{
	"id": "f05869ac-37f2-4ebc-a804-eb55ee738f80",
	"created_at": "2026-04-06T00:19:03.841992Z",
	"updated_at": "2026-04-10T03:21:02.477034Z",
	"deleted_at": null,
	"sha1_hash": "90ecff9887189c53bc3ec0eb97e8a086f92a5adb",
	"title": "Virus Bulletin :: Sinowal banking trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3537259,
	"plain_text": "Virus Bulletin :: Sinowal banking trojan\r\nBy Chao Chen, Fortinet, China\r\nEditor: Martijn Grooten\r\nArchived: 2026-04-05 14:46:45 UTC\r\n2014-06-02\r\nAbstract\r\nWith a modular architecture and sophisticated functionality, Sinowal is a multi-component banking trojan targeted\r\nat various web browsers which threatens users of online banking systems around the globe. Chao Chen delves into\r\nthe inner workings of each of the components of this powerful malware.\r\nCopyright © 2014 Virus Bulletin\r\nOnce considered to be one of the most malicious and advanced pieces of malware, Sinowal (a.k.a. Mebroot [1] or\r\nTheola [2]) has drawn the attention of both security researchers and members of the public alike since 2006. With\r\na modular architecture and sophisticated functionality, Sinowal is a multi-component banking trojan targeted at\r\nvarious web browsers which threatens users of online banking systems around the globe. In this article, we will\r\ndelve into the inner workings of each of the components of this powerful malware.\r\nInstallation\r\nThe Sinowal installer (MD5: 7efc5e7452d98843b9ae4a2678d057ea) may arrive on a victim’s computer via any of\r\na number of different means, including drive-by download, spam attachment and file-sharing networks. The\r\ninfamous Blackhole [3] exploit kit also served as a major vector of infection until last autumn (since when\r\nBlackhole has been inactive).\r\nThe installer drops a dynamic-link library (DLL) onto the local hard disk. The DLL acts as a loader module and\r\nwill load other components, if any exist, and download a manager module which plays a central role in conducting\r\nbanking fraud. The manager module downloads several plug-in modules from the C\u0026C server, aimed at different\r\ntarget applications. These modules are used to steal sensitive information including bank account details, email\r\naddresses and FTP accounts. 
All plug-in modules contact the manager module through a named pipe, while the\r\nmanager module communicates directly with the C\u0026C server, uploading stolen information, reporting the local\r\nstatus of the trojan and downloading configuration and plug-in modules, as well as script commands for the plug-in modules to run.\r\nLoader module\r\nThe loader module is named ‘mini’ on 32-bit systems and ‘mi64’ on 64-bit systems. Each of Sinowal’s modules\r\nhas a different 32-bit and 64-bit version. In this article, we will focus on the versions for the 32-bit platform.\r\nhttps://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan\r\nPage 1 of 24\n\nBack-up loader on disk\r\nAfter being dropped and decoded by the installer, the loader module is loaded with the fdwReason parameter of\r\nthe EntryPoint function set to 0xFEFEFEEE, indicating that this is the first time it has run. The DllRegisterServer\r\nfunction will be called later to perform the following tasks:\r\n1. Write the image of the loader module to the file ‘%SystemDrive%\\Documents and Settings\\All\r\nUsers\\Application Data\\{Random Number}\\{Filename}.dll’ on the hard disk. Here, {Random Number} is\r\ndetermined by calling the GetTickCount API, and {Filename} is chosen from a given group on the basis of\r\nthe creation time of SystemRoot, as shown in Figure 1.\r\nFigure 1. Choosing a random filename.\r\n2. Keep uploading local information to the C\u0026C server. The URL of the C\u0026C server is hard-coded in the\r\nloader module’s binary. The information uploaded is an encrypted list of numbers, each one representing a\r\nspecial event that has taken place on the compromised machine, as shown in Figure 2.\r\nFigure 2. Upload events information.\r\nThe encryption routine performs a simple XOR operation on each double-word. 
