[Warning] Malicious file found targeting Korean online banking users.

1. Introduction

With the spread of the “Zeus” source code, which targets overseas internet banking web sites, the need to strengthen the security of internet financial services appears to be widely accepted by the public.
To reduce the possibility of financial information being leaked and to avoid the various emerging threats to internet financial services, we need to pay more attention to these critical threats.

In particular, the malicious file found recently is the first officially reported case aimed at Korean online banking users: its default language is set to Korean and it targets 27 domestic internet banking sites, which is regarded as a shocking incident.

As a company whose main business is providing security components for the financial sector, we are monitoring the date the malicious file first appeared and collecting samples of its many variants.
Furthermore, our own “Malicious file integrated management automation system” shows that various variants have been spreading; some infections date back to September 2010. We are inspecting those samples.

* Anti-virus for Trojan-Spy/W32.KRBanker (for the Korean Financial Supervisory Service)

* Code in the malicious file related to online banking

* Trojan-Spy/W32.KRBanker target list

01. Kookmin Bank (bank.kbstar.com)
02. Woori Bank (http://www.wooribank.com/)
03. Korea Exchange Bank (http://www.keb.co.kr/)
04. Korea Industrial Bank (http://www.ibk.co.kr/)
05. Hana Bank (http://www.hanabank.com/)
06. Shinhan Bank (http://www.shinhan.com/)
07. Citibank (http://www.citibank.co.kr/)
08. Standard Chartered (http://www.scfirstbank.com/)
09. Daegu Bank (http://www.dgb.co.kr/)
10. Kyungnam Bank (http://www.knbank.co.kr/)
11. Jeonbuk Bank (http://www.jbbank.co.kr/)
12. Kwangju Bank (http://www.kjbank.com/)
13. Busan Bank (http://www.busanbank.co.kr/)
14. Jeju Bank (banking.e-jejubank.com)
15. HK Saving Bank (http://www.hksb.co.kr/)
16. Nonghyup (banking.nonghyup.com)
17. Suhyup (http://www.suhyup-bank.com/)
18. Hyundai Swiss Saving Bank (http://www.hsb.co.kr/)
19. Jeil Saving Bank (http://www.jeilbank.co.kr/)
20. Community Credit (http://www.kfcc.co.kr/)
21. Credit Union (http://www.cu.co.kr/)
22. Korea Industry Bank (http://www.kdb.co.kr/)
23. Post Office Bank (http://www.epostbank.go.kr/)
24. Solomon Saving Bank (http://www.solomonbank.com/)
25. Seoul Saving Bank (http://www.seoulbanking.co.kr/)
26. Tomato Saving Bank (http://www.tomatobank.co.kr/)
27. Pureun Bank (http://www.pureunbank.co.kr/)

We found that this malicious file tries to steal or tamper with the user’s certificates, passwords, account passwords, security card numbers and OTP (one-time password).
The collected information may be used for malicious purposes, such as withdrawing the balance without the real owner noticing.

In addition, it contains functions to kill some well-known Korean anti-virus software, and it appears to be well customized for the Korean environment.

2. Malicious code activation scenario

The INCA Internet security response team tested the whole information leakage process in a real environment.

* Activity of this malicious file

Once activated, the malicious file watches for Internet Explorer windows opened on Korean online banking sites, after certain conditions are met.
It was also designed to perform bank-specific malicious behaviour, which means the malware developer coded as many routines as there are banking systems on the target list.

%ProgramFiles%\Common Files\CommonDirs\runmode.dll
%ProgramFiles%\Common Files\CommonDirs\winnet.exe

When this malicious file runs, it creates a folder with the hidden attribute under the Windows system folder and monitors usage history.

The folder name "np" appears to be an abbreviation of NPKI (National Public Key Infrastructure). The malware creates another folder there and tries to steal certificates located on the local disk or on removable disks.

The .NLS files are captures of the user’s screen taken from time to time; they are sometimes saved as .DAT files instead.
The malicious file appears to use those captured files for further malicious behaviour.
The following figure shows one of the .NLS files, containing the screen and the mouse position.

<The user chooses a certificate and must enter the password to authenticate at Kookmin Bank>

<At KEB Bank>

The .XCD file is a text file containing the names of the drives in the local PC. It helps the malware copy the folder where NPKI is saved.

The NPKI files were copied and saved in the folder f2nk14677.1171875.
The folder name varies depending on the user environment.

When the infected user signs in to the online banking service, the user’s certificates are captured and saved to C:\Windows\Help\iishelp\common\dllimage.bmp.

The saved dllimage.bmp is then used as a background image when signing in with a certificate.

The next time, it displays a script page or a fake error and tries to deceive the user into re-entering the certificate and password.

The following image is identical to Shinhan Bank’s error page.

You can see the artificial blue box that snatches the password in the input form.

<An additional form overlaid on the current form>

In certain cases it also shows a form asking for the password, OTP and security card number.

The entered information is saved to C:\Windows\inf\d3dx9_94_x.inf together with the date and time.

This malicious file also has other functions, such as sending e-mail, using FTP, checking the IP address, collecting system information, P2P, configuring the Windows firewall, hiding the browser, masquerading as an nProtect security module, and interfering with anti-virus software.
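As an added example (not part of the original advisory or of INCA Internet's tools), the following Python check looks for the fixed drop and output paths named above in a Windows file listing, so a responder can triage a host or a mounted image for this infection. The sample listing is constructed, and the `%ProgramFiles%` expansion and the case-insensitive comparison are assumptions about how such a triage is done.

```python
import os
import ntpath

# Fixed paths named in the advisory; %ProgramFiles% is expanded by expand_program_files().
KRBANKER_ARTIFACTS = {
    "dropped executable": r"%ProgramFiles%\Common Files\CommonDirs\winnet.exe",
    "dropped DLL": r"%ProgramFiles%\Common Files\CommonDirs\runmode.dll",
    "captured certificate image": r"C:\Windows\Help\iishelp\common\dllimage.bmp",
    "harvested credential log": r"C:\Windows\inf\d3dx9_94_x.inf",
}

def expand_program_files(path, program_files=r"C:\Program Files"):
    """Expand only %ProgramFiles%, so the check also works on a mounted image of another host."""
    return path.replace("%ProgramFiles%", program_files)

def normalise(path):
    """Windows file names are case-insensitive (the advisory itself writes dllimage.bmp and
    dllImage.bmp), so compare lower-cased, backslash-normalised paths."""
    return ntpath.normpath(path).lower()

def match_artifacts(observed_paths, program_files=r"C:\Program Files"):
    """Return {description: observed path} for each indicator found in observed_paths,
    an iterable of full Windows paths (triage listing, image index, EDR export)."""
    wanted = {normalise(expand_program_files(p, program_files)): desc
              for desc, p in KRBANKER_ARTIFACTS.items()}
    hits = {}
    for observed in observed_paths:
        desc = wanted.get(normalise(observed))
        if desc:
            hits[desc] = observed
    return hits

def scan_live_host(program_files=None):
    """Check the indicators on the Windows machine this runs on; returns {description: path}."""
    program_files = program_files or os.environ.get("ProgramFiles", r"C:\Program Files")
    expanded = {d: expand_program_files(p, program_files) for d, p in KRBANKER_ARTIFACTS.items()}
    return {d: p for d, p in expanded.items() if os.path.exists(p)}

# Constructed sample listing: two indicators (one in different casing) plus benign noise.
SAMPLE_LISTING = [
    r"C:\Program Files\Common Files\CommonDirs\WINNET.EXE",
    r"C:\Windows\inf\d3dx9_94_x.inf",
    r"C:\Windows\System32\d3dx9_43.dll",  # legitimate DirectX runtime name, must not match
    r"C:\Program Files\Common Files\System\ado\msado15.dll",
]

if __name__ == "__main__":
    for desc, path in match_artifacts(SAMPLE_LISTING).items():
        print(f"[KRBanker] {desc}: {path}")
```

The folder f2nk14677.1171875 and the "np" folder are deliberately left out because the advisory says their names vary by environment; a match on the fixed paths above should be followed by a manual look for those.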

Since we identified that the malware blocks our nProtect Netizen, we updated Netizen for this variant on May 25, 2011.
The following image shows the test result of nProtect Netizen against the malicious file.
Netizen can scan and treat the malicious file without problems.

3. How to prevent

These financial security threats must be stopped. One method we recommend is to change the sign-in form regularly.
To use online banking safely against these malicious behaviours, we recommend the following “Online banking security management tips” for general users.

※ Online banking security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use security components when using online banking (keyboard protection, anti-virus, and so on).
3. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep the real-time detection function enabled.
4. Be careful when clicking shortened URLs.
5. Save NPKI certificates to a removable disk.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions and runs a response system against various security threats.