ESET Research dissects Guildma: Most impactful and YouTube-abusing Latin American banking trojan

BRATISLAVA, PRAGUE – In the latest installment about Latin American banking trojans, ESET researchers take a deep look at the most impactful and advanced banking trojan we have seen in this series and in the region: Guildma. This malware specifically targets banking institutions and attempts to steal credentials for email accounts, e-shops and streaming services in Brazil. It affects at least 10 times as many victims as other Latin American banking trojans that ESET Research has analyzed. During its peak – a massive campaign in 2019 – ESET recorded up to 50,000 attacks per day. Guildma spreads exclusively via spam emails with malicious attachments.

In one of its latest versions, Guildma employs a new way of distributing command and control servers, abusing YouTube and Facebook profiles. However, the authors stopped using Facebook almost immediately and, at least at this time, are relying fully on YouTube.

“Guildma uses very innovative methods of execution and sophisticated attack techniques. The actual attack is orchestrated by its C&C server. This gives the authors greater flexibility to react to countermeasures implemented by the targeted banks,” explains Robert Šuman, the ESET researcher leading the team analyzing Guildma.

Guildma boasts a backdoor with multiple functionalities, including taking screenshots, capturing keystrokes, emulating keyboard and mouse, blocking shortcuts (such as disabling Alt + F4 to make it harder to get rid of fake windows it may display), downloading and executing files, and/or rebooting the machine. In addition, Guildma is very modular and currently consists of at least 10 modules. The malware uses tools already present on the machine and reuses its own techniques. “New techniques are added every once in a while, but for the most part, the developers seem to simply reuse techniques from older versions,” says Šuman.

In one of the earlier 2019 versions, Guildma added the capability to target institutions (mainly banks) outside of Brazil. Despite that, over the past 14 months, ESET has not observed any international campaigns outside Brazil. The attackers went as far as to block any downloads from non-Brazilian IP addresses.

Guildma campaigns were ramping up slowly until a massive campaign in August 2019, when ESET Research recorded up to 50,000 samples per day. This campaign went on for almost two months and accounted for more than double the number of detections seen in the 10 months prior.

First-stage Guildma detections since July 2019

The trojan has seemingly gone through many versions during its development, but there was usually very little development between versions due to its clunky architecture.

Distribution chain of Guildma in the latest version analyzed by ESET (150)

Guildma shares several prevailing characteristics of Latin American banking trojans. For more technical details, read the blog post Guildma: The devil drives electric on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET discovers Kr00k: Communications of a billion+ devices were at risk

BRATISLAVA, SAN FRANCISCO – February 26, 2020 – ESET researchers have discovered Kr00k (CVE-2019-15126), a previously unknown vulnerability in Wi-Fi chips used in many client devices, Wi-Fi access points and routers.

Kr00k is a vulnerability that causes the network communication of an affected device to be encrypted with an all-zero encryption key. In a successful attack, this allows an adversary to decrypt wireless network packets.

The discovery of Kr00k follows previous ESET research into the Amazon Echo being vulnerable to KRACKs (Key Reinstallation Attacks). Kr00k is related to KRACK, but is also fundamentally different. During the investigation into KRACK, ESET researchers identified Kr00k as one of the causes behind the “reinstallation” of an all-zero encryption key observed in tests for KRACK attacks. Subsequent to our research, most major device manufacturers have released patches.

Kr00k is particularly dangerous because it has affected over a billion Wi-Fi enabled devices – a conservative estimate.

ESET will publicly present its research into this vulnerability for the first time on February 26 at the RSA Conference 2020.

Kr00k affects all devices with Broadcom and Cypress Wi-Fi chips that remain unpatched. These are the most common Wi-Fi chips used in today’s client devices. Wi-Fi access points and routers are also affected by the vulnerability, making even environments with patched client devices vulnerable. ESET tested and confirmed that among the vulnerable devices were client devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3) and Xiaomi (Redmi), as well as access points by Asus and Huawei.

ESET responsibly disclosed the vulnerability to the chip manufacturers Broadcom and Cypress, who subsequently released patches. We also worked with the Industry Consortium for Advancement of Security on the Internet (ICASI) to ensure that all possibly affected parties – including affected device manufacturers using the vulnerable chips, as well as other possibly affected chip manufacturers – were aware of Kr00k. According to our information, devices by major manufacturers have now been patched.

“Kr00k manifests itself after Wi-Fi disassociations – which can happen naturally, for example due to a weak Wi-Fi signal, or may be manually triggered by an attacker. If an attack is successful, several kilobytes of potentially sensitive information can be exposed,” explains Miloš Čermák, the lead ESET researcher into the Kr00k vulnerability. “By repeatedly triggering disassociations, the attacker can capture a number of network packets with potentially sensitive data,” he adds.

Figure: An active attacker can trigger disassociations to capture and decrypt data.


“To protect yourself, as a user, make sure you have updated all your Wi-Fi capable devices, including phones, tablets, laptops, IoT smart devices, and Wi-Fi access points and routers, to the latest firmware version,” advises Robert Lipovský, an ESET researcher working with the Kr00k vulnerability research team. “Of great concern is that not only client devices, but also Wi-Fi access points and routers, have been affected by Kr00k. This greatly increases the attack surface, as an adversary can decrypt data that was transmitted by a vulnerable access point, which is often beyond your control, to your device, which doesn’t have to be vulnerable.”

For more technical details about Kr00k, read the white paper Kr00k – CVE-2019-15126 Serious vulnerability deep inside your Wi-Fi encryption and blogpost on WeLiveSecurity. Make sure to check out Kr00k in depth on its dedicated landing page and follow ESET Research on Twitter for the latest news from ESET Research.