The initial value of the\r\ncrypt key is generated on the basis of the CPU time stamp counter. The size of data is extended to a\r\nmultiple of four. In the encrypted data, the first double-word is the crypt key, the second is the encoded\r\nvalue of the original data size, and the rest is encoded data.\r\nFigure 3. Encryption routine with XOR.\r\n3. Execute the command ‘regsvr32.exe /s {Path of Loader Module}’, which will cause the loader module to\r\nrun in the regsvr32.exe process.\r\nDownload manager module\r\nRunning in the regsvr32.exe process, the loader module will check the fdwReason parameter of the EntryPoint\r\nfunction. This time, the value of fdwReason is DLL_PROCESS_ATTACH. In this case, the hash of the name of\r\nthe current process will be calculated and compared against a set of hashes that represent some particular\r\nprocesses. The result of the comparison will determine what happens in the next step.\r\nA Python version of the hash generation algorithm is shown in Figure 4.\r\nFigure 4. Hash generation algorithm.\r\nSome useful hash values and their corresponding filenames are listed below:\r\n0x56C00521 ‘explorer.exe’\r\n0x58AF052E ‘regsvr32.exe’\r\n0xAAFF04C6 ‘sysprep.exe’\r\n0x54E50518 ‘iexplore.exe’\r\n0xAC0104A3 ‘firefox.exe’\r\n0xD4C0042E ‘chrome.exe’\r\nThe main work in the regsvr32.exe process can be divided into three parts:\r\n1. Download the manager module via the routine used for uploading the event list. The HTTP session for\r\ndownloading is shown in Figure 5.\r\nFigure 5. Download the manager module.\r\nAn encrypted list of running processes and installed software is sent to the C\u0026C server, which will reply\r\nwith the XTEA-encrypted manager module. The downloaded manager module will be decrypted with the\r\nkey ‘HONNJCUPKFVBBYCC’. 
After being verified as a PE file, the manager module (which is also a\r\nDLL) will be XTEA-encrypted locally and stored in the folder that contains the loader module. This time,\r\nthe crypt key (128 bits) consists of two parts: the first 32 bits are generated on the basis of the SystemRoot\r\ncreation time, and the other 96 bits are hard-coded in the binary. The name of the encrypted manager\r\nmodule is chosen from another group of given names and uses ‘.dat’ as its file extension.\r\n2. Make the registry value\r\n‘HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad’ point to the path\r\nof the loader module and add the path of the loader module to the registry value\r\n‘HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs’. The first\r\nregistry value will enable the loader module to be loaded when Explorer starts up, and the second will\r\nenable it to be loaded into all user-mode processes in the system.\r\n3. Inject a piece of code into the explorer.exe process to load the loader module.\r\nStart manager module\r\nOnce the loader module is loaded in the explorer.exe process, it will realise that Explorer has become its host\r\nprocess by using the hash comparison described earlier. Then it will retrieve the encrypted manager module from\r\nthe hard disk and decrypt it with a key generated on the basis of the SystemRoot creation time. Next, the\r\nEntryPoint and Initialize functions of the manager module will be invoked in sequence so that the manager\r\nmodule can work in the Explorer process. We will discuss the manager module in detail later.\r\nRecord browser information\r\nIf the loader module is loaded in a process of iexplore.exe, firefox.exe or chrome.exe, it will record some\r\ninformation in the registry key ‘HKCU\\Software\\Microsoft\\Notepad’ or, if that fails,\r\n‘HKCU\\Software\\AppDataLow’. 
The value ‘LastMsg’ is set to the number of browser processes that have been\r\ninjected by the loader module. The value ‘msg{Number}’ records the identity of the browser program being\r\ninjected. Some examples are as follows:\r\nValueName = ‘msg0’, data = ‘MD I’ for Internet Explorer\r\nValueName = ‘msg1’, data = ‘MD F’ for Mozilla Firefox\r\nValueName = ‘msg2’, data = ‘MD C’ for Google Chrome.\r\nBeef file\r\nIf the loader module is loaded in the Explorer process or any other user-mode process, such as a web browser\r\nprocess, it will search for a special file in the folder containing the loader module. The file in question is\r\nXTEA-encrypted and its first double-word after decryption should be 0xBEEFBEEF. We call it the ‘beef file’. The\r\ndouble-word 0xBEEFBEEF is written into the beef file by the loader module. Other data in the beef file will be\r\nwritten by the manager module, which will be discussed later. The structure of the beef file is as follows:\r\nBeef File:\r\n+0 0xBEEFBEEF\r\n+4 NumOfEntries (should be \u003c= 0x20)\r\n+8 BeefEntry[NumOfEntries]\r\nStruct BeefEntry:\r\n+0 EntryName\r\n+14h SizeHashes\r\n+18h SizeModule\r\n+1Ch Hashes[SizeHashes]\r\n+1Ch+SizeHashes Module[SizeModule]\r\nEntryName: entry name consisting of four characters, including ‘mini’, ‘mi64’, ‘gbcl’, ‘gc64’, ‘iecl’, ‘ffcl’, ‘crcl’\r\nand ‘snif’.\r\nHashes: an array of hashes. The loader module will compare the hash of the name of its host process with each\r\nhash in this array. If a match is found, the corresponding module stored in this BeefEntry will be loaded into the\r\nhost process. 
