{
	"id": "2e8566ce-bd1e-4b5c-b0e3-c25777712122",
	"created_at": "2026-04-06T00:19:35.637715Z",
	"updated_at": "2026-04-10T13:13:04.937859Z",
	"deleted_at": null,
	"sha1_hash": "fcaba02955bf1a00d68ac121e898da5e441cc616",
	"title": "A New Wave Of WIN32/CAPHAW Attacks | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 516759,
	"plain_text": "A New Wave Of WIN32/CAPHAW Attacks | Zscaler Blog\r\nBy Chris Mannon\r\nPublished: 2013-09-18 · Archived: 2026-04-05 17:04:43 UTC\r\nIntroduction and setting the context\r\nOver the last month, the ThreatLabZ researchers have been actively monitoring a recent uptick in the numbers of\r\nWin32/Caphaw (henceforward known as Caphaw) infections that have been actively targeting users' bank\r\naccounts since 2011.  You may recognize this threat from research done by WeLiveSecurity earlier this year in\r\nregards to this threat targeting EU Banking sites.  This time would appear to be no different.  So far, we have tied\r\nthis threat to monitoring it's victims for login credentials to 24 financial institutions.\r\nAbout Win32/Caphaw \r\nThe Caphaw trojan is a financial malware attack that functions similarly to the Carberp, Ranbyus, and Tinba\r\nthreats according to analysis done by WeLiveSecurity Researcher, Alekandr Matrosov. These attacks are carried\r\nout utilizing stealth tactics both on and off the wire.  Caphaw avoids local detection by injecting itself into\r\nlegitimate processes such as explorer.exe or iexplore.exe, while simultaneously obfuscating its phone home traffic\r\nthrough the use of Domain Generated Algorithm created addresses using Self Signed SSL certificates.  This limits\r\nthe ability of traditional network monitoring solution to dissect the packets on the wire for any malicious\r\ntransactions.  Caphaw attacks major European banks and previous analysis has shown that the malware is most\r\nactive in the UK, Italy, Denmark and Turkey. This is especially prevalent considering the mapped known infected\r\nnodes seen here. \r\nThe geoip (location) information derived from the infected host is of special significance to this malware. The\r\nmalware leverages the following legitimate URL: hxxp://j.maxmind.com/app/geoip.js to discover geoip\r\ninformation about its freshly infected victim.  
Administrators should view this transaction as a starting point for\r\ntheir investigation into any suspicious activity. It is not a malicious service, but illustrates how malware writers\r\ncan leverage even legitimate services. The infection uses the output of this script to extract location information\r\nabout the infected host/victim.\r\nAt the time of research, we were unable to identify the initial infection vector.  We can tell that it is more than\r\nlikely arriving as part of an Exploit Kit homing in on vulnerable versions of Java.  The reason we suspect this is\r\nthat the User-Agent for every single transaction that has come through our Behavioral Analysis (BA) solution has\r\nbeen: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07.\r\nhttps://www.zscaler.com/blogs/security-research/new-wave-win32caphaw-attacks-threatlabz-analysis\r\nPage 1 of 8\n\nThe UserAgent for known drop locations of this are manipulating users with Java version 1.6.07\r\nThe dropped executable differs across every instance, so it's no wonder standard AV is having\r\na problem keeping up (1/46 at time of research). This AV performance also indicates that the likelihood of\r\nsomeone proactively catching this infection inside their network is fairly low at the time of this writing.\r\nUse of DGA \r\nA domain generation algorithm (or DGA) is an algorithm seen in various families of malware to generate\r\na large number of quasi-random domain names.  These can be used to identify the malware's command and\r\ncontrol (CnC) servers so that the infected hosts can \"dial home\" and receive/send commands/data. The large\r\nnumber of potential rendezvous points with randomized names makes it extremely difficult for investigators and\r\nlaw enforcement agencies to identify and \"take down\" the CnC infrastructure. Furthermore, the use of encryption\r\nadds another layer of difficulty to the process of identifying and targeting the command and control assets. 
