Trend Micro Researchers Uncover SpyEye Operation

Written by: Bernadette Irinco

What happened on this attack and who were affected?

Trend Micro researchers recently uncovered a cybercriminal operation involving SpyEye that began as early as January 2011. The said operation was orchestrated by “Soldier” (the cybercriminal’s handle), who is currently based in Russia. Trend Micro researchers had been monitoring Soldier and his activities since March 2011.�

Based on investigation, this attack mainly targeted US users and some of those affected were large enterprises and institutions such as the US government and military. In fact, 97% of the affected corporations are based in the US. However, we have also observed affected organizations located in other countries such as the United Kingdom, Mexico, Canada, and India.

The SpyEye variant used in this attack is detected by Trend Micro as TSPY_SPYEYE.EXEI.

How much money was stolen?

According to Trend Micro research, the cybercriminal behind this attack was able to get more than $3.2 million dollars, or $17,000 per day, in the last 6 months with the help of accomplices and money mules. Money mules were recruited to transfer the money to the cybercriminals.�

To launder the money, �the stolen money is passed by the cybercriminal to the accomplices situated in various locations then to the money mules and finally back to the cybercriminal. This is done so the cybercriminal won’t be easily track down by security researchers and law enforcement.�

�Figure 1. How money is laundered

Once a system is infected, what does TSPY_SPYEYE.EXEI do?

Once installed, TSPY_SPYEYE.EXEI downloads a configuration file, which contains the websites that it monitors. Once users visit any of these monitored sites, it performs web injection and logs keystrokes to steal information from users. �It also connects to specific URLs to send and receive information from a remote user. Once connected to these sites, it sends specific information such as operating system information, Internet Explorer (IE) version, account type, language ID, time zone etc.�

What is SpyEye and how can I encounter this?

SpyEye is a commercially-sold toolkit which first emerged in 2009. Users may encounter SpyEye variants via various infection vectors such as blackhat search engine optimization (SEO), spam, and other malware to infect users’s systems. Its main routine is information, identity, and financial theft.�

Trend Micro detects the binary files generated by SpyEye as TSPY_SPYEYE variants. When SpyEye first came out in the wild, it is thought of as the rival of another prevalent crimeware toolkit, ZeuS.�

How do SpyEye malware steal information?

SpyEye downloads a configuration file on the infected systems. This configuration file contains the list of monitored websites. When users accessed any of the monitored websites, SpyEye performs Web injection to steal the data inputted by the users. It is also capable of capturing screenshots from the infected systems.�

Figure 2. How web injection works

What is a web injection and how does it work?

In Web injection, SpyEye injects HTML code into the webpage to add form fields of other data that the cybercriminals want to steal. In the instance that users visit one of the monitored web sites, they would see an additional field(s) in the said site, asking for specific information other than logon credentials such as ATM or credit card number, email address, etc.

Figure 3. Screenshot of clean site vs. site with web injection

What kind of information do SpyEye variants steal?

Although SpyEye steals banking credentials, it is capable of stealing credentials �related to different websites, such as Facebook, Twitter, Yahoo!, Google, eBay, and Amazon.�It also gathers system information such as installed operating system, Internet Explorer version, timezone, and others. Furthermore, it is capable of capturing screenshots. This routine enables SpyEye to bypass authentication means and to gather data apart from online banking information. The stolen data are either used for other fraudulent activities or sold in the underground.

Why should I be concerned about SpyEye?

As an information stealer, SpyEye variants steal logon credentials and used this to initiate unauthorized transactions, such as an online fund transfer. Because of the web injection routine, users are also at risk of unwittingly giving out sensitive information, which are sold to the underground market and used for malicious purposes. In addition, SpyEye remains to be one of the prevalent malware to date. It can be sold commercially making it available to anyone who intends to steal information and hard-earned money of users.�

SpyEye is known for targeting consumers, as well as small and medium businesses. However, large organizations are affected in this particular attack. It is possible that employees of large enterprises accessed their online bank accounts, and may have engaged in other online activities while using the work/business network, thus compromising its security. Furthermore, the stolen information from these large enterprises may be used to stage targeted attacks.�

Are Trend Micro users protected from this attack?

Yes. Trend Micro provides a multi-layered protection via Trend Micro™ Smart Protection Network™. Web reputation technology blocks all the malicious URLs where SpyEye variants may be downloaded. It also prevents access to all the URLs where the malware may download its configuration files.�

File Reputation Service detects and deletes all known SpyEye variants found on the affected system. For SpyEye variants that arrive via spam messages, the Email reputation service promptly blocks such messages even before they arrive on users' inboxes.

Trend Micro’s Threat Discovery Appliance (TDA) also protects users' networks by blocking malicious packets, such as C&C communication and upload of stolen information.
Home users can use Trend Micro’s HouseCall to scan and clean systems infected with malware components related to this attack. Similarly, Trend Micro’s Genericlean detects and cleans the malware components.�

Users are advised to be wary of divulging any personal information online. It is also best not to access online bank accounts using a work network.�For businesses, we recommend the use of various security layers such as firewall, gateway, messaging, network, server, endpoint, and mobile security for optimal protection against attacks like this.

As of this writing, Trend Micro researchers and analysts are collaborating with law enforcement agencies regarding the blocking of identified command and control servers related to SpyEye.