Module: a module exporting two functions – Initialize and Deinitialize.\r\nModule life cycle\r\nWhen the manager module or a plug-in module from the beef file is loaded into a process by a copy of the loader\r\nmodule injected into the same process (the manager module will only be loaded in the Explorer process), its\r\nEntryPoint function and then its Initialize function will be invoked by the loader module (see Figure 6).\r\nFigure 6. Invoke Initialize function.\r\nWhen the manager module or plug-in module finishes its work, its Deinitialize function will be invoked by the\r\nloader module. After that, the loader module will unload itself by calling the FreeLibrary API and then reload\r\nitself by calling the LoadLibraryA API with the path of the loader binary on disk as the parameter. Using this\r\nmethod, the loader module, manager module and plug-in modules are periodically reloaded into a host process,\r\nwhich ensures that any newly downloaded or updated modules will be given a chance to run.\r\nAnti-Trusteer Rapport\r\nAs an advanced banking trojan, Sinowal is equipped with a weapon to defeat Trusteer Rapport [4], a security tool\r\nused to prevent phishing and man-in-the-browser attacks. Trusteer Rapport runs in all browser processes,\r\nmonitoring suspicious activities by hooking Windows APIs.\r\nIf Trusteer Rapport is found to be installed on the compromised machine, the following actions will be taken by\r\nthe loader module running in a browser process:\r\n1. Suspend all threads belonging to the Trusteer Rapport module in the browser process.\r\n2. Restore the APIs in the following DLLs from their original binary files on disk, undoing the hooks:\r\nntdll.dll\r\nkernel32.dll\r\nuser32.dll\r\ngdi32.dll\r\nwininet.dll\r\nws2_32.dll\r\nole32.dll\r\nurlmon.dll\r\noleaut32.dll\r\ncomctl32.dll\r\ncomdlg32.dll\r\nwintrust.dll\r\n3. 
Hook the NtCreateThread and NtCreateThreadEx APIs to abort threads created by Trusteer Rapport.\r\n4. If the top-level exception filter is in the Trusteer Rapport module, replace it with\r\nUnhandledExceptionFilter.\r\nManager module\r\nThe manager module downloaded by the loader module plays a central role in the malware’s activity. It will\r\ndownload plug-in modules and configuration data from the C\u0026C server for stealing information such as bank\r\naccounts. Downloaded plug-in modules will be stored in the beef file, while the configuration data is written into a\r\nlocal encrypted file. The manager module communicates with the plug-in modules through a named pipe. This\r\nmodule is dubbed ‘gbcl’ (32-bit version) or ‘gc64’ (64-bit version).\r\nTime-based DGA for C\u0026C server\r\nUnlike the hard-coded C\u0026C server URL used for downloading the manager module, the C\u0026C server domains for\r\ndownloading configuration data and plug-in modules are obtained through a DGA (Domain Generation\r\nAlgorithm) which is based on the current date and time taken from Google. Some generated domains are shown in\r\nFigure 7.\r\nFigure 7. C\u0026C server domains.\r\nRegister bot with C\u0026C server\r\nTo register the compromised machine with the C\u0026C server, encrypted local information, including the IP address\r\ntable, is uploaded. A custom encryption algorithm is employed in the communication between the manager\r\nmodule and the C\u0026C server. The first double-word of the transferred data is the crypt key, and a signature double-word, ‘BIP’ 0x02, is located at offset 0x10 from the beginning of the decrypted data, as shown in Figure 8.\r\nFigure 8. 
