{
	"id": "b72f6b0a-9cdb-4208-86b7-5592b0392c00",
	"created_at": "2026-04-06T00:08:09.365408Z",
	"updated_at": "2026-04-10T13:12:55.538317Z",
	"deleted_at": null,
	"sha1_hash": "ba65916e3a65fd22e6fe7c6412c0890d342f1a08",
	"title": "Smartcard vulnerabilities in modern banking malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 761185,
	"plain_text": "Smartcard vulnerabilities in modern banking malware\r\nBy Aleksandr Matrosov\r\nArchived: 2026-04-02 10:42:35 UTC\r\nAleksandr Matrosov and Eugene Rodionov presented their research into “Smartcard vulnerabilities in modern\r\nbanking malware” at PHDays'2012.\r\n05 Jun 2012 • 3 min. read\r\nLast week an epic security event took place in Russia – the PHDays’2012 conference. This event started last year\r\nas the first conference in Russia for security researchers focusing on deeply technical speakers – all the videos\r\ntranslated into English are already online here. This year, ESET Canada's Pierre-Marc Bureau presented a\r\nworkshop on “Win32/Georbot. Understanding a malware and automating its analysis”, about reverse engineering\r\nthe Georbot trojan. My colleague Eugene Rodionov and I presented the results of our research into\r\n“Smartcard vulnerabilities in modern banking malware”.\r\nOur presentation starts with a consideration of the evolution of the Carberp family of banking malware (we\r\nalready discussed this in our CARO presentation in May).\r\nOn the day before the conference I tracked blackhat SEO poisoning on the Russian Google search results page for\r\nrequests relating to Eurovision 2012 in the Russian language.\r\nThe first Google search item returned is a redirect to a malicious webpage passing itself off as a legitimate site\r\nabout Eurovision 2012. If a malicious JavaScript detected real user activity, the next step would be a redirection to\r\na Nuclear Pack exploitation service.\r\nhttps://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/\r\nPage 1 of 6\n\nNuclear Pack uses some interesting techniques for generating unique file names with exploitation vectors to\r\nbypass crawlers – if you can't step all the way through the malicious redirection, you can't track all the logic that\r\ngoverns name generation. All Java exploits here used layered obfuscation, and used applet parameters to\r\nimplement the deobfuscation flow.\r\nThe second part of our talk was about attack techniques against client-bank systems. The most interesting part of\r\nthe presentation was about vectors for attacks on smartcards. In 2010 we already published a blogpost – “Dr. Zeus:\r\nthe Bot in the Hat” – about the manipulation of APDU commands and hidden remote channels for controlling a\r\nsmartcard device. This bot is still in the wild and ESET detects this family as Win32/Spy.Ranbyus (MD5:\r\nF2744552D24F7EA31E64228EB3022830). We have found functionality for covert smartcard manipulation in the\r\ncode of the latest modifications too. The current C\u0026C (Command \u0026 Control) has changed domain, to\r\nwh1tesun.info (80.79.117.171).\r\nIf Win32/Spy.Ranbyus finds an active smartcard or smartcard reader device on the infected machine, the bot sends\r\nthis information to the C\u0026C with a description of the type of smartcard it finds. All malicious smartcard\r\nmanipulation works at the SmartCard API level.\r\nThe user authenticates to the smartcard device, and the bot sends a signal to the C\u0026C. After that, the smartcard\r\ncan be used remotely through the C\u0026C by means of APDU command manipulation, allowing the whole typical smartcard\r\nworkflow to be performed using the victim's credentials.\r\nThe next interesting case involving smartcards was detected at the beginning of this year. Hodprot, the latest\r\nCarberp cybercrime group, switched to using RDPdoor v4.2.x (MD5:\r\n0E9CCECABA272942F1A4297E42D3BA43). This modification collects information about an infected system\r\nand devices in use by means of SetupApi.\r\nIts activity is focused on smartcard devices used in Russian remote banking systems:\r\nIf a smartcard device is detected, the bot prepares a special description to send to the C\u0026C:\r\n[VendorId]:[ProductId]:[Revision]:[InfoRetrievedFromDevice]:[DeviceNameOrDescription]\r\nExamples of the filled-in structure look like this:\r\n0A89:0060:0102:06512119781D0E:Rutoken Magistra;\r\n096E:0005:0290:065C62807A1C0E:USB Token Device;\r\n0A89:0060:0102:06336059708D9E:Rutoken Magistra;\r\n0CA6:00A0:0010:06024350706F87:USB Smart Card reader;\r\n23A0:0002:0100:20BEA090712EC1:BIFIT ICCD Smart Card Reader;\r\n2022:0008:1001::USB Smart Card reader;\r\nA420:542A:0100::VPN Key;\r\n0A89:0020:0200::Rutoken S;\r\nRDPdoor collects a great deal of information about the infected system to facilitate subsequent analysis by the\r\nbotmaster.\r\nAfter analysis, the botmaster can send additional commands back to the bot for installing additional modules onto\r\nthe infected system. If a smartcard device is detected, RDPdoor can install FabulaTech USB for Remote Desktop\r\nto implement remote control of smartcards on the infected machine.\r\nThe use of smart cards reduces the security risks of online transactions, but we see here some attacks that bypass\r\nsmartcard security at the operating system API level in order to steal money.\r\nAleksandr Matrosov, Security Intelligence Team Lead\r\nSource: https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/"
	],
	"report_names": [
		"smartcard-vulnerabilities-in-modern-banking-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434089,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba65916e3a65fd22e6fe7c6412c0890d342f1a08.pdf",
		"text": "https://archive.orkl.eu/ba65916e3a65fd22e6fe7c6412c0890d342f1a08.txt",
		"img": "https://archive.orkl.eu/ba65916e3a65fd22e6fe7c6412c0890d342f1a08.jpg"
	}
}