Into the Mind of a RAT operator

Both Dyre and Dridex Trojans now use a combination of local redirection and RAT to effectively escape detection by current anti-fraud and security tools, but Uri Rivner says real-time behaviour analysis can still spot the bad guys.

Uri Rivner, VP of business development and cyber strategy, BioCatch

Captain Kirk's Secret Mission

Captain Kirk was acting strangely. First he snapped at everyone on the Enterprise bridge, then gave a direct order to enter the Neutral Zone, an open act of war. Soon the ship was surrounded by angry Romulan spacecraft. The same thought passed through every crew member's head: Kirk has finally gone mad. Refusing shore leave time after time had finally taken its toll...

The reason for the madness? In this specific episode of Star Trek's third season, Captain Kirk was actually working under secret orders to capture and bring back a highly classified piece of technology: the Cloaking Device.

The Romulans were not the only ones with this super-stealthy capability, designed to make an entire spaceship invisible. The Klingons had it too. In fact, it seemed like everyone except the good guys was able to hide their fighting force.

What does all of this have to do with cyber-security?

This is the exact Dyre situation (pun intended) that banks worldwide face today. Cyber-criminals have a near-perfect cloaking device that makes them invisible to the most sophisticated anti-fraud and anti-malware tools: a Remote Administration Tool, or RAT.

Dyre Times

RATs are essentially the same tools a helpdesk uses to support remote users whose PCs need attention. In the helpdesk case the user knows the machine is being controlled remotely and can watch it happen, the mouse moving on its own, for instance. Victims of the infamous Dyre Trojan, the most sinister piece of malware this side of the galaxy, see nothing at all. Even bank security teams trying to catch Dyre operators are failing.

Dyre itself, operated by a highly sophisticated cyber-gang, is quite advanced, and has been dubbed by some malware researchers the most dangerous Trojan yet seen. But it's the use of VNC, a decades-old remote administration protocol, that lets it slip past the existing defences.

To conduct a fraudulent online banking money transfer, Trojan operators need to defeat two main lines of defence. The first is dynamic malware detection, a sort of radar that detects unwarranted code injections into the browser. Most banks have this server-side defence in place, as it's highly effective against attacks such as Man in the Browser (MITB), in which the Trojan waits until you log in, and then automatically transfers money from your account. It's also effective against manipulations, such as injecting new fields, presenting fake pages, and anything else that changes the user interface to trick users into providing challenge-response information, such as one-time passwords and transaction authorisation codes.
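As an added illustration (not code from the original article, from BioCatch or from any bank's product) of what this first line of defence looks for, the Python below diffs a snapshot of the login form as the victim's browser actually rendered it against the form the bank served. The HTML samples, the injected field names and the attacker script URL are constructed for the example; the hypothetical client-side script and endpoint that post the snapshot back to the bank are assumed, not shown. The last call makes the point the article goes on to make: an untouched form produces no findings, so this layer alone sees nothing when the page is driven over a RAT.

```python
"""Server-side check for browser code injection (MITB-style) on a login page.

Added illustration, not the article's own code or any vendor's product.
Assumes the bank's page carries a small client-side script that posts a
snapshot of the rendered login form back to a hypothetical /integrity
endpoint; the server diffs that snapshot against the template it served.
All HTML below is constructed sample data.
"""
from html.parser import HTMLParser

# The form exactly as the bank serves it (constructed sample).
SERVED_LOGIN_FORM = """
<form id="login" action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="csrf" type="hidden">
  <button type="submit">Log in</button>
</form>
<script src="/static/bank.js"></script>
"""

# The same form as an infected browser renders it: the Trojan has injected
# fields asking for a one-time password and a card PIN, plus a script pulled
# from an attacker host (constructed sample; 203.0.113.7 is a documentation
# address, not a real indicator).
INJECTED_LOGIN_FORM = """
<form id="login" action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="csrf" type="hidden">
  <input name="otp" type="text">
  <input name="card_pin" type="password">
  <button type="submit">Log in</button>
</form>
<script src="/static/bank.js"></script>
<script src="http://203.0.113.7/inj.js"></script>
"""


class FormSnapshot(HTMLParser):
    """Collects the security-relevant parts of a page: input fields,
    form actions and external script sources."""

    def __init__(self):
        super().__init__()
        self.inputs = set()   # (name, type) of every <input>
        self.actions = set()  # action attribute of every <form>
        self.scripts = set()  # src attribute of every <script src=...>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            self.inputs.add((a.get("name"), a.get("type", "text")))
        elif tag == "form":
            self.actions.add(a.get("action"))
        elif tag == "script" and a.get("src"):
            self.scripts.add(a["src"])


def snapshot(html):
    parser = FormSnapshot()
    parser.feed(html)
    return parser


def injection_findings(served_html, rendered_html):
    """Return (kind, detail) anomalies: anything in the rendered page that
    the server did not put there. An empty list means the browser showed
    the page exactly as served."""
    served, rendered = snapshot(served_html), snapshot(rendered_html)
    findings = []
    for name, typ in sorted(rendered.inputs - served.inputs, key=str):
        findings.append(("injected_field", f"{name} ({typ})"))
    for action in sorted(rendered.actions - served.actions, key=str):
        findings.append(("changed_form_action", action))
    for src in sorted(rendered.scripts - served.scripts):
        findings.append(("foreign_script", src))
    return findings


if __name__ == "__main__":
    print(injection_findings(SERVED_LOGIN_FORM, INJECTED_LOGIN_FORM))
    # A session driven over VNC submits the untouched form: nothing to
    # report, which is exactly why this layer alone cannot see a RAT operator.
    print(injection_findings(SERVED_LOGIN_FORM, SERVED_LOGIN_FORM))
```

The check only covers what the snapshot carries (fields, actions, script sources); a Trojan that merely reads what the user types, or a local redirect to a spoofed site that never loads the bank's script at all, leaves this list empty.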

Dyre sidesteps all of this by locally redirecting the user's browser to a spoofed website, where the user is asked to provide exactly that information. The site is under the operator's control and is never seen by the malware defence layer, leaving the user exposed and talking directly to the bad guys. The data collected is then used by the fraudster to set up a payment, sometimes immediately, depending on the specific controls the bank uses.

The money transfer, however, is trickier because of a second line of defence that virtually all banks deploy: device recognition. Originally developed to stop phishing and simple credential-stealing Trojans, device recognition tells the bank that this money transfer is coming from a new device. Couple that with the fact that the transfer goes to a new destination, and you've got a highly suspicious transaction.

The Dyre operators know that if they use their own device to make the money transfer, chances are it will be spotted as anomalous. And if they try to automate the transfer, the dynamic malware detection will catch them.

Enter cloaking device

First, the fraudsters switch off all active malware components, making sure the Trojan can't be tricked into revealing itself. Then, using the information gathered from the victim, they connect over VNC and operate the user's legitimate device remotely. In practice they drive the victim's mouse and keyboard: whatever they do shows up as input generated locally on the victim's device, exactly as in a remote helpdesk session. All the bank sees is a session coming from the regular user's PC, with no automated scripts and no code injections. The Dyre operator is invisible to both device recognition and malware detection.

Many banks hit by Dyre believe their existing malware detection tool can't detect the Trojan because it's stealthier and more advanced than regular Trojans. In fact it's the clever combination of two stealth factors, local redirection and RAT, that makes it so effective.

Meet the Dyre Operator

However, just like in Star Trek, the good guys are hardly sitting idle. Banks in the UK and US are now tracking Dyre operators using a novel behind-the-scenes behavioural biometric technology that can analyse the user's behaviour throughout the entire session, spot anomalous interaction patterns that are not in line with regular user habits, and reveal remotely controlled sessions in real-time.

One of these banks, a top-five UK retail bank, experienced a wave of Dyre attacks last June. The attack came in two phases. In the first phase the attacker waited until the user logged in, then redirected the user to a spoofed site, where instructions were displayed that caused a brief distraction. The fraudster used this time to 'ride' the open session and change the phone number on record, so that later, when he returned to the victim's account to make a transfer, the bank's out-of-band authentication would be sent to the fraudster's phone.

Many banks have a mandatory cool-off period after a change of phone number so that fraudsters can't immediately make a money transfer. So the fraudsters simply wait, an average of 1.5 weeks, then put on the cloaking device: deactivate all malware components and use the VNC back-connect capability to take over the user's device. They log in with the static credentials stolen in the first session and transfer thousands of pounds from the account. The out-of-band authentication is passed easily, because the bank now sends it to the phone the fraudster registered.

The Dyre operators staged many additional attacks in June, using the exact same method each time. The bank's device recognition layer continued to report that all was well, since the money transfer appeared to come from a legitimate device. The malware detection tool did not spot anything unusual either, because a RAT works at the operating-system level, driving the input devices, rather than manipulating the browser.

Analysing the individual attacks second by second is where things got really interesting.

All of the attacks used a RAT capability, which the bank could spot by analysing subtle distortions in the user's hand-eye coordination. It also appeared that a specific Dyre operator, a single human being, was behind a large number of attacks. That person acted in a highly distinct manner, moving between fields in a certain way and using uncommon shortcuts, and, as the analysis of hundreds of behavioural and cognitive parameters showed, left a distinctive digital fingerprint in all of the fraud sessions.

The bank's fraud team found this particular discovery very interesting. All of the fraud cases came from different devices, different IP addresses, and different destination accounts; there was nothing that could link all of them to a single criminal. But this new analysis shed light on the fact that all of these attacks were conducted by the same person.
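The two findings described above, a session that is being driven remotely and separate fraud sessions that trace back to one human operator, as an added and deliberately simplified illustration. This is not BioCatch's technology or the bank's actual analysis: three toy features stand in for the hundreds of parameters the article mentions, and every event stream is constructed by make_session rather than captured. It assumes the bank records, per session, timestamped mouse-movement samples and which form field received focus and how (mouse click or Tab key); the field names, timings and thresholds are all assumptions.

```python
"""Behavioural session analysis: flag a remotely driven session and link
fraud sessions that share one operator's habits.

Added illustration only; not BioCatch's technology or any bank's detection
logic. Features are simplified stand-ins; sessions are constructed data.
A session is a list of (timestamp_ms, kind, detail): kind "move" is a
mouse-movement sample, kind "focus" is a form field gaining focus, with
detail "<field>:<click|tab>" recording how the field was reached.
"""
import random
import statistics


def make_session(seed, gap_ms, jitter_ms, nav, order):
    """Constructed event stream: 40 mouse samples spaced gap_ms +/- jitter,
    then the given fields focused in order via nav ("click" or "tab")."""
    rnd = random.Random(seed)
    t, events = 0, []
    for _ in range(40):
        t += max(1, int(rnd.gauss(gap_ms, jitter_ms)))
        events.append((t, "move", ""))
    for field in order:
        t += 300
        events.append((t, "focus", f"{field}:{nav}"))
    return events


def features(events):
    """Toy features: spacing of mouse samples (input relayed over a VNC
    link arrives late and unevenly), the regularity of that spacing, how
    often fields are reached with Tab rather than the mouse, and the order
    in which fields were visited."""
    moves = [t for t, k, _ in events if k == "move"]
    gaps = [b - a for a, b in zip(moves, moves[1:])]
    mean_gap = statistics.mean(gaps)
    focus = [d for _, k, d in events if k == "focus"]
    return {
        "mean_gap": mean_gap,
        "gap_cv": statistics.pstdev(gaps) / mean_gap,
        "tab_ratio": sum(d.endswith(":tab") for d in focus) / len(focus),
        "order": tuple(d.split(":")[0] for d in focus),
    }


NUMERIC = ("mean_gap", "gap_cv", "tab_ratio")
RAT_THRESHOLD = 3.0  # assumed cut-off, in units of the profile's spread


def build_profile(sessions):
    """Per-feature mean and spread over a user's known-good sessions."""
    vals = {n: [features(s)[n] for s in sessions] for n in NUMERIC}
    return {n: (statistics.mean(v), statistics.pstdev(v)) for n, v in vals.items()}


def anomaly_score(profile, events):
    """Mean distance from the profile in units of its spread. The spread is
    floored so a very consistent user is not flagged for ordinary variation."""
    f = features(events)
    total = 0.0
    for n in NUMERIC:
        mean, sd = profile[n]
        total += abs(f[n] - mean) / max(sd, 0.1 * abs(mean), 0.05)
    return total / len(NUMERIC)


def is_remote_controlled(profile, events):
    return anomaly_score(profile, events) > RAT_THRESHOLD


def operator_signature(events):
    """Habits that follow the human at the keyboard rather than the victim's
    device or IP address: field order and reliance on keyboard shortcuts."""
    f = features(events)
    return (f["order"], round(f["tab_ratio"], 1))


def link_by_operator(sessions):
    """Group sessions (id -> events) that share an operator signature."""
    groups = {}
    for sid, events in sessions.items():
        groups.setdefault(operator_signature(events), []).append(sid)
    return groups


USER_ORDER = ("payee", "sort_code", "account", "amount", "reference")
OPERATOR_ORDER = ("amount", "payee", "account", "sort_code")

# The victim's own sessions: smooth local mouse sampling, clicks between fields.
HISTORY = [make_session(s, 16, 3, "click", USER_ORDER) for s in (1, 2, 3)]
# The same device driven over VNC: sparse, uneven mouse samples plus the
# operator's Tab habit and field order.
RAT_SESSION = make_session(10, 120, 70, "tab", OPERATOR_ORDER)
# Sessions on other victims' devices: two from the same operator, one genuine.
FRAUD = {
    "victim_a": RAT_SESSION,
    "victim_b": make_session(11, 110, 60, "tab", OPERATOR_ORDER),
    "victim_c_legit": make_session(12, 15, 3, "click", USER_ORDER),
}

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    print("remote-controlled:", is_remote_controlled(profile, RAT_SESSION))
    print("operator groups:", link_by_operator(FRAUD))
```

Note that nothing here looks at the device fingerprint or IP address: victim_a and victim_b are grouped purely on how the session was driven, which is the only thing the operator carries from one victim's machine to the next.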

The Dawn of a New Era

Dyre is not the only RAT-using Trojan out there. Dridex has been hitting many banks as well.

One of the largest commercial UK banks was plagued with Dridex throughout 2015. In this case the mode of operation was a bit different. The Dridex operators first displayed a fake page asking which smart card reader the customer used and, based on the answer, showed a series of social-engineering instructions for generating a one-time code. The attacker couldn't just use his own computer to commit the actual fraud, so he used a VNC-based RAT capability to piggyback on the session and send money from the victim's device, thus sidestepping the hardware token: the code was genuine, it was simply obtained from the victim and entered on the victim's own machine.

After a Dridex-related arrest, things went quiet for a while, but several months later Dridex returned with a vengeance. It is now staging a massive campaign against UK targets, and some banks report that it uses the same local redirection technique as Dyre. This means that, like Dyre, Dridex now has the perfect cloaking device, making it invisible to both device recognition and malware detection. Dyre may have pioneered this approach, but it's now out there for all cyber-criminals to adopt. With time, Trojans that do not offer this stealth combo will be out of business.

Putting up a good fight

The first Trojan attacks simply grabbed credentials so that fraudsters could log in later from their own computers; device recognition eventually closed that gap. The next wave used sophisticated automated scripts and code injections that stole dynamic data and even sent money without any human intervention; dynamic malware detection eventually answered that.

It's now the dawn of a Third Era: Trojans with perfect cloaking devices use a combination of local redirection and RAT to effectively escape detection by current anti-fraud and security tools. Banks must continue to put up a good fight and introduce new means to analyse user behaviours in real time, and catch the fraudsters in the act by detecting the unique characteristics and behaviours of the Trojan operators.

Contributed by Uri Rivner, VP of business development and cyber strategy, BioCatch