We recently identified a little-known Windows malware platform that has been in circulation for some time, but was never previously recognized for its financial fraud capabilities. We named it Sunspot.
It is currently targeting North American financial institutions and has already achieved SpyEye and Zeus-like infection rates in some regions. There are confirmed fraud losses associated with Sunspot, so the threat is real. Sunspot is another example of the growing list of financial malware that is flooding the Internet. In addition to Sunspot, Trusteer alone has discovered several malware platforms over the past 18 months, including Silon, OddJob and several others.
Sunspot targets 32-bit and 64-bit Windows platforms from Windows XP through Windows 7, and is capable of installing under both non-administrator and administrator accounts. Once installed, it targets the Internet Explorer and Firefox browsers. This is a very modern malware platform with sophisticated fraud capabilities. Equally concerning, the detection rate for Sunspot by leading anti-virus programs is painfully low. According to a VirusTotal analysis, only nine of the 42 anti-virus programs tested, or 21%, currently detect Sunspot.
It can carry out man-in-the-browser attacks including web injections, page grabbing, key-logging and screen shooting (which captures screenshots of the mouse vicinity as a user types his/her password on a virtual keyboard). We were able to decrypt and analyze its configuration, which includes instructions to execute the following fraud-focused actions:
- "Grab" account balance figures, last login date, etc.
- Request additional online banking details from the user (such as the full security PIN/password, answers to secret questions)
- Request payment card information (card number, ATM PIN, CVV, expiration date)
- Request personal information (driver's license, mother's maiden name, date of birth)
- Take screenshots of the mouse vicinity as the user types his/her password on a virtual keyboard (screen shooting)
We traced the Sunspot Command and Control Server (C&C) hostname to a domain registered in Russia. Once installed, Sunspot is started by "rundll32.exe", launched either from an entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or from an entry under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components. It uses CBT hooking to load its DLL into the browser (Internet Explorer/Firefox). Inside the browser it hooks several Wininet/NSPR4/user32 functions for web injections, page grabbing and key-logging.
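The two autostart locations named above are easy to audit on an endpoint. The following PowerShell script is an added example written for this post, not Trusteer's tooling or anything recovered from Sunspot itself: it enumerates the HKCU Run key and the HKLM Active Setup components and flags any entry that starts rundll32.exe with a DLL located outside %SystemRoot%. The "DLL outside the Windows directory" rule is an assumed heuristic for spotting a user-writable drop location, not a Sunspot signature, and the HKLM branch needs an elevated prompt to read reliably.

```powershell
# Added example (not from the original post): audit the Run key and Active Setup
# locations described above for rundll32.exe entries loading a DLL from outside
# %SystemRoot%. Heuristic only; review every hit by hand.

$systemRoot = $env:SystemRoot   # e.g. C:\Windows

$locations = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';            ActiveSetup = $false },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components';     ActiveSetup = $true  }
)

function Test-SuspiciousRundll32 {
    param([string]$Command)
    if (-not $Command -or $Command -notmatch 'rundll32(\.exe)?') { return $false }
    # rundll32 is invoked as: rundll32.exe <dll path>,<export> [args]
    # Strip everything up to and including the executable name, then take the DLL token.
    $after = $Command -replace '^.*rundll32(\.exe)?["\s]*', ''
    $dll   = ($after -split ',')[0].Trim().Trim('"')
    if (-not $dll) { return $false }
    # Expand %SystemRoot%-style variables so the comparison below is on a real path
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    return -not $dll.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)
}

foreach ($loc in $locations) {
    if (-not (Test-Path $loc.Path)) { continue }

    if ($loc.ActiveSetup) {
        # Active Setup: each component is a subkey whose StubPath value is run at logon
        Get-ChildItem $loc.Path | ForEach-Object {
            $stub = (Get-ItemProperty $_.PSPath).StubPath
            if (Test-SuspiciousRundll32 $stub) {
                [pscustomobject]@{ Location = $_.PSPath; Command = $stub }
            }
        }
    } else {
        # Run key: every value name is an autostart entry, its data is the command line
        (Get-ItemProperty $loc.Path).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                if (Test-SuspiciousRundll32 ([string]$_.Value)) {
                    [pscustomobject]@{ Location = "$($loc.Path)\$($_.Name)"; Command = $_.Value }
                }
            }
    }
}
```

Legitimate Active Setup stubs also use rundll32.exe, but they normally reference DLLs under %SystemRoot%, which is why the check keys on the DLL path rather than on the presence of rundll32 alone. Any hit pointing into a user profile or temp directory deserves a closer look, and the same logic ports directly to a registry export or an EDR registry-event feed for fleet-wide sweeps.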
Sunspot is interesting for two reasons. First, it reveals a new approach to financial malware development. Unlike purpose-built financial fraud platforms like Zeus, SpyEye, Bugat, and others, it appears Sunspot was not originally developed as crimeware. If this is the case, we could be witnessing a sea change in malware development, where general-purpose and little-known malware platforms are re-programmed to carry out financial fraud. This will make it even more difficult to defend against attacks, since banks will be ambushed by a growing number of unique financial malware platforms.
Second, Sunspot illustrates an increasing emphasis by crimeware authors on payment card theft. We are seeing more and more malware asking victims for their credit and debit card information together with additional identifiable information. This allows criminals to commit card-not-present fraud on the Internet, and also makes it more difficult for banks to identify the source of fraudulent transactions, since they cannot trace them back to a specific computer. We believe that a significant percentage of fraudulent card-not-present transactions today originate from malware.
The takeaway for financial institutions from Sunspot remains the same. A layered security approach that combines server-side and client-side zero-day attack protection is the most effective way to protect users against crimeware, since anti-virus programs are lagging way behind in their ability to detect these programs.