LdPinch is patching malware with kernel capabilities. The variant analyzed here installs a kernel driver (C:\Windows\system32\java2.sys) which hooks several SSDT functions. These hooks are used to inject a DLL (C:\Windows\system32\snjava.dll) into user-space processes such as Internet Explorer, and to hide the malware's own files. Once injected into Internet Explorer, the DLL hooks several WinInet functions (in user space) in order to monitor and manipulate browser traffic. This way, LdPinch is able to intercept every POST request the user makes. It also modifies HTML pages from targeted bank websites so that they request additional information from the user. The spoofed pages are available to LdPinch through a configuration file. The variant inspected contained pages for the following domains:

  • co-operativebank.co.uk
  • halifax-online.co.uk
  • hsbc.com
  • hsbc.co.uk
  • lloydstsb.co.uk
  • nationet.com
  • nwolb.com
  • smile.co.uk
  • barclays.co.uk

POST requests are collected (the POST body, which typically contains user credentials, together with the window title, the current page, and the submission target) and are sent immediately to a C&C server over HTTP.

Additional functionality (non-browser related) includes hosting an open HTTP proxy and an open SOCKS proxy.
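As an added example (not part of Trusteer's analysis or tooling), the following Python sketches the two user-space checks a responder would run on a host suspected of this infection: whether the entry points of WinInet exports have been overwritten with a detour that leaves wininet.dll's own image (the symptom of the injected DLL hooking them), and whether the dropped driver and DLL named above are present on disk. The export names, module base, and prologue byte strings are constructed assumptions; the page only says "several WinInet functions" and does not list them. On a live host the bytes would be read from the browser process; here they are embedded so the script runs offline.

```python
"""Heuristic checks for the user-space symptoms described above:
  - a detour written over the entry of a WinInet export (inline hook)
  - the dropped driver and DLL present on disk
Added example, not Trusteer's code. All addresses and bytes are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

# File indicators taken from the analysis above (compared case-insensitively).
LDPINCH_PATHS = [r"c:\windows\system32\java2.sys",
                 r"c:\windows\system32\snjava.dll"]

# Assumed exports to inspect; the page does not name the hooked functions.
WININET_EXPORTS = ["HttpSendRequestA", "HttpSendRequestW", "InternetWriteFile"]

# Constructed image range for wininet.dll (real values come from the process).
WININET_BASE = 0x76300000
WININET_SIZE = 0x00100000


def classify_prologue(addr: int, code: bytes) -> Optional[dict]:
    """Return a description of the control transfer if the first bytes of the
    function at `addr` are an unconditional jump, else None (normal prologue).
    Recognised detour shapes: E9 rel32 (jmp), FF 25 disp32 (jmp [mem]),
    68 imm32 C3 (push/ret)."""
    if len(code) < 5:
        return None
    if code[0] == 0xE9:                      # jmp rel32: target = next insn + rel
        rel = struct.unpack("<i", code[1:5])[0]
        return {"kind": "jmp_rel32", "target": (addr + 5 + rel) & 0xFFFFFFFF}
    if code[0] == 0xFF and code[1] == 0x25 and len(code) >= 6:
        slot = struct.unpack("<I", code[2:6])[0]   # address of the pointer slot
        return {"kind": "jmp_indirect", "target": slot}
    if code[0] == 0x68 and len(code) >= 6 and code[5] == 0xC3:
        imm = struct.unpack("<I", code[1:5])[0]
        return {"kind": "push_ret", "target": imm}
    return None


def target_in_module(target: int, base: int, size: int) -> bool:
    return base <= target < base + size


def scan_exports(exports: Dict[str, Tuple[int, bytes]],
                 base: int, size: int) -> List[Tuple[str, str, int]]:
    """exports maps name -> (address, first bytes). An export whose entry
    transfers control outside wininet.dll's own image is reported; a jump that
    stays inside the module (e.g. a compiler thunk) is not."""
    findings = []
    for name, (addr, code) in exports.items():
        detour = classify_prologue(addr, code)
        if detour and not target_in_module(detour["target"], base, size):
            findings.append((name, detour["kind"], detour["target"]))
    return findings


def find_dropped_files(present_paths: List[str]) -> List[str]:
    """Match a directory listing against the dropped-file indicators."""
    wanted = {p.lower() for p in LDPINCH_PATHS}
    return sorted(p for p in present_paths if p.lower() in wanted)


def build_sample_exports() -> Dict[str, Tuple[int, bytes]]:
    """Constructed process memory: one clean export and two hooked ones."""
    clean_addr = WININET_BASE + 0x10000
    hooked_addr = WININET_BASE + 0x12000
    foreign = 0x10001000                    # constructed address inside snjava.dll
    rel = foreign - (hooked_addr + 5)       # rel32 for a jmp landing at `foreign`
    return {
        # mov edi,edi; push ebp; mov ebp,esp: the usual hot-patchable prologue
        WININET_EXPORTS[0]: (clean_addr, bytes.fromhex("8BFF558BEC")),
        # E9 rel32 detour into the foreign module
        WININET_EXPORTS[1]: (hooked_addr, b"\xE9" + struct.pack("<i", rel)),
        # push imm32 / ret detour into the foreign module
        WININET_EXPORTS[2]: (hooked_addr + 0x40,
                             b"\x68" + struct.pack("<I", foreign + 0x1000) + b"\xC3"),
    }


if __name__ == "__main__":
    for name, kind, target in scan_exports(build_sample_exports(),
                                           WININET_BASE, WININET_SIZE):
        print(f"{name}: entry {kind} -> 0x{target:08X} (outside wininet.dll)")
    listing = [r"C:\Windows\System32\java2.sys", r"C:\Windows\System32\kernel32.dll"]
    print("dropped files present:", find_dropped_files(listing))
```

The prologue check only catches entry-point detours; a hook that patches deeper in the function, or the IAT of the calling module, needs a separate comparison of the in-memory image against the on-disk wininet.dll. The file check is the cheap confirmation once the kernel driver's file hiding has been bypassed (e.g. from an offline image), since the SSDT hooks described above hide these paths from a live listing.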

Analysis is based on a file whose MD5 hash is 0c894cb5f07b612fb85079b3821f9b8c.

Copyright ©2011 Trusteer. All Rights Reserved.