April 30, 2015
A new online banking malware with the same technique used in Operation Emmental has been hitting users in Japan. Detected as TROJ_WERDLOD, this new malware has been causing problems in the country since December 2014 with more than 400 confirmed victims.
This threat changes two settings that allow information to be stolen at the network level (i.e., without an information-stealing component running on the host). From the attacker's point of view, this has the advantage of requiring neither a reboot nor any memory-resident process on the affected system.
The first of the two settings is the system's proxy configuration, which is changed so that some of the user's Internet traffic is routed through a proxy controlled by the attacker. The second is the addition of a malicious root certificate to the system's trusted root store. With that root trusted, the forged site certificates the malicious proxy presents during its man-in-the-middle attacks are accepted by the browser without triggering certificate warnings or error messages.
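Both changes leave persistent, inspectable traces in the Windows registry: the user proxy under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (values `ProxyEnable`, `ProxyServer`, `AutoConfigURL`) and each trusted root under `...\SystemCertificates\Root\Certificates\<SHA-1 thumbprint>` in either hive. The following script is an added example, not code from the original post or from any vendor tooling: it parses the text of a `.reg` export (assumed to have been produced with `reg export <key> file.reg` on the host) and flags a proxy that is enabled toward a server outside an allowlist, a PAC URL, and any root thumbprint absent from a baseline taken on a known-clean machine. The registry export, the proxy address and the thumbprints in it are constructed placeholders.

```python
"""Hunt for an unexpected proxy and for non-baseline root certificates
in a Windows registry export (.reg text).  Added example, not the
original post's code; the sample export below is constructed."""
import re
from typing import Dict, List, Set

# User-level WinINet proxy settings (real key; values are documented).
PROXY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Trusted root store entries in either hive; the subkey name is the cert's SHA-1 thumbprint.
ROOT_KEY_RE = re.compile(
    r"^(HKEY_(?:CURRENT_USER|LOCAL_MACHINE))\\Software\\Microsoft\\SystemCertificates"
    r"\\Root\\Certificates\\([0-9A-F]{40})$",
    re.IGNORECASE,
)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_value}} from .reg export text.
    Hex continuation lines (ending in '\\') carry no value name and are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m:
            keys[current][m.group(1)] = m.group(2)
    return keys


def parse_dword(raw: str) -> int:
    """'dword:00000001' -> 1; anything else -> 0."""
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else 0


def parse_string(raw: str) -> str:
    """Strip the quotes of a REG_SZ value and unescape backslashes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def check_proxy(keys: Dict[str, Dict[str, str]], allowed: Set[str]) -> List[str]:
    """Flag an enabled proxy or PAC URL that is not on the allowlist."""
    findings = []
    values = keys.get(PROXY_KEY, {})
    enabled = parse_dword(values.get("ProxyEnable", "dword:00000000"))
    server = parse_string(values.get("ProxyServer", ""))
    pac = parse_string(values.get("AutoConfigURL", ""))
    if enabled and server and server not in allowed:
        findings.append(f"proxy enabled to unexpected server {server}")
    if pac and pac not in allowed:
        findings.append(f"auto-config (PAC) URL set: {pac}")
    return findings


def check_root_store(keys: Dict[str, Dict[str, str]], baseline: Set[str]) -> List[str]:
    """Flag any trusted root whose thumbprint is not in the clean baseline."""
    findings = []
    for key in keys:
        m = ROOT_KEY_RE.match(key)
        if m and m.group(2).upper() not in baseline:
            findings.append(f"root certificate not in baseline: {m.group(2).upper()} ({m.group(1)})")
    return findings


def hunt(reg_text: str, allowed_proxies: Set[str], baseline_thumbprints: Set[str]) -> List[str]:
    keys = parse_reg_export(reg_text)
    return check_proxy(keys, allowed_proxies) + check_root_store(keys, baseline_thumbprints)


# Constructed sample export: one enabled proxy (documentation-range address)
# and two roots, of which only the first is in the baseline.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="203.0.113.10:8080"

[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567]
"Blob"=hex:03,00,00,00,01,00,00,00,14,00,00,00,01,23,45,67,89,ab,cd,ef,01,23,45,\
  67,89,ab,cd,ef,01,23,45,67

[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF]
"Blob"=hex:03,00,00,00
"""

BASELINE = {"0123456789ABCDEF0123456789ABCDEF01234567"}  # placeholder thumbprint

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EXPORT, allowed_proxies=set(), baseline_thumbprints=BASELINE):
        print("FINDING:", finding)
```

Run against real exports, the baseline should be a set of thumbprints gathered from a clean reference build, and the allowlist should contain the organisation's legitimate proxy. Checking the `HKEY_CURRENT_USER` root store is the part that matters most here: a root added there does not need administrator rights, so it is exactly where an unprivileged infection is likely to leave its certificate.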
This combination of a malicious proxy and an added root certificate was also used in Operation Emmental; the TROJ_WERDLOD attacks indicate that the technique has now reached Japan.