\r\nWhat initially drew us to this threat was the use of DGA following the execution of the dropped malicious\r\npackage. We ran three test instances of the attack sequence in our Behavior Analysis (BA) lab to illustrate the use\r\nof DGA in the malware's attack sequence:\r\nInstance 1\r\ncso0vm2q6g86owao.thepohzi.su\r\n5qloxxe.tohk5ja.cc\r\nk2s0euuz.oogagh.su\r\nInstance 2\r\nv8ylm8e.thepohzi.su\r\n2g24ar4vu8ay6.tohk5ja.cc\r\nd6vh5x1cic1yyz1i.oogagh.su\r\nInstance 3\r\nt2250p29079m6oq8.thepohzi.su\r\nngb0ef99.tohk5ja.cc\r\nnxdhetohak91794.oogagh.su\r\nThe pattern (\"ping.html?r=\") is commonly known to be used by past versions of Caphaw.  Don't panic straight\r\naway if you see this string in your user logs, however, as it is also commonplace among sites that use\r\n\"outbrain.com\" services.  You'll want to look for any URI path that uses /ping.html?r= that does not contain\r\n\"/utils/\".  Hopefully that helps narrow the search to see if you've encountered transactions similar to the following\r\nscreenshot.\r\nDGA is used to hide the phone home activity of the initial detection\r\nAcross all 64 distinct samples we've collected of this threat thus far, there have been 469 distinct IPs where there\r\nhas been a call to a DGA location.  
A small sample of those illustrates the connection between the phone home data\r\ncollected via network logs and the BA of the Caphaw samples.\r\nThe DGA used here shows a connection between Caphaw phone home activity and Sandboxed samples of the\r\nthreat in question\r\nUse of SSL encrypted communications\r\nThe initial indicators were in the form of mysterious self-signed SSL traffic between end user hosts and various\r\npoints of presence on the Internet, potentially components of the malware’s CnC infrastructure.  See the\r\nscreenshot below showing the self-signed SSL certificate used in the malware communication:\r\nOther screenshots below show the SSL handshake between the infected hosts and the remote CnC servers:\r\nSSL communication between infected host(s) and the remote CnC servers\r\nA binary executable (.exe) file is created in the attack sequence and masquerades as a .php file. This executable is\r\ncreated using Microsoft Visual C++ and the creator has not removed the debugging information from the final\r\nexecutable.\r\nBoth the location where this file is dropped and the name of the file itself are selected quasi-randomly. 
For\r\nexample, in one of the test instances we found this to be: \r\nC:\\Documents and Settings\\user\\ApplicationData\\Sun\\Java\\Deployment\\SystemCache\\6.0\\9\\typeperf.exe\r\nDuring the three instances of malware execution we ran in our BA lab, we observed the following executables and\r\ntheir drop locations:\r\n\\Documents and Settings\\%USER%\\ApplicationData\\Sun\\Java\\utilman.exe\r\n\\Documents and Settings\\%USER%\\ApplicationData\\Microsoft\\Proof\\eventtriggers.exe\r\n\\Documents and Settings\\%USER%\\ApplicationData\\Microsoft\\Office\\cliconfg.exe\r\nThe malware makes the following significant API calls: \r\nLoadLibrary\r\nGetProcAddress\r\nVirtualAlloc\r\nThe malware executable checks to see if it is running in a VM environment and also ensures that the host on\r\nwhich it is installed is connected to the Internet (failing which it will not run).\r\nThe malware also exhibits persistence by creating the following autorun entry in the registry:\r\nHKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run    dfrgntfs.exe      Unicode    \r\nC:\\Documents and Settings\\user\\Application Data\\Sun\\Java\\Deployment\\SystemCache\\6.0\\9\\typeperf.exe* \r\nsuccess or wait   1     B8EF5F      RegSetValueExA\r\nFurther, the executable, when run, modifies the explorer.exe process to ensure that its self-signed certificates are\r\nnot cached and it also hides inside the explorer.exe process to ensure that the protection banner is hidden for a\r\nstealthier execution: \r\nHKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3      2500  dword\r\n3     success or wait   1      DAEF5F      RegSetValueExA\r\nHKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings \r\nDisableCachingOfSSLPages      dword 1     success or wait  1     DAEF5F      
