Full Report
Last month, we presented “The Evolution of Webinject” in Seattle at the 24th Virus Bulletin conference. This blog post will go over its key findings and provide links to the various material that has been released in the last few weeks.
Analysis Summary
# Tool/Technique: Webinject Kits (ATSEngine and Injeria Platform)
## Overview
Webinjects are the mechanism Man-in-the-Browser (MitB) banking trojans use to alter the content of a web page as it is displayed to a user on an infected computer. The trojan hooks the browser's own networking functions, so the modification happens after TLS decryption and before rendering: the page still shows the bank's genuine address and certificate. Typically the trojan inserts HTML and JavaScript into the server response to add form fields, capture what the victim types, or drive transactions inside the authenticated session, leading to phishing-style data theft or automated fraudulent transfers. The article discusses the evolution and commoditization of these webinjects and highlights two popular kits, ATSEngine and the Injeria platform.
## Technical Details
- Type: Technique/Framework components (ATSEngine and Injeria are kits/platforms for building webinjects; they are sold to and used by several banking trojan families rather than being malware families themselves)
- Platform: Web browsers on the infected desktop. Windows is the usual target of the banking trojans that carry these injects; more advanced packages also bundle Android components for the victim's phone.
- Capabilities: Altering displayed web content, stealing personal information via injected form fields, automating fraudulent transfers, evading two-factor authentication.
- First Seen: Webinjects predate these kits; the paper on their evolution, "The Evolution of Webinject", was presented at VB2014 in Seattle (September 2014) and the blog post summarised here followed in October 2014.
## MITRE ATT&CK Mapping
*Note: The kits are injection frameworks carried by MitB trojans, so the mapping covers what the injected content does inside the browser session; installation, persistence and command-and-control belong to the carrier trojan and are not described in the summary.*
- **TA0009 - Collection**
- T1185 - Browser Session Hijacking (Man-in-the-Browser modification of pages and use of the victim's authenticated session)
- **TA0006 - Credential Access**
- T1056.003 - Input Capture: Web Portal Capture (extra fields injected into the bank's own forms to harvest card numbers, PINs and one-time codes)
- T1111 - Multi-Factor Authentication Interception (the 2FA evasion components)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (obfuscated inject scripts and encrypted bot configurations)
- **TA0040 - Impact** (indirectly: ATT&CK has no technique for financial fraud, but the automated transfers are the end goal)
## Functionality
### Core Capabilities
- **Content Modification:** Injecting malicious scripts (like JavaScript) into legitimate banking websites viewed by the victim.
- **Data Harvesting:** Creating extra form fields on bank websites to trick users into inputting sensitive information (e.g., card numbers, PINs).
- **Transaction Automation:** Complex scripts designed to automatically initiate fraudulent transfers from the victim's account to mule accounts.
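The three capabilities above all start from the same mechanism: the bot carries a configuration that says which URLs to touch and what to insert where, and rewrites the server response before the browser renders it. The following is an added example, not code from the paper or from either kit, that parses the ZeuS-style block format (set_url / data_before / data_inject / data_after / data_end, the format most commodity injects are written in) and applies one constructed rule to a constructed login page. Only the `*` wildcard and the G (GET) and P (POST) flags are handled; the bank host, page and field names are invented for the demo.

```python
"""ZeuS-style webinject configuration: parse it and apply it to a page.

Added example, not code from the ESET paper or from either kit. The config
and the page below are constructed for the demo. Only the '*' wildcard and
the G (GET) / P (POST) flags of the format are handled.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    before: str = ""   # data_before: anchor text to find in the page ('*' = wildcard)
    inject: str = ""   # data_inject: HTML/JS inserted after the anchor
    after: str = ""    # data_after: if set, everything up to this text is replaced


@dataclass
class Target:
    url: str           # set_url pattern ('*' = wildcard)
    flags: str         # G = apply on GET, P = apply on POST; other letters ignored here
    rules: list = field(default_factory=list)


def wildcard_re(pattern: str) -> re.Pattern:
    """Turn a webinject pattern into a regex: '*' matches anything, lazily."""
    return re.compile(re.escape(pattern).replace(r"\*", ".*?"), re.DOTALL)


def parse_webinjects(text: str) -> list:
    """Parse the set_url / data_before / data_inject / data_after / data_end format."""
    targets, section, buf = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url"):
            parts = line.split(None, 2)
            targets.append(Target(url=parts[1], flags=parts[2] if len(parts) > 2 else "GP"))
        elif line in ("data_before", "data_inject", "data_after"):
            if not targets:
                raise ValueError(f"{line} before any set_url")
            # each data_before opens a new before/inject/after triple for the current URL
            if line == "data_before" or not targets[-1].rules:
                targets[-1].rules.append(Rule())
            section, buf = line[5:], []
        elif line == "data_end":
            if section is None:
                raise ValueError("data_end outside a data_* block")
            setattr(targets[-1].rules[-1], section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(raw)
    return targets


def apply_rules(html: str, target: Target) -> str:
    """Insert each rule's inject text where data_before (and data_after) match."""
    for r in target.rules:
        m = wildcard_re(r.before).search(html) if r.before else None
        if r.before and m is None:
            continue                       # anchor not on this page: inject nothing
        start = m.end() if m else 0
        if r.after:
            a = wildcard_re(r.after).search(html, start)
            if a is None:
                continue
            html = html[:start] + r.inject + html[a.start():]   # replace the span between
        else:
            html = html[:start] + r.inject + html[start:]
    return html


def inject_page(config_text: str, url: str, html: str, method: str = "GET") -> str:
    """What the bot does to a server response for `url` before the browser renders it."""
    for t in parse_webinjects(config_text):
        if wildcard_re(t.url).fullmatch(url) and method[0].upper() in t.flags:
            html = apply_rules(html, t)
    return html


# Constructed sample config: add an "ATM PIN" field after the bank's password box.
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
<input*name="password"*>
data_end
data_inject
<label>ATM PIN <input type="password" name="pin" maxlength="4"></label>
data_end
data_after
data_end
"""

# Constructed sample page as the bank would serve it.
SAMPLE_PAGE = """<html><body><form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="password">
<button>Sign in</button>
</form></body></html>"""

if __name__ == "__main__":
    print(inject_page(SAMPLE_CONFIG, "https://bank.example/login?lang=en", SAMPLE_PAGE))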
### Advanced Features
- **Bundling Android Malware:** Some contemporary versions of the inject packages include components for Android devices.
- **Administrative Panels:** Inclusion of an administration panel for the sellers/customers of these kits.
- **2FA Evasion:** Sophisticated components designed to bypass or circumvent established bank two-factor authentication systems.
## Indicators of Compromise
*Note: The article focuses on the framework/kit philosophy rather than specific current IOCs for a single malware campaign. No specific IOCs were provided in the summary text.*
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (These kits leverage the structure of legitimate banking sites).
- Behavioral Indicators: Unapproved modification of browser content in memory or post-load state; attempts to collect structured data via injected forms.
## Associated Threat Actors
- Cybercriminals selling and utilizing commoditized banking trojans.
- Groups using banking trojans employing Man-in-the-Browser (MitB) capabilities.
- Specific malware families known to use these kits (mentioned as 7 different families observed using ATSEngine or Injeria).
## Detection Methods
*Note: Detection focuses on the behaviour of the banking trojans that carry these kits; the injected content itself arrives inside the bot's configuration.*
- Signature-based detection: Signatures for webinject configuration files that follow the known structure of ATSEngine or Injeria packages. The underlying ZeuS-style block format (set_url, data_before, data_inject, data_after, data_end) is shared by many families, so a match on the format alone identifies a webinject config, not a particular kit.
- Behavioral detection: Monitoring for manipulation of the browser process (hooks placed on its networking functions) and for form data submitted from a banking page to hosts that are not the bank's.
- YARA rules: Rules can target strings unique to the kits' inject scripts (script function names, gate URL patterns, configuration keys) rather than the generic block format.
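The second bullet, form data leaving a banking page for a foreign host, and the behavioural indicator of structured data collected through injected forms can both be checked against HTTP telemetry. The following added example, not from the paper, runs two such rules over constructed browser request log lines: a POST whose referer is a bank page but whose destination is not the bank, and a POST to the bank carrying field names the bank's form never had. The log format, the hosts and the EXPECTED_FIELDS allowlist are invented for the demo.

```python
"""Flag webinject-style behaviour in browser request logs.

Added example, not from the paper. The log format, the host names and the
EXPECTED_FIELDS allowlist are constructed for the demo; a real deployment
would take these fields from proxy/EDR HTTP telemetry or from the bank's
own server-side request logs.
"""
import re
from urllib.parse import urlsplit

# Fields each bank form legitimately submits (hypothetical allowlist).
EXPECTED_FIELDS = {
    "bank.example": {
        "/login": {"user", "password", "otp"},
        "/transfer": {"to_account", "amount", "otp"},
    },
}
BANK_HOSTS = set(EXPECTED_FIELDS)

# Constructed log line shape: time process METHOD url [referer=...] [fields=a,b,c]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+)"
    r"(?: referer=(?P<ref>\S+))?(?: fields=(?P<fields>\S+))?$"
)


def parse_line(line: str):
    """Return a dict for a well-formed log line, None otherwise."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["fields"] = set(rec["fields"].split(",")) if rec["fields"] else set()
    return rec


def analyse(lines):
    """Return (kind, timestamp, detail) findings for POSTs that look webinject-driven."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        url = urlsplit(rec["url"])
        ref_host = urlsplit(rec["ref"]).hostname if rec["ref"] else None
        # 1. Form data leaving a banking page for a host that is not the bank:
        #    the beacon an injected script sends to the kit's gate.
        if ref_host in BANK_HOSTS and url.hostname not in BANK_HOSTS:
            findings.append(("exfil", rec["ts"],
                             f"{sorted(rec['fields'])} from {ref_host} posted to {url.hostname}"))
        # 2. A submission to the bank carrying fields the bank's form never had:
        #    evidence of an injected form (the bank's server sees this too).
        expected = EXPECTED_FIELDS.get(url.hostname, {}).get(url.path)
        if expected is not None:
            extra = rec["fields"] - expected
            if extra:
                findings.append(("injected_fields", rec["ts"],
                                 f"{url.path} received unexpected {sorted(extra)}"))
    return findings


# Constructed sample session on an infected host.
SAMPLE_LOG = """\
2014-10-02T10:15:01Z browser.exe GET https://bank.example/login
2014-10-02T10:15:09Z browser.exe POST https://bank.example/login fields=user,password,pin
2014-10-02T10:15:10Z browser.exe POST https://stat-cdn.example/gate.php referer=https://bank.example/login fields=user,password,pin
2014-10-02T10:16:40Z browser.exe POST https://bank.example/transfer fields=to_account,amount,otp
2014-10-02T10:16:41Z browser.exe POST https://analytics.example/collect referer=https://news.example/ fields=event
""".splitlines()

if __name__ == "__main__":
    for kind, ts, detail in analyse(SAMPLE_LOG):
        print(kind, ts, detail)
```

Rule 1 only sees beacons that the injected script itself sends from the browser; when the bot harvests the fields inside the browser process and ships them over its own C2 channel, nothing leaves the bank page in the proxy log. Rule 2 does not depend on that, and the bank's server side can apply it directly, since it receives a POST carrying a field its form never rendered; that is why the second rule is the more reliable of the two.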
## Mitigation Strategies
- **Strong Anti-Malware/Endpoint Protection:** Robust protection capable of detecting and blocking MitB trojans.
- **Browser Hardening:** Using modern, updated browsers, avoiding outdated plugins, and employing browser protection extensions.
- **Security Awareness Training:** Educating users about suspicious form fields appearing on known secure banking sites.
- **MFA Enforcement:** Credentials and one-time codes that the victim types into the browser can be harvested by an injected form and used within the code's validity window; that is exactly what the kits' 2FA evasion components do. Out-of-band transaction signing that shows the destination account and amount on a separate device, so the code is bound to the transaction the victim actually approves, resists webinjects in a way that plain login OTPs do not.
## Related Tools/Techniques
- Man-in-the-Browser (MitB) Banking Trojans (e.g., Zeus, Citadel successors).
- Generic Web Inject technology.