Security researchers have discovered malware that installs two drivers to take control of the victim's Windows system and to monitor the Internet traffic of the victim's web browser.
According to a blog post by researchers at Fortinet, the malware, dubbed iTranslator, is an executable signed with an invalid certificate. The itranslator_02.exe file is also known as "itransppa.exe", "itranslator20041_se.exe", "Setup.exe", and "itransVes.exe".
The malware creates a new folder named "itranslator" in the ProgramData folder and extracts a file named "wintrans.exe" into it. The "wintrans.exe" executable then takes over from "itranslator_02.exe", downloading and installing additional malicious components onto the victim's Windows system. It starts by installing a driver.
It creates a thread that calls two Windows service-control APIs, "OpenSCManagerA" and "CreateServiceA", to register a driver service. The service name, "iTranslatorSvc", is passed as a parameter to "CreateServiceA".
Wintrans.exe then extracts a file named "iTranslator" into the Windows directory. This file is protected with the VMProtect packer and is signed with an invalid certificate that expired in 2015. The malware then calls the API "StartServiceA" to load the malicious driver.
Researchers said the last job of "wintrans.exe" is to send the victim’s system information to the attacker’s server.
Xiaopeng Zhang, a security researcher at Fortinet, said that his analysis shows all of the extracted files together serve to mount a man-in-the-middle attack on the victim's system.
He said the file "iNetfilterSvc" is another driver, whose service name is "NetfilterSvc". It is actually an instance of a commercial project called NetFilter SDK, a framework for transparently filtering the data packets transmitted over the network on Windows. The extracted "Sample CA 2.cer" is a root certificate that is installed into Firefox and into the Windows certificate store, which both IE and Chrome use, as a trusted root certification authority.
"This is necessary to perform a man-in-the-middle attack secretly. This way, all certificates for SSL-protected communication from the victim's browsers are instead certificates signed by "Sample CA 2.cer". In this way, the browser won't warn the user, since "Sample CA 2.cer" is in the trusted Root Certification Authorities list," he said.
To delete the malware, users should restart the system in safe mode and delete a number of files and folders, including the file "%WINDIR%\iTranslator" and the folders "%WINDIR%\nss" and "%WINDIR%\SSL". Because "Sample CA 2.cer" has been added to the trusted root stores, removing the files alone is not enough: the rogue root certificate must also be removed from Windows and from Firefox, or any later interception using it will still pass without a browser warning. More details can be found on the blog.
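The following is an added example, not code from the Fortinet analysis or from the article: a read-only PowerShell hunt for the indicators described above, covering the driver services registered through "CreateServiceA" ("iTranslatorSvc" and "NetfilterSvc"), the dropped folders, and the "Sample CA 2" root certificate in the Windows trust stores. The service, folder and certificate names come from the text; the function name and the assumption that the certificate's subject contains "Sample CA 2" are this example's own.

```powershell
# Added example (not part of the original article or the Fortinet write-up).
# Read-only hunt for iTranslator indicators. Run elevated so the LocalMachine
# root store and the Windows directory can be read.
#Requires -RunAsAdministrator

$Indicators = @{
    # Service names from the analysis; "iTranslatorSvc" is the name passed to
    # CreateServiceA, "NetfilterSvc" is the NetFilter SDK driver.
    Services    = @('iTranslatorSvc', 'NetfilterSvc')
    # Folders dropped into ProgramData and the Windows directory.
    Paths       = @(
        (Join-Path $env:ProgramData 'itranslator'),
        (Join-Path $env:WINDIR 'iTranslator'),
        (Join-Path $env:WINDIR 'nss'),
        (Join-Path $env:WINDIR 'SSL')
    )
    # Assumption: the certificate's subject contains the name of the .cer file.
    CertSubject = 'Sample CA 2'
}

function Find-ITranslatorIndicators {
    $hits = [System.Collections.Generic.List[object]]::new()

    # 1. Driver services created via OpenSCManagerA/CreateServiceA are visible
    #    to the Service Control Manager. Kernel drivers appear in
    #    Win32_SystemDriver; fall back to Win32_Service in case the malware
    #    registered a user-mode service instead.
    foreach ($name in $Indicators.Services) {
        $svc = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if (-not $svc) {
            $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        }
        if ($svc) {
            $hits.Add([pscustomobject]@{
                Type = 'Service'; Name = $name; Detail = $svc.PathName; Where = $svc.State
            })
        }
    }

    # 2. Dropped folders. Listing their contents helps confirm it is the
    #    malware's drop and not an unrelated folder with the same name.
    foreach ($p in $Indicators.Paths) {
        if (Test-Path -LiteralPath $p) {
            $names = Get-ChildItem -LiteralPath $p -Force -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty Name
            $hits.Add([pscustomobject]@{
                Type = 'Path'; Name = $p; Detail = ($names -join ','); Where = 'filesystem'
            })
        }
    }

    # 3. The rogue root CA. Its presence in a Root store is what lets the
    #    interception proxy's forged leaf certificates pass validation in IE
    #    and Chrome without a warning. Firefox uses its own NSS store, which
    #    this check does not cover.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem $store |
            Where-Object { $_.Subject -like "*$($Indicators.CertSubject)*" } |
            ForEach-Object {
                $hits.Add([pscustomobject]@{
                    Type = 'RootCert'; Name = $_.Subject; Detail = $_.Thumbprint; Where = $store
                })
            }
    }

    return $hits
}

$found = Find-ITranslatorIndicators
if ($found.Count -eq 0) {
    'No iTranslator indicators found.'
} else {
    $found | Format-Table -AutoSize
}
```

The script only reports; removal should follow Fortinet's safe-mode procedure, since the NetFilter driver is loaded at boot and may resist deletion while active. A root certificate found in the Windows stores can be removed with Remove-Item on its Cert:\ path after the files are gone, and Firefox's copy has to be removed separately from each profile's certificate database (for example with the NSS certutil tool), because Firefox does not consult the Windows root store.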
Kevin Bocek, chief security strategist at Venafi, told SC Media UK that one of the most important steps in stopping MitM attacks is for organisations to gain control over all certificates on their network.
"Security teams need access to the right tools to enable discovery and automated responses to anomalous behaviour. This allows organisations to find and evaluate all certificates on their network to make sure they are secure and automatically remove any that have been compromised," he said.
Sean Sullivan, security advisor from F-Secure, told SC Media UK that the best way to avoid threats such as these is to educate employees on where to download software from and to provide intranet resources for trusted applications.
"When in doubt, an employee should contact IT before downloading anything. Also, good endpoint protection is a must, considering that people won’t always contact IT," he said.