RegSetValueExA\r\nHKEY_USERS\\Software\\Microsoft\\Internet Explorer\\Main  NoProtectedModeBanner   dword 1     success\r\nor wait   1     DAEF5F      RegSetValueExA\r\nThe malware then augments system processes to hinder its removal, once again for persistence: \r\n328   C:\\WINDOWS\\system32\\wscntfy.exe     B30000      344064      D4 1E 5E EA 74 1E 9F 25 F9 CC 18 A3\r\n28 FD 93 C3 1E 78 1D 8C AC 81 22 5F D3 DF AB 7E 34 3E 49 B5 D4 7A 45 F5 5D 15 72 6E 0F 93 F6 4C 2F\r\nE6 6D 31 16 6C E1 DD BB 23 F7 71 6D 06 A7 40 D7 A7 EB FE 12 70 30 28 92 BD 7F 1D 41 BE 44 5F 38 97\r\nF5 27 E9 14 29 96 D1 28 05 C5 E5 D4 C8 72 94 D8 6A 11 EF 63 1D B4 89 A5 B8 FE 23 F2 1E C0 71 0E 18\r\n7D 5B 74 B7 20 A1 5A 5F CE 27 FC 53 7E E7 D7 55 72 31 BA 28 54 33 25 22 88 A2 15 45 59 CE A5 CF 64 23\r\nA7 AB E3 A4 4C C4 08 79 FC 5C BE 9C D1 FE 87 58 22 A4 B5 7D 64 29 E4 30 EC 87 D3 5D 1F F5 2B 4F\r\nA9 56 42 B9 6C B2 77 BD 90 C5 42 39 03 9E FD 93 E1 91 42 AF F8 1B 69 FD 2A 5E 5B 02 0A B4 6D FE FE\r\n73 0C AE 6C AD D6 36 C3 6D EA 48 B5 85 58 E3 94 81 07 09 18 66 9F 63 79 8F C4 3D B1 CB D3 72 6C 45\r\n4B 9B A3 3C 44 0B 61 57 98 7D 98 83    success or wait   1      DA8FB2      WriteProcessMemory\r\n   1612     164   7C8106E9    DC5A7B      C:\\WINDOWS\\explorer.exe success or wait   1     CC004D     \r\nCreateThread\r\nScope of the threat and impact\r\nFurther evidence of this being Caphaw exists in the banking information that it is listening for once it is injected\r\ninto key Windows Processes.  Amongst all samples analyzed, we found the following 24 major banks' sites were\r\nactively being monitored by the infection primarily to seek out the victim's online banking credentials. 
This is\r\nbased on data pulled from a thread added to the explorer.exe process.\r\nBank of Scotland\r\nBarclays Bank\r\nFirst Direct\r\nSantander Direkt Bank AG\r\nFirst Citizens Bank\r\nBank of America\r\nBank of the West\r\nSovereign Bank\r\nCo-operative Bank\r\nCapital One Financial Corporation\r\nChase Manhattan Corporation\r\nCiti Private Bank\r\nComerica Bank\r\nE*Trade Financial\r\nHarris Bank\r\nIntesa Sanpaolo\r\nRegions Bank\r\nSunTrust\r\nBank of Ireland Group Treasury\r\nU.S. Bancorp\r\nBanco Mercantil, S.A.\r\nVarazdinska Banka\r\nWintrust Financial Corporation\r\nWells Fargo Bank\r\nStrings found in explorer thread added by Caphaw\r\nThreatLabZ continues to monitor the Internet for this threat and its propagation. The lab is also currently engaged\r\nin dissecting this threat further in order to obtain more information about its attack methodology, scope and\r\nimpact. \r\nWritten by Sachin Deodhar \u0026 Chris Mannon (ThreatLabZ)\r\nSource: https://www.zscaler.com/blogs/security-research/new-wave-win32caphaw-attacks-threatlabz-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/new-wave-win32caphaw-attacks-threatlabz-analysis"
	],
	"report_names": [
		"new-wave-win32caphaw-attacks-threatlabz-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434775,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fcaba02955bf1a00d68ac121e898da5e441cc616.pdf",
		"text": "https://archive.orkl.eu/fcaba02955bf1a00d68ac121e898da5e441cc616.txt",
		"img": "https://archive.orkl.eu/fcaba02955bf1a00d68ac121e898da5e441cc616.jpg"
	}
}