Crypt key and signature double-word.\r\nDownload plug-in modules and configuration\r\nPlug-in modules and configuration data are downloaded using the same encryption scheme as described above.\r\nThe configuration contains thousands of URLs belonging to online banks and e-commerce services around the\r\nworld. A small piece of decrypted configuration is shown in Figure 9.\r\nFigure 9. URLs in configuration.\r\nThe URLs in the configuration data reveal that the financial institutions targeted by Sinowal are distributed in the\r\nfollowing countries:\r\nEurope\r\nAndorra, Austria, Belgium, Bulgaria, Switzerland, Cyprus, Czech Republic, Germany, Denmark, Spain,\r\nFinland, France, Guernsey, Greece, Hungary, Ireland, Isle of Man, Iceland, Italy, Jersey, Cayman Islands,\r\nLiechtenstein, Luxembourg, Latvia, Malta, New Caledonia, Netherlands, Norway, Poland, Portugal,\r\nRomania, Russian Federation, Sweden, Slovenia, Slovak Republic, Turkey, United Kingdom.\r\nAsia\r\nUnited Arab Emirates, China, Israel, India, Japan, Nepal, Qatar, Singapore.\r\nAfrica\r\nKenya, Uganda, South Africa.\r\nNorth America\r\nCanada, United States.\r\nLatin America\r\nArgentina, Brazil, Belize, Mexico.\r\nOceania\r\nAustralia, New Zealand, Samoa.\r\nThe plug-in modules are downloaded and stored in the beef file.\r\nPipe communication\r\nThe manager module creates a named pipe through which it exchanges data and scripts with the plug-in modules.\r\nThe pipe’s name is generated by the routine shown in Figure 10.\r\nFigure 10. 
Generation of pipe name.\r\nBanking fraud for Internet Explorer\r\nA plug-in module named ‘Iecl.dll’ (Figure 11) is injected into the iexplore.exe process to perform banking fraud.\r\nThe main functionality of this module is to steal sensitive information such as the login and password details of\r\ncompromised users for online banks and e-commerce sites, and to run customized scripts from the C\u0026C server at\r\nspecific times.\r\nFigure 11. Iecl module information.\r\nPreparation\r\nBecause Sinowal targets victims who speak various languages around the world, it is important to ensure\r\nthat mlang.dll, which provides multi-language support, exists on the victim’s computer. If mlang.dll does not exist\r\non the machine, the Iecl module will not work.\r\nTo enable browser active scripting, which is required by the Iecl module, the registry value\r\n‘HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1400’ is set to zero. This means\r\nthat Internet Explorer will no longer prompt the user before running dynamic scripts.\r\nHijack Internet Explorer\r\nFigure 12 shows an overview of the complete procedure of stealing bank accounts and running the malicious\r\nscript. In the following sections, we will discuss how it works, step by step.\r\nFigure 12. Procedure of hijacking IE.\r\nMonitor and respond to web browser events\r\nThe Iecl module will enumerate all running instances of Internet Explorer (IE). 
For each IE browser object, a\r\nproperty named ‘__BRCL__’ is created and set as a string generated as a result of calling the GetTickCount API.\r\nThis property is used to identify a specific IE browser object.\r\nFor each IE object, an IDispatch interface object is constructed and connected to the IConnectionPoint interface of\r\na connection point for the DIID_DWebBrowserEvents2 of the browser object. In this way, the IDispatch object\r\ncan respond to browser events using the Invoke method.\r\nIf the dispIdMember parameter of the Invoke method is DISPID_BEFORENAVIGATE2 or\r\nDISPID_NEWWINDOW3, the Iecl module will check the URL the browser is going to. If the URL is on a\r\nblacklist maintained by Sinowal, the visit to this URL will be cancelled by setting DISPPARAMS.Cancel to\r\nVARIANT_TRUE.\r\nIf the dispIdMember parameter is DISPID_NAVIGATECOMPLETE2, the Iecl module will check the URL the\r\nbrowser has arrived at. If the URL is blacklisted, navigation will be stopped by calling IWebBrowser2::Stop.\r\nIf the dispIdMember parameter is DISPID_DOWNLOADBEGIN, the host name of the current URL will be\r\nobtained and saved in the IDispatch object constructed for this browser object.\r\nIf the dispIdMember parameter is DISPID_BEFORENAVIGATE2, DISPID_DOWNLOADBEGIN,\r\nDISPID_NAVIGATECOMPLETE2 or DISPID_DOWNLOADCOMPLETE, the IHTMLDocument2 interfaces of\r\nall the frames opened in the browser will be obtained. An IDispatch interface object will be created for each\r\nframe. This IDispatch object will be connected to the IConnectionPoint interface for the\r\nDIID_HTMLDocumentEvents2 of the frame. If the value of the ‘tagName’ property of this frame is ‘BODY’, the\r\nIDispatch object will also be connected to the IConnectionPoint interface for the\r\nDIID_HTMLTextContainerEvents2 of the frame. 
