CSIS Blog: An update on the Hesperbanker BOTnet

Currently this malware family is targeting only a few European countries, but it’s very likely that the authors have plans to make this a prevalent and more widespread threat as they continue to develop and improve both the binary code as well as their backend systems.

Our friends at ESET (http://www.welivesecurity.com/2013/09/04/hesperbot-a-new-advanced-banking-trojan-in-the-wild/) were the first to spot this malware and dubbed it “Hesperbot”. We assume the name was chosen because of a string/reference found inside the binary dropper: “hesperus_core_entry”. We have decided to name it “Hesperbanker”.

In Greek mythology, Hesperus is the Evening Star, the planet Venus in the evening (http://en.wikipedia.org/wiki/Hesperus). Does that ring a bell? Some clues: ZeuS and Hermes … The code is distributed as both x86 and x64 Win32 binaries, as well as components for several smartphones.

Targeted countries based on campaign-IDs:
The current countries being targeted include Turkey, Portugal, Germany and the Czech Republic. Again, in the same manner as other crimekits, the different countries are marked with campaign-IDs, e.g. “tr-botnet”, “pt-botnet” etc.

Plugins/modules
First of all, the code makes use of several anti-debugging and sandbox tricks. It consists of a dropper and a main component along with several plugins. We have been able to find plugins/modules which could be used to circumvent various 2FA mechanisms. These include VNC, a video/movie recorder, screen capture and a keylogger.

Targeted brands
Currently the following targets are specified in the config file:

Germany
postbank.de

Portugal
bpinet.pt
cgd.pt
millenniumbcp.pt
santandertotta.pt

Turkey
akbank.com
denizbank.com
finansbank.com.tr
garanti.com.tr
kuveytturk.com.tr
teb.com.tr
vakifbank.com.tr
yapikredi.com.tr
ziraatbank.com.tr

Czech Republic
ba-ca.com
business24.cz
csob.cz
cz.unicreditbanking.net
mojebanka.cz
netbanka.cz
rb.cz
sberbankcz.cz
servis24.cz
uctrader.unicreditgroup.eu

Based on the geographically targeted campaigns we have created a small infection map to illustrate where Hesperbanker has zombies under its control. This corresponds perfectly with the target list.

Approx. 7.000-8.000 Windows-based PCs are zombies tied into the Hesperbanker BOTnet. They constantly leak sensitive data to the perps and furthermore open up a gateway for fraudulent and unauthorized online banking transactions.

We have several times tried to dismantle the central C&C server domains, which are served by ENOM/Namecheap and hosted at the bulletproof facilities of Hostland Ltd. in Saint Petersburg. In fact, a lot of bad stuff is hosted in this netblock: 185.26.120.0 – 185.26.121.255.
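For defenders who want to act on the netblock above, the following is an added example written for this post, not CSIS code and not anything recovered from the malware. It first confirms that the stated range 185.26.120.0 – 185.26.121.255 is exactly one /23 prefix, then scans a few constructed proxy log lines (the log format and all hosts/IPs in them are made up for the example) and reports internal machines that connected to that prefix. Unparseable lines and malformed addresses are skipped rather than crashing the scan, since real logs contain both.

```python
import ipaddress
import re

# The netblock named in the post is 185.26.120.0 - 185.26.121.255.
# summarize_address_range() turns that range into the minimal CIDR list,
# which is the single prefix 185.26.120.0/23 (512 addresses).
HESPERBANKER_NETBLOCK = list(
    ipaddress.summarize_address_range(
        ipaddress.ip_address("185.26.120.0"),
        ipaddress.ip_address("185.26.121.255"),
    )
)[0]

# Constructed sample proxy log (hypothetical format):
#   <timestamp> <internal client> -> <destination ip> host=<requested host>
# Two lines fall inside the netblock, one is just outside it (185.26.122.1),
# and one has a garbled destination to exercise the error handling.
SAMPLE_LOG = """\
2013-09-05T10:01:12Z 10.0.0.15 -> 185.26.120.77 host=example-update.invalid
2013-09-05T10:01:13Z 10.0.0.15 -> 93.184.216.34 host=example.com
2013-09-05T10:02:40Z 10.0.0.22 -> 185.26.121.200 host=cdn-static.invalid
2013-09-05T10:03:01Z 10.0.0.22 -> 185.26.122.1 host=neighbour.invalid
2013-09-05T10:03:05Z 10.0.0.31 -> not-an-ip host=garbled
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) host=(?P<host>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def in_netblock(ip_text, network=HESPERBANKER_NETBLOCK):
    """True if ip_text is a valid address inside network; malformed input -> False."""
    try:
        return ipaddress.ip_address(ip_text) in network
    except ValueError:
        return False


def find_hits(log_text, network=HESPERBANKER_NETBLOCK):
    """Return (src, dst, host) for every parseable line whose destination is in network."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        if in_netblock(rec["dst"], network):
            hits.append((rec["src"], rec["dst"], rec["host"]))
    return hits


def affected_clients(log_text, network=HESPERBANKER_NETBLOCK):
    """Sorted list of distinct internal clients that reached the netblock."""
    return sorted({src for src, _, _ in find_hits(log_text, network)})


if __name__ == "__main__":
    print(f"netblock as CIDR: {HESPERBANKER_NETBLOCK}")
    for src, dst, host in find_hits(SAMPLE_LOG):
        print(f"{src} contacted {dst} ({host}) inside {HESPERBANKER_NETBLOCK}")
    print("clients to triage:", affected_clients(SAMPLE_LOG))
```

The same membership test works unchanged on a list of several prefixes if more hosting ranges are added later; the point of deriving the /23 from the two endpoints is that the post gives a range, not a CIDR, and computing the prefix avoids mis-typing the mask by hand.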