Rivalry heats up as VXers bake Fobber crypto clobber

Hop, skip, and headache.


A malware development squad is so determined to thwart meddling white hat researchers that it has produced a trojan riddled with obfuscation techniques and neurotic encryption.

The Fobber banking trojan is based on Tinba version two, regularly hops between programs, and is distributed through the elusive and dangerous HanJuan exploit kit.

Malwarebytes researcher Jerome Segura says the authors have encrypted command and control communications, and each separate small code function, making reverse engineering a formidable task.

"The samples we have observed always attempt to open random registry keys and then the malware performs a long sequence of jumps in an effort to create something like a rabbit hole for analysts to follow, slowing down analysis," Segura says.

"The dropped binary, which we nicknamed Fobber, has the ability to steal valuable user credentials and is also fairly resistant to removal by receiving updates to both itself and command servers.

"Unlike a normal Windows program, Fobber makes it a habit to “hop” between different programs."

Segura says the authors are "testing the waters" with the malware before distributing it more widely. The white hat's analysis would doubtless infuriate the cautious criminal coders.

Fobber hopping flow.


He says the malware is flogged through a noisy malvertising campaign which is out-of-place for the handiwork of the stealthy HanJuan exploit kit, unknown prior to late last year and normally restricted to high-value and zero-day attacks.

Equally anomalous is the use of a genuine hacked Joomla! site for hosting HanJuan, a fact that Segura has exploited by asking the hosting provider for further forensic analysis.

"Every encounter with HanJuan is interesting because it happens so rarely. As always the exploit kit only targets the pieces of software that have the highest return on investment: Internet Explorer and [Adobe] Flash Player," he says.

Fobber throws a further fork in the analysis wheels by eschewing traditional methods of process watching.

Instead it creates a kind of checksum value derived from process names of Windows processes including Chrome, Internet Explorer and Firefox, which is then matched against hard-coded process checksums.
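An analyst-side sketch of the matching described above, added here as an example and not taken from Fobber or from the Malwarebytes analysis: it maps hard-coded process-name checksums back to names by hashing a list of candidates. The article does not name the checksum algorithm, so CRC32 over the lower-cased name is an assumption, as are the function names and all sample values.

```python
import zlib
from typing import Callable, Dict, Iterable, List, Tuple


def crc32_name(name: str) -> int:
    """Stand-in checksum (assumption): CRC32 over the lower-cased name.

    Replace with the routine recovered from the sample under analysis.
    """
    return zlib.crc32(name.lower().encode("ascii")) & 0xFFFFFFFF


def resolve_checksums(
    targets: Iterable[int],
    candidates: Iterable[str],
    checksum: Callable[[str], int] = crc32_name,
) -> Tuple[Dict[int, List[str]], List[int]]:
    """Map each hard-coded checksum to the candidate names that produce it.

    Returns (resolved, unresolved). A checksum can resolve to more than one
    name if the algorithm collides, so every match is kept.
    """
    table: Dict[int, List[str]] = {}
    for name in candidates:
        table.setdefault(checksum(name), []).append(name.lower())

    resolved: Dict[int, List[str]] = {}
    unresolved: List[int] = []
    for value in targets:
        if value in table:
            resolved[value] = sorted(set(table[value]))
        else:
            unresolved.append(value)
    return resolved, unresolved


# Constructed candidate list: process names an analyst would try first.
CANDIDATES = ["chrome.exe", "iexplore.exe", "firefox.exe",
              "explorer.exe", "svchost.exe", "notepad.exe"]

# Constructed stand-ins for values pulled from a binary: three derived from
# browser names, plus one value that matches no candidate.
SAMPLE_TARGETS = [crc32_name("chrome.exe"), crc32_name("IEXPLORE.EXE"),
                  crc32_name("firefox.exe"), 0xDEADBEEF]

if __name__ == "__main__":
    found, missing = resolve_checksums(SAMPLE_TARGETS, CANDIDATES)
    for value, names in found.items():
        print(f"{value:#010x} -> {', '.join(names)}")
    print("unresolved:", [f"{v:#010x}" for v in missing])
```

Unresolved values point to a name missing from the candidate list or to a checksum routine that differs from the assumed one.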
