This article was written in collaboration with my colleague Jean-Ian Boutin.

The Wigon botnet (also known as Cutwail) is being used in a massive spam campaign. A multitude of ruses are used to get the user to click on a link: fake LinkedIn or Facebook notifications, free Windows licenses, fake deliveries etc. The links are pointing to the Blackhole exploit kit which attempts to install malware on the computer via unpatched security flaws. The kit attempts to use the recently added exploit CVE-2011-3544 for Java. A lot of systems have not yet been patched for this vulnerability leaving them at risk of being compromised; screenshots of Blackhole panels published by french malware researchers Xylitol and Malekal show that this vulnerability account for over 80% of the succesful infections.

The following screenshot shows a part of the decompiled code of the Java applet used by Blackhole which is exploiting the flaw.

One of the file dropped through this spam campaign is a SpyEye sample detected as Win32/Spy.SpyEye Trojan by ESET. This banking trojan was configured to steal banking information from clients of BAWAG PSK, the fourth largest bank in Austria. Once a computer is infected, the malware has the ability to change the webpages content seen by the user when visiting BAWAG eBanking services. The following screenshots show that the phishing warning as well as the bank contact information is removed from the login page by the malware .

Once the user logs in, his personal information is stored and sent to the C&C server. According to the SpyEye tracker, the C&C server used by this sample is still online and is hosted in Azerbaijan.

An obfuscated JavaScript is inserted in the eBanking webpage and is used to transfer money from the user account to the cybercriminal account. This script has also the ability to hide operations that were done on the user account by modifying the content of the account balance and transfer history. The following screenshot shows a code snippet used to modify the account balance in order to hide a transfer that has already occurred.

Finally, here is a screenshot showing the code used to send status information when a successful transfer occurs.

BAWAG PSK has been notified of this targeted attack. As always we advise our readers not to click links in spam or suspicious messages and to keep their installed software and antivirus up to date.

SpyEye sample MD5 Hash : 4c5698ea403be8300d26dbc6bb16f302