banking trojans, it is especially effective and continues to be used by almost every major financially motivated malware.

All of this is possible through what's known as a Man-In-The-Browser (MITB) attack because the malicious activity occurs within the victims' web browser. At a high level, malware will inject malicious code into a running browser, and when specific Microsoft Windows API calls are made for HTTP traffic, those calls will be intercepted so web content can be changed on-the-fly. This is known as API hooking and allows malware to monitor for specific functions, intercept them, and make changes to the functions result.

Web Inject Use-Cases

Common Goals of Financial Web Injects

  • Capture Confidential Account Information
    • Bank Account Number, Routing Number, Credit/Debit Card Numbers
  • Stealing Banking Credentials
    • This information is most often sold in bulk on underground forums
  • Perform Funds Transfers
    • Complex injection to make fraudulent transfers and modify the victims' balance, so they do not notice the money is missing
    • These attacks seem to be less common due to the complexity involved and advancements in banking security technologies

Most commonly web injection tactics are used for financial gain, but they can also take a more social-engineering focused approach to capture different information, such as prompting users for additional information that the legitimate websites wouldn't ask for.

Common Goals of Social-Engineering Focused Web Injects

  • Capture Debit Card PINs
  • Capture Drivers license information
  • Capture Date of Birth
  • Capture Social Security Number
  • Capture of Credentials from Social Media Websites
    • FaceBook, Google, Twitter, etc.

The social-engineering focused attacks are likely to be used in future attacks involving identity theft or to be sold in combination with information gathered from the first list above.

Web injects can also be used in more indirect means. There have been cases where users have invisible iframes places over their browser tabs to generate advertising revenue.

From Malware to Browser

Before malware can begin to steal information, it must first inject itself into the web browser. Typically, the primary malware component performs an infinite loop to enumerate all running processes to look for web browsers it can inject into. A common process enumeration loop is done through API calls to CreateToolhelp32SnapShot, Process32FirstW, ProcessNextW. Once a process is found, such as firefox.exe, chrome.exe, or iexplore.exe, the malware will inject a malicious DLL into the targeted browser. Process injection can be done using many different methods, but the most common is through the use of the calls OpenProcess, VirtualAllocEx, WriteProcessMemory, and finally CreateRemoteThread to run the injected code.

Once running in the browser, the malware will hook API functions responsible for sending and receiving HTTP traffic. Once an API call is detected to send am HTTP request, that call is intercepted, the visited website is checked against a list of target websites, and if a match is found the malware will modify the HTTP response to insert malicious HTML or JavaScript content.

Hooking

One commonly used method of API Hooking is Import Address Table (IAT) hooks. IAT Hooking has been used by many malware families, specifically banking trojans, but also keyloggers and information stealers. An IAT is essentially a lookup table that holds the addresses of every function a program needs in memory. Malicious code first finds the address of the IAT inside the targeted process, the web browser in this case. Next, the malware will locate the desired functions address in the IAT and overwrite the address with one to their malicious code. At this point, the execution flow will redirect to the malware where the results can be modified before being returned back to the original function.

There are several other hooking techniques available that are outside of the scope of this blog, such as Trampolines, Inline Hooking, Detours. Two very detailed guides on more advanced methods can be read here and here.

API calls commonly hooked for web injections are listed below:

  • HttpSendRequestA
    • HttpSendRequestW
    • HttpSendRequestExA
    • HttpSendRequestExW
  • HttpEndRequestA
    • HttpEndRequestW
  • HttpQueryInfoA
  • InternetReadFile
    • InternetReadFileExA
  • InternetWriteFile
  • InternetQueryOptionA
    • InternetQueryOptionW
  • PR_Write
  • PR_Read

Due to where the API hooks are placed, the stolen data is captured before it can be encrypted and therefore SSL protected websites don't provide any protection against this method.

