TSPY_TOXIFBNKR.A

This malware is involved in the global financial network transfer system Swift hacking incident of April-May 2016. It has certain routines that are tailored to take advantage of the SWIFT messaging network in order to steal funds.

To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This spyware requires the following additional components to properly run:

• %Temp%\WRTU\ldksetup.tmp <- log file of malware's activity
• %Temp%\WRTU\LMutilps32.dat <- configuration file
• fpdfsdk.dll <- DLL required to convert PDF to XML and vice versa

(Note: %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.)

It does the following:

• Modifies bank transactions that use SWIFT Messaging in PDF format
  • Triggers when opening a PDF file
    • Reads PDF and converts it to XML then saves to a temporary file
    • Reads the XML file and parses it to look for the following strings:
      • ": Statement Line"
      • "Closing Balance (Booked Funds)"
      • "POS_TEMP"
      • "Opening Balance"
      • "Sender"
      • ": Debit"
      • ": Credit"
      • " Debit"
      • " Credit"
      • "POS_PAGE_START"
      • ": Closing Avail Bal (Avail Funds)"
      • "Message Trailer"
      • "Message Text"
      • "Message Header"
      • "Instance Type and Transmission"
      • "pagecount"
      • ": FIN 950" <- SWIFT statement message indicator
    • Modify the XML file based on the configuration file
    • Converts the modified XML file to PDF then replaces the original PDF file
    • Opens modified PDF file with the legitimate Foxit Reader for the user to see
• Deletes traces of the malware's activities when modification fails
  • Executes mspdclr.exe with the PDF file as parameter
  • Deletes the original SWIFT message (in PDF format) file from the logs in the following paths:
    • {LOG_PATH}\{SWIFT Code of Bank}{PrtIn/PrtOut}\{SWIFT Message File name}
    • {LOG_PATH}\{SWIFT Code of Bank}{PrtIn/PrtOut}\{Year}\{Month}\{Day}\{SWIFT Message File name}
      • Where:
        LOG_PATH - path of the log files, retrieved from the config file
        SWIFT Message File Name - PDF file that failed to be modified/loaded
  • Execute SQL commands to delete database logs
    • The SQL command is executed using the following format:
      sqlcmd.exe -S "{SQL_SERVER_PORT}" -E -Q "set nocount on;SQL_QUERY" -h -1 -W -o "OUTPUT_FILE"
    • Where:
      SQL_SERVER_PORT - SQL server protocol retrieved from config file
      OUTPUT_FILE - file to receive output from executed SQL command
      SQL_QUERY - hardcoded SQL queries
• Logs its activities in %Temp%\WRTU\ldksetup.tmp

(Note: %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.)

NOTES:

This malware must be set to be the default application to handle PDF files or was manually selected by the user to open a PDF file for it to proceed with its malicious routine. Either it is manually registered by the user thinking it is the legitimate Foxit Reader or it has a dropper that registers it as part of its routine.