The job of this IDispatch object is to monitor forms on web\r\npages and to execute a given script at specific points in time, which will be discussed later.\r\nIf the dispIdMember parameter is DISPID_ONQUIT, the IDispatch object for DIID_DWebBrowserEvents2 will\r\nbe disconnected from the connection point. If no other IE browser instance is running in the system, a WM_QUIT\r\nmessage will be sent to the Iecl module, which will then cease to work.\r\nStealing sensitive form information\r\nThe Invoke method of the IDispatch object for DIID_HTMLDocumentEvents2 and\r\nDIID_HTMLTextContainerEvents2 will find all form elements on a web page and monitor the content and\r\nsubmission of each form.\r\nIf the dispIdMember parameter of the Invoke method refers to keyboard and mouse events, such as\r\nDISPID_HTMLDOCUMENTEVENTS2_ONCLICK or\r\nDISPID_HTMLDOCUMENTEVENTS2_ONKEYPRESS, the Invoke method will do nothing.\r\nIf the dispIdMember parameter is DISPID_HTMLDOCUMENTEVENTS2_ONREADYSTATECHANGE or\r\nDISPID_HTMLDOCUMENTEVENTS2_ONPROPERTYCHANGE, and the readyState of the HTML document\r\nis ‘complete’, the following actions will be taken on each form in the HTML document:\r\nFirst, an attribute named ‘cnct’ will be created for the form. This attribute is used as a flag telling the Iecl module\r\nthat the form is already under control.\r\nSecondly, a newly created IDispatch object will be connected to the connection point for the\r\nDIID_HTMLInputTextElementEvents of each input text element of the form if the type of the element is\r\n‘password’ and the method of the form is ‘post’. In the Invoke method of the IDispatch object, an attribute named\r\n‘pwd’ is created for the password input text element, and the value of this attribute is set to the content of the\r\nelement – which is very likely the password entered by the compromised user. 
The ‘pwd’ attribute is used to\r\nhighlight the password when the form content is grabbed and sent to the C\u0026C server.\r\nNext, two IDispatch objects are created. One is attached to the onsubmit event of the form by calling\r\nIHTMLElement2::attachEvent; the other is assigned to the member ‘submit’ by calling IDispatchEx::InvokeEx\r\nwith the parameter wFlags set to DISPATCH_PROPERTYPUT. These two IDispatch objects are used to collect\r\nthe following sensitive information:\r\nThe current URL representing the web page containing the form\r\nThe value of the property ‘action’ of the form, which is the destination URL to which the form content\r\nshould be sent by an HTTP post command\r\nThe name, type and value of each item in the form.\r\nFinally, the grabbed form data will be sent through a pipe to the manager module, which in turn will send the\r\ninformation to the C\u0026C server.\r\nCustom script engine\r\nWhen the state of an HTML document changes to ‘rendering’, ‘download_complete’ or ‘submit’, the Iecl module\r\nreports the current URL and HTML document state to the C\u0026C server and receives a custom script to execute.\r\nThe manager module acts as a middle-man in this procedure.\r\nIn order to run the custom script provided by the C\u0026C server, the Iecl module creates a member of\r\nIHTMLDocument::Script and names the member with a randomly generated string. Then an IDispatch interface\r\nobject is created and wrapped in a VARIANTARG with type VT_DISPATCH. 
