Kaspersky Lab experts have discovered a new financial threat: the Mezzo malware, which is capable of replacing payment details in the exchange files passed between accounting and banking systems. At the moment the malware simply sends information collected from the infected computer to the attackers' server, which, according to analysts, may indicate that the Trojan's creators are preparing a future campaign. The number of Mezzo victims is still only a handful, with most infections recorded in Russia.

Mezzo is distributed using third-party downloaders. After reaching the device, the Trojan creates a unique identifier for the infected computer; a folder named after it is created on the attackers' server to store all files found on the victim's machine. Each of these folders is password protected.

Mezzo is mainly interested in text files of popular accounting software that were created less than two minutes ago. After detecting such documents, the Trojan waits to see whether a dialog box opens for the exchange of information between the accounting system and the bank. If it does, the malware can replace the account details in the file at the moment of data transfer. Otherwise (if the dialog never opens), Mezzo replaces the entire file with a fake one.

In addition, analysis of the Mezzo code showed that the malware may be related to another high-profile Trojan that hunts for cryptocurrencies, CryptoShuffler. Kaspersky Lab experts found that the code of Mezzo and of AlinaBot, the program that downloads CryptoShuffler, is identical almost to the last line. Apparently the same virus writers are behind both pieces of malware, which means their interest may also extend to users' crypto wallets.

“This is not the first time we have encountered malware attacking accounting software. Thus, with the help of a similar TwoBee Trojan that we discovered about a year ago, attackers managed to steal more than 200 million rubles from Russian organizations,” recalls Sergey Yunakovsky, an antivirus expert at Kaspersky Lab. “However, Mezzo is different from its ‘brother.’ On the one hand, it uses a simpler algorithm for searching and checking files of interest. But it is likely that it is not limited to accounting systems alone. And this is very much in the spirit of modern virus writers, who are increasingly implementing many modules and various functions within a single malware.”

You can learn more about the capabilities of the Mezzo Trojan from the Kaspersky Lab analytical report:

This is not the first time Kaspersky Lab analysts have encountered attacks on accounting programs; about a year ago, for example, we came across the Trojan.Win32.TwoBee malware. In general, the attack on the accounting system came down to substituting payment details in the data exported from the database for banking systems. As a result, sums of money go to other people's accounts without the owner's knowledge. At the beginning of its “career,” the TwoBee Trojan received the replacement details from outside; later it “carried” them with itself, sending the server only short messages about the results of its work.

As for the Mezzo Trojan, which we want to examine here, it simply sends text files to the server without manipulating them. However, this does not mean there is no threat; on the contrary, it may indicate that the malware authors are preparing a future campaign and are currently at the stage of collecting information about targets.

Let's take a closer look at some features of this Trojan. To do this, we'll examine two modifications of Mezzo: one designed exclusively for collecting information about existing accounting files, and a second capable of replacing them.

A characteristic feature of both is the creation of an easily recognizable mutex at the start:

Information collection module

Once Mezzo starts working, it creates a unique identifier for the infected computer:

This identifier is used as the name of the folder where information about the found files will be stored:

The contents of the archive are as follows:

The archive itself is password protected (the previously created identifier, which is also the name of the archive, serves as the password). Unlike TwoBee, Mezzo uses a simpler algorithm to search and check files. For example, TwoBee substituted data only if a certain minimum transaction amount was present:

Checking the minimum amount (500,000 ₽) in TwoBee

In addition, TwoBee collected data on the amounts transferred.

Mezzo simply checks the “age” of the file (it must not be older than a week) and the presence of the line 1CClientBankExchange at its beginning:

Upon completion of the search, the data is packed into an archive with a password and sent to the server.

Sending data

Structure of a request and response from the Mezzo C&C server

Substitution module

Now let's figure out how the Mezzo module works, the task of which is to replace accounting program files.

The Trojan creates three threads of execution. The first (trash_thread in the screenshot below) is responsible for counteracting security software: the Trojan allocates huge memory regions in a loop and fills them with arbitrary data. In the “sandboxes” of some security solutions, the handling of memory allocation and leak control differs from the “real” operating-system mechanisms, and such requests may disrupt their work. The second thread registers the “freshly infected” computer on the command server. The third polls the C&C server and transmits information about the infected system.

Beginning of the main Mezzo procedure

Technique implemented in trash_thread

Mezzo creates a unique ID and sends it to the server. When a command with code 0x46 ('F') is received from the server, information about the infected system is transmitted. Obviously, this command is received the first time the server is contacted with a given identifier.

The get_tasks procedure deletes the contents of the %TEMP% folder when it receives code 0x34 ('4').

After this, the Trojan begins searching each logical partition of the file system for files that meet the following criteria:

  • Created less than two minutes ago;
  • At the beginning of the file there is a line 1CClientBankExchange;
  • Extension .txt.

The resulting file is copied to the path “%TEMP%\ .txt” and transmitted to a remote server, from which the replacement file is received. That file is saved as “%TEMP%\ .txt”. The program then waits for the user to invoke certain dialog boxes of the accounting program.

Search Dialog Box

This is necessary to replace the file at the very moment data is transferred from the accounting system to the bank. The wait lasts five minutes; if the required window does not open, the Trojan simply replaces the file with a fake one, after first trying to stop the 1cv8c.exe process using SuspendThread. Once the substitution is complete, the Trojan deletes the contents of the NEW folder containing the file received from the command and control server.
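The substitution described above changes the payee account inside an exchange file that otherwise looks legitimate to the accounting program. The following added example (not code from the Kaspersky report) is a defender-side check that can run on an exported file right before it is handed to the bank client: it recognises the file by the same 1CClientBankExchange header Mezzo looks for, parses the payment documents, and flags any payee account that is not on record. The section markers and field names (СекцияДокумент, КонецДокумента, Получатель, ПолучательСчет, Номер) are assumed from the 1C exchange format and are not taken from the page; the sample file and the allow-list are constructed.

```python
# Constructed sample of a 1C client-bank exchange file. The header line is the
# signature named in the report; section markers and field names are assumed from
# the 1C format (not from the page). Document 102's payee account has been swapped.
SAMPLE_EXCHANGE_FILE = """1CClientBankExchange
ВерсияФормата=1.02
СекцияДокумент=Платежное поручение
Номер=101
Получатель=ООО Поставщик
ПолучательСчет=40702810400000000777
КонецДокумента
СекцияДокумент=Платежное поручение
Номер=102
Получатель=ООО Поставщик
ПолучательСчет=40817810099999999999
КонецДокумента
КонецФайла
"""

# Constructed allow-list: payee name -> set of bank accounts on record for it.
KNOWN_PAYEES = {"ООО Поставщик": {"40702810400000000777"}}

def is_exchange_file(text):
    """Same cheap signature Mezzo uses: the file starts with 1CClientBankExchange."""
    return text.lstrip("\ufeff").startswith("1CClientBankExchange")

def parse_documents(text):
    """Split the file into payment documents, one dict of Key=Value fields each."""
    docs, current = [], None
    for line in text.splitlines():
        if line.startswith("СекцияДокумент="):
            current = {}
        elif line == "КонецДокумента" and current is not None:
            docs.append(current)
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key] = value
    return docs

def suspicious_documents(text, known=KNOWN_PAYEES):
    """Flag documents whose payee account is not the one on record for that payee."""
    if not is_exchange_file(text):
        return []
    flagged = []
    for doc in parse_documents(text):
        payee, account = doc.get("Получатель"), doc.get("ПолучательСчет")
        if account not in known.get(payee, set()):
            flagged.append("doc %s: %s -> %s not on record" % (doc.get("Номер"), payee, account))
    return flagged
```

Real 1C exports are typically Windows-1251 encoded, so decode the file to text before calling suspicious_documents; a non-empty result means the file should be held back rather than uploaded.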

Traces of CryptoShuffler

However, the investigation did not end there. Some time ago, our analysts examined CryptoShuffler and the malware that downloaded it onto the system. It turned out to be AlinaBot (not to be confused with AlinaPOS), so named because of the title of the C&C server authentication window:

In many ways, this common downloader (we'll look at its features below) is related to Mezzo.

First, let's go through the “weak” connections:

Now for the “strong” evidence. The first piece is the method of generating a unique identifier: the recovered code of Mezzo, AlinaBot and its modules matches down to the last line:

The second is the fact that AlinaBot modules store stolen data in a similar way (except that the identifier is not always used as the password):

AlinaBot module working directory structure

Even a superficial examination of the code reveals the style of Mezzo's author: diligently copying large numbers of code fragments.

AlinaBot functions

There are six commands from the server in total (plus “0”, indicating no command), which AlinaBot receives in response to the initialization request as a string of characters:

Importantly, the commands are processed “two at a time”: there are two cycles of checking the input values, so the characters at even positions in the string and those at odd positions differ in purpose. For example, command “2” at an odd position downloads a file from a fixed address, while at an even position it receives a download link.

Command F (even) denotes a request for system information and includes the following fields:

  • Unique identifier;
  • Operating system version;
  • Username;
  • Computer name;
  • Computer IP address.

Command 1 (odd) downloads a file from an address of the form /plugins/downloaded/load_file.exe and launches it:

Command 1 (even) restarts the main body of AlinaBot.

Command 2 (odd) also downloads files from the C&C server, like command 1, but from a different path, /plugins/downloaded/load_file_gl.exe; this server never showed any activity during the study.

Command 2 (even) receives from the server the address from which a file should be downloaded, then downloads and runs it.

Typically, this command was used to download malware from the Trojan-Banker.Win32.CryptoShuffler family.

Command 3 (even) terminates execution of the console application host.

Payload

We were able to obtain the downloaded files; they fall into two types. The first “hijacks” cryptocurrency wallets and browser passwords. Wallet theft is accomplished simply by searching the infected system for files named wallet.dat. Password theft only affects users of Chrome and Opera; both browsers store account data in a similar way, as SQLite databases at a path like “C:\Users\<USERNAME>\AppData\Local\Google\Chrome\User Data\Default”. The plugin opens these files using the SQLite library and tries to decrypt the data with a “blank password,” in case the user has not set a password for authentication. The malware sends the obtained data to the server in a ZIP archive with the password 1q2w3e4r.


Recovered code for extracting password data from Chrome

Files are “stored” in the same manner as in Mezzo.

One last noteworthy thing about this module: the author moved away from using curl and borrowed code from a certain Anasazi; the characteristic string WARPCRYPT is present in both cases. We also discovered the Anasazi source code on Pastebin.

Comparison of the restored code of the AlinaBOT module and the Anasazi source code on Pastebin

The second downloaded file can remotely control the infected computer. This module is not of particular interest in itself, being a fairly ordinary backdoor that executes, for example, the following commands:

  • 0x403: Start task manager
  • 0x406: Terminate Chrome process
  • 0x40F: Launch command line
  • 0x413: Buffer certain data and send it to the specified window

MD5

Information collection module:
Replacement module: 1083439FAE49A745F007705281952CD9
AlinaBot: E2E7927C279C3740EA9821595FA2AA23

Experts have recorded that the malware's victims are still few in number, but most infections occur in Russia, TASS reports, citing the company's research.

The program is currently only collecting the information it needs, which may imply preparation for a campaign to steal funds, according to Kaspersky Lab experts.

The main difference between the new Trojan and others is its simplified algorithm for searching and checking files of interest. In addition, experts suggest the Trojan's reach may extend beyond accounting systems.

The Trojan is distributed using third-party downloaders. Once on the device, Mezzo creates a unique identification code for the infected computer, after which a folder is created on the attackers' server to store all files found on the victim's machine.

Mezzo is believed to target accounting-software text files created less than two minutes ago. Having detected such documents, the Trojan waits for the dialog box for exchanging information between 1C and the bank to open, after which the malware can steal funds by substituting payment details, experts believe.

"VFM.RU" provides a comment from information security expert Maxim Emm: "These types of Trojans, which are directly involved in transferring funds using details other than those intended by the system owner, are the most dangerous, especially those that attack corporate systems. It is obvious that there are orders of magnitude more money in a company's accounts than in the accounts of individuals. For individuals, such viruses and Trojans have been known for quite some time. For corporate use they are much less common. This is a serious threat, because we have 1C: Accounting installed in a very large number of organizations, and there are no mechanisms within 1C to protect against this kind of Trojan and such behavior. Therefore, the company may experience very large losses if this Trojan is not detected in a timely manner: the money will physically go to other accounts, after which it will need to be retrieved very quickly. This is also, in principle, possible; that is, the fact that money is transferred from one bank to another does not mean at all that it will be impossible to return it if you react very quickly. But most people don't do this, so I would rate the threat level as quite high compared to other Trojans that do not directly result in the movement of funds by infecting a computer."

Kaspersky Lab suggests that Mezzo may be closely related to the CryptoShuffler Trojan, which steals cryptocurrency. According to the study, the code of the Trojan and of the program that downloads CryptoShuffler is almost identical.

Experts believe that the same virus writers are behind both pieces of malware, which means their interest may also extend to users' crypto wallets.

Background

Information technology crimes include unauthorized access to information and bank accounts, the distribution of malicious viruses, spam and illegal information, and network interference with computer-controlled systems.
With the spread of information technology and the increase in the number of processes controlled by computers connected to networks, the scale and danger of cybercrime is increasing throughout the world. In 2010, the UN General Assembly named cybercrime as one of its main problems.
Cybersecurity refers to technical, organizational and legal measures to combat cybercrime. Software tools are being developed to combat cybercrime; large companies have cybersecurity divisions in their structure.
The legislation of many countries, including the Russian Federation, establishes both administrative and criminal liability for offenses in the field of information technology. In some cases, cybercrimes may fall under the category of crimes against public safety and public order, and in some cases they are punishable by special rules of law.
Cybercrime is characterized by a situation where the offender and the victim of the crime are located in different countries, which makes international coordination in the fight against crimes of this kind necessary. In particular, on November 23, 2001, the Council of Europe Convention ETS No. 185 on computer crime was adopted in Budapest. Due to disagreement with the provision on cross-border access to computer systems, Russia's signature to the Convention has now been revoked.

When a computer is infected, the virus assigns it a unique number, which is used as the name of a folder on the hackers' server. This folder stores files taken from the victim's computer. Mezzo's main goal is to detect and steal documents from accounting programs.

It waits

The virus can also replace payment details in the documents of an accounting program. To do this, it waits for the user to open the dialog box between the program and the banking system, then changes the contents of the detail fields. If the user does not open this window, the Trojan can replace the entire report file with a fake one. So far, however, the Trojan does not do this; it only collects information and transmits it to the server. Experts believe the attackers may be preparing for a massive attack.

So far, the number of infected computers is only a handful, but most of them are located in Russia. Even infecting a single computer in one large company, however, can cause large losses.

This is not the first time we have encountered malware attacking accounting software. Thus, with the help of a similar TwoBee Trojan that we discovered about a year ago, attackers managed to steal more than 200 million rubles from Russian organizations

Sergey Yunakovsky

Kaspersky Lab expert

Cryptocurrency theft

In the code of the Mezzo virus, a direct connection was found with the AlinaBot program, which hackers previously used to steal cryptocurrencies. It replaced the user's wallet address in the clipboard with the address of the virus creators, and the substitution was hard to notice because the address consists of a jumbled set of numbers and letters.