Configuration Files

Malware that performs MITB attacks typically also use a configuration file that contains a list of target websites they wish to modify, and what code should be injected and where. The list of target websites is often a regular expression so the attackers can cast as wide a net as possible when targeting websites. The use of separate configuration files also gives the threat actors an advantage as they can easily modify and update the targeted websites and injection content as web pages change or if they want to collect new information. Depending on the malware and the method, configuration files will differ.

Like many other malicious wares, web injections configuration files have been sold on underground forums. This provides threat actors with a predefined set of target patterns that they can easily drop into their malware, as opposed to having to create the file themselves. The configurations may also be tuned to a specific region or type of website as well, such as only targeting domains in an individual country or only targeting email providers and social media for example.

The number of targeted websites in these configuration files can be rather exhaustive, as well. In one malware family we analyzed recently, there were over 500 unique URLs contained as potential targets.

There are two common types of methods: static injections and dynamic injections. Many banking trojans use a combination of both Static and Dynamic injections and include different targets for each technique. The next two sections show examples of configuration files from the TrickBot malware family that provides for targeted URLs and additional information needed to perform the injections.

Dynamic Injections

Below is an excerpt of a dynamic web inject configuration file from the TrickBot malware, which we recently blogged about in detail, that shows what a typical config could look like:

<dinj>
<lm>*netteller.com/login2008/Authentication*</lm>
<hl>http://51.254.241[.]249/response.php</hl>
</dinj>
<dinj>
<lm>https://*.netteller.com/favicon.ico?*</lm>
<hl>http://51.254.241[.]249/response.php</hl>
</dinj>

By examining this configuration file snippet, the targeted URL patterns are seen between the tags. When a victim visits one of the targeted URLs, TrickBot will intercept the response before the browser renders it and sends the response data back to the TrickBot URL listed between the tags. The malicious hosts used in these types of injections can additionally insert content into the response that ultimately gets sent back to the victim and displayed in their browser.

Static Injections

Static injections, sometimes called Web Fakes, are a much more simple approach. While they still use the API hooking approach, instead of subtly replacing or adding content to a legitimate website, the static inject will replace a legitimate website entirely with a fake website designed to look like the original destination. The hope here is that victims' won't notice any difference and will enter credentials and other confidential information into the fake website, where the data is then immediately submitted to the threat actors.

Since this method is modifying the visual content of a website, the victims' web browser will still show the original websites URL, and any SSL certificate information will also even appear to be correct. If a user were to become suspicious and view the SSL certificate in their browser, everything would look normal.

Again from our previous TrickBot blog, the snippet below shows an example of a static injection configuration that displays the targeted websites and the malicious websites that will replace the legitimate one.

<sinj>
<mm>https://www.rbsidigital.com*</mm>
<sm>https://www.rbsidigital.com/default.aspx*</sm>
<nh>krsajxnbficgmrhtwsoezpklqvyd[.]net</nh>
<url404></url404>
<srv>31.131.27[.]144:443</srv>
</sinj>
<sinj>
<mm>https://www.bankline.rbs.com*</mm>
<sm>https://www.bankline.rbs.com/CWSLogon/logon.do*</sm>
<nh>cdsabpclzowrnyfeaukjmxsvqtid[.]net</nh>
<url404></url404>
<srv>31.131.27[.]144:443</srv>
</sinj>

Conclusion

Banking trojans and other information stealers are prevalent malware family types, and we don't predict they will be going away anytime soon. Additionally, due to the success rate of web injects we'll continue to see this method used for some time although the exact methods of API hooking will likely evolve as detection measures grow to detect them.

These threats are distributed in a variety of ways, but commonly distributed through phishing campaigns and exploit kit. One of the best defensive measures, especially for phishing emails, is user awareness. Educating users as to what suspicious emails and attachments look like and how to accurately report suspect content can do wonders in bringing down the chance of infection.

InQuest offers protection for a rather exhaustive set of malware families, exploits, and delivery vectors that can assist in defending against these attacks. For further information or to schedule a briefing, contact us.

malware-analysis banking-trojans