This VARIANTARG will be\r\nassigned to the randomly named member of IHTMLDocument::Script so that this member will act as a script\r\ninterpreter, recognizing and executing the custom script provided by the C\u0026C server.\r\nThe IDispatch object for the randomly named member contains names of a set of commands used in the custom\r\nscript, each command having a number as its ID, which will be retrieved by the GetIDsOfNames and GetDispID\r\nmethods.\r\nIn the Invoke method of this IDispatch object, commands of the custom script will be parsed and executed. The\r\ncommands and their descriptions are as follows:\r\njsre (dispId 0x01): JavaScript regular expression parser.\r\nopen (dispId 0x02): open given URL with given referrer. The parameter is in the format {Host}/{Path}?rhcpre=\r\n{Base64 Encoded Referrer}\u0026{Parameter List}. The URL to be opened is {Host}/{Path}?{Parameter List}, and\r\nthe referrer set in the HTTP header is {Base64 Decoded Referrer}. This command gives the Iecl module the\r\nability to pop up a phishing page at the appropriate time without raising suspicion.\r\nclose (dispId 0x03): close a specific Internet Explorer browser object.\r\neval (dispId 0x04): run the custom script given as the first parameter. 
The second parameter is the value of the\r\n‘__BRCL__’ property identifying the browser object.\r\nscreen (dispId 0x05): take a screenshot in JPEG format and send it to the C\u0026C server.\r\nencrypt (dispId 0x06): custom encryption routine using XOR.\r\nimage (dispId 0x07): get and base64-encode the stored data of a given URL in the cache entry file.\r\nrequest (dispId 0x08): download a string from the C\u0026C server using the IStream interface.\r\nvideo (dispId 0x09): record an MPEG video of the user screen by using an open-source x264 library embedded in\r\nthe Iecl module, and send the video to the C\u0026C server.\r\nupdate (dispId 0x0A): update the time property of the current host.\r\nfreeze (dispId 0x0B): lock the in-place activation window in the browser.\r\nunfreeze (dispId 0x0C): unlock the in-place activation window in the browser.\r\ncookie (dispId 0x0D): search cookies for the current URL.\r\nreport (dispId 0x0E): report local information to the C\u0026C server.\r\nBanking fraud for Google Chrome\r\nFor the Google Chrome browser, a plug-in module named ‘CrclReg.dll’ is downloaded and injected into all\r\nrunning chrome.exe processes (see Figure 13).\r\nFigure 13. CrclReg module information.\r\nInstall Chrome extension\r\nThe main job of the CrclReg module is to install a Chrome extension which will conduct banking fraud. The files\r\nfor the Chrome extension, including a DLL, are embedded in the binary of the CrclReg module, as shown in\r\nFigure 14.\r\nFigure 14. Files for Chrome extension.\r\nIn fact, the original name of the DLL for the extension is ‘Crcl.dll’, as shown in Figure 15.\r\nFigure 15. 
Crcl.dll for Chrome extension.\r\nThese files are dropped into a randomly named folder in the C:\\WINDOWS\\TEMP directory.\r\nTo install the extension, the following shell command is executed by calling the ShellExecuteA API with the\r\nparameter operation set to ‘open’:\r\n{Path of chrome.exe} --pack-extension=’{Path of Randomly named Folder}’ --no-message-box\r\nA .crx file is generated as a result of the command.\r\nThe ScriptItemize, ShowWindow and DrawTextW APIs are hooked to make the installation process silent and\r\ninvisible. In addition, the extension is enabled in incognito mode. We can see the installed extension named\r\n‘Default Plug-in’ in Chrome’s extension panel, as shown in Figure 16.\r\nFigure 16. Malicious Chrome extension.\r\nMonitoring web activities\r\nIn the exported NP_GetEntryPoints function of Crcl.dll, a set of NPAPI functions is provided for the browser to\r\ninvoke at the appropriate time. The most important NPAPI functions are NPP_New and NPP_GetValue.\r\nNPP_New is called by the browser to create a new instance of the extension. In this function, several listeners are\r\nset up to monitor web activities. The script setting the listeners is hard-coded in Crcl.dll, as shown in Figure 17.\r\nFigure 17. Script for monitoring web activities.\r\nThe script equips the extension with the capacity to redirect network traffic, forge the HTTP referrer, intercept\r\nsession cookies, and monitor browser navigation.\r\nGrab form content\r\nThe NPP_GetValue function creates a ScriptableNPObject to receive and execute the script from the browser. The\r\ncontent.js file packed in the .crx file of the extension contains a script for stealing form content. 
