Sopelka VS Eurograbber: really 36 million EUR?

Almost one month ago I had the opportunity of giving a talk at Rooted CON for yet another year. Mikel Gastesi and me talked about Sopelka Botnet and the Eurograbber report published by Check Point and Versafe at the beginning of December 2012. You can take a look at the slides here.



After reading the Eurograbber report and taking into account that there were a lot of similarities with Sopelka Botnet, which I had analyzed some months before, I decided to write a blog post about it. At the same moment, the Rooted CON CFP was closing, so I submitted this subject and then I forced myself to research further to demonstrate that Eurograbber was just a hype. Thanks to the investigations by S21sec and Fox-IT there was more than enough information.

Uncovering the "new" Eurograbber: really 36 million EUR?

Eurograbber is in the news, beware. Some days ago Versafe and Check Point Software Technologies published a “new” threat report titled “A Case Study of Eurograbber: How 36 Million Euros was Stolen via Malware”. A bit sensationalist, yes. If it was well documented and there was real proof of that, I would have nothing to say, but it turns out that this threat is not so new and I wrote about it by the end of September, when I was working at S21sec. I called this Sopelka botnet.

Apart of being new or not (I think all of us thought that we were the first ones when really not), the report throws some data about affected banks/users and, the most important, the amounts stolen from each country by the fraudsters: more than 16 million EUR in Italy, almost 13 million EUR in Germany, almost 6 million EUR in Spain and more than 1 million EUR in Netherlands. In summary, more than 36 million EUR in Europe. Taking into account the sad times we are living in, crisis times, it's pretty noteworthy, isn't it?

This report and, above all, these stolen amounts have been quickly published everywhere and are quite widespread, faster than some of the most infamous Trojans. That's why I would like to say some words about the report and these astonishing amounts:


  • It's not a new Trojan, not a new customized ZeuS, it's just Citadel. Citadel, but also Tatanga and Feodo. In this botnet were used at least three different Trojans.

Sopelka Botnet: three banking trojans and one banking panel

Sopelka botnet started life in May this year and was taken down by end of September. It has been called Sopelka because of the path used in the distribution of binaries and configuration files, and was an odd mixture of variants of the known banking trojans Tatanga, Feodo and Citadel.

This botnet’s objective was the collection of banking credentials from European entities, mostly banks from Spain and Germany, but also Holland, Italy and Malta. In addition, it made use of different mobile components for Android, BlackBerry and Symbian phones. Symbian was the first operating system where this type of malicious component emerged two years ago.

During the botnet’s lifetime there were at least five campaigns and it’s likely that more were carried out. Of the five known campaigns, three of them installed variants of Citadel (versions and, another Feodo, and Tatanga was the chosen trojan in the other one. All the Citadel campaigns carried the name “sopelka” (a flute type in Russian) in their download paths for binaries and configuration files, but this was not the case with Tatanga and Feodo.

Source Seattle 2011

Some days ago, Source Seattle (USA) took place. It is the first time it has taken place in Seattle and although the attendance couldn’t match the Boston conference, the atmosphere was magnificent. It began on Tuesday the 14th with an event for the speakers and organizers to get to know each other and enjoy a beer with some tasty Asian cuisine. I was the representative of the S21sec e-crime team with a speech about banking Trojans.

The talks began on Wednesday the 15th and the agenda was divided into two tracks, one dedicated to technical themes and the other centred on the business world. The first day, the following themes (amongst others) were touched on: evaluation of necessary expenses in security, the application of the law in cybercrime matters, threat modelling, forensic memory analysis of Android’s Dalvik Virtual Machine and my speech about the evolution of fraud through banking Trojans.

Tatanga: a new banking trojan with MitB functions

Recently our e-crime unit has detected a new banking trojan, named as Tatanga, with Man in the Browser (MitB) functions affecting banks in Spain, United Kingdom, Germany and Portugal. Like SpyEye, it can perform automatic transactions, retrieving the mules from a server and spoofing the real balance and banking operations of the users. Its detection rate is very low, and the few antivirus engines that can detect it yield a generic result.

The trojan in question is rather sophisticated. It is written in C++ and uses rootkit techniques to conceal its presence, though on occasion, its files are visible. The trojan downloads a number of encrypted modules (DLLs), which are decrypted in memory when injected to the browser or other processes to avoid detection by antivirus software. The modules are the following:

  • ModEmailGrabber: It gathers e-mail addresses.

  • Coredb: It manages the trojan's configuration. The corresponding file is encrypted with the algorithm 3DES.
  • Comm Support Library: This module implements the encryption of the communication between the trojan and the control panel.
  • File Patcher: The function of this module is not clear yet. It is suspected that it is in charge of the propagation across folders containing multimedia, zipped or executable files.
  • Syndicate content