The de-obfuscated\r\nversion of content.js is shown in Figure 18.\r\nFigure 18. De-obfuscated content.js.\r\nThe submitEvent function defined in the script will grab the form content when a form is submitted. The collected\r\ninformation will be given as a parameter to a method also named ‘submitEvent’ of the ScriptableNPObject\r\nrepresenting the extension. This submitEvent method implemented in Crcl.dll will transfer stolen form data\r\nthrough a pipe to the manager module, which then communicates directly with the C\u0026C server.\r\nScript command list of extensions\r\nFrom inside the Invoke method of ScriptableNPObject for the extension, we can see a list of script commands and\r\nthe routines for executing them.\r\nFigure 19. The Invoke method of ScriptableNPObject.\r\nThe commands are as follows:\r\nbeforeNavigate: monitor the URL the browser is going to\r\nexecuteScript: get script from the C\u0026C server to run when the state of the HTML document changes to\r\n‘rendering’, ‘download_complete’ or ‘submit’\r\nbeforeRequest: redirect traffic for certain URLs\r\nbeforeSendHeaders: forge referrer in the HTTP request header\r\nsendHeaders: intercept information in the HTTP request header, including request method, destination URL,\r\nreferrer URL and HTTP session cookie\r\nsubmitEvent: send stolen form data to the manager module through a pipe\r\njsre, screen, video, encrypt, request, open, close, eval, image, update, cookie, report: implement the same\r\nfunctionalities as discussed in the section on Internet Explorer banking fraud.\r\nBanking fraud for Mozilla Firefox\r\nThe module for conducting banking fraud in Firefox, named ‘Ffcl.dll’, is similar to Iecl.dll in its code 
architecture.\r\nFigure 20. Ffcl module information.\r\nThe script embedded in the binary file for stealing form data is shown in Figure 21.\r\nFigure 21. Script in Ffcl.dll.\r\nFfcl.dll also has the same script command list as Iecl.dll.\r\nSniffer module\r\nA module named ‘gbsniffer.dll’ is employed to sniff network data and to harvest email addresses from\r\nPOP3/SMTP traffic and the usernames/passwords of FTP client applications installed on the compromised\r\nmachine (see Figure 22).\r\nFigure 22. Sniffer module information.\r\nHook APIs\r\nTo monitor data transferred on the network and intercept the input data of hash operations before it is hashed, the sniffer module\r\nhooks a number of APIs, listed as follows:\r\nWs2_32.dll: closesocket, WSASend, WSARecv, send, recv\r\nWininet.dll: InternetConnectA, HttpOpenRequestA, HttpSendRequestA, HttpSendRequestW, InternetReadFile,\r\nInternetCloseHandle\r\nAdvapi32.dll: CryptHashData\r\nBcrypt.dll: BCryptHashData\r\nnspr4.dll: PR_Read, PR_Write, PR_Close\r\nOle32.dll: CoGetClassObject\r\nHarvest email addresses and FTP accounts\r\nThe sniffer module will collect sensitive information from POP3, SMTP and FTP sessions. The following\r\ninformation extracted from a monitored session will be sent through a pipe to the manager module:\r\nName of client application for POP3, SMTP or FTP\r\nURL and port of POP3, SMTP or FTP server\r\nEmail addresses from POP3/SMTP or user account of FTP.\r\nThe code for harvesting email addresses is shown in Figure 23.\r\nFigure 23. Harvesting email addresses.\r\nConclusion\r\nSinowal has become a persistent trojan by continuously upgrading its weapons, including use of multi-stage\r\ninjection, time-based DGA, a complex encryption scheme and plug-in modules aimed at different kinds of\r\nbrowsers. 
Enormous economic losses affecting both individuals and institutions have been seen during the long\r\nevolution of this malware family. It is now time for the security community to launch a campaign which will put\r\nan end to the Sinowal story.\r\nBibliography\r\nSource: https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan"
	],
	"report_names": [
		"sinowal-banking-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434743,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90ecff9887189c53bc3ec0eb97e8a086f92a5adb.pdf",
		"text": "https://archive.orkl.eu/90ecff9887189c53bc3ec0eb97e8a086f92a5adb.txt",
		"img": "https://archive.orkl.eu/90ecff9887189c53bc3ec0eb97e8a086f92a5adb.jpg"
	}
}