The Stack Archive

Son of Emmental: TROJ_WERDLOD banking Trojan wild in Japan

Fri 1 May 2015


A variant of the banking malware set-up used in Operation Emmental in December 2014 is reported to be making deeper inroads into the Japanese banking networks than its predecessor, with 400 known victims to date.

Named TROJ_WERDLOD by researchers at Trend Micro, the new strain has altered two of its core characteristics, which permit it to attempt network-level theft without malware remaining resident in memory and, crucially, without the need for the target machine to reboot.

The Emmental modus operandi is high-effort compared with the average phishing attack, but like such attacks it still relies – even in the new variant – on the victim opening a rich-text format (RTF) file which launches the infection process, and on the 1990s-style way in which email systems display attachment names. Additionally, the user needs to be credulous enough to double-click an icon in the opened RTF document, which is in reality the initial spur of the infection.


The emails sent in the Emmental scenario come from major suppliers which the victims are statistically likely to be doing business with.

After this point the running malware will alter the host PC's domain name server (DNS) settings via a proxy PAC file, with optional JavaScript code to help select the best C&C malware server to orchestrate the attack process. In the case of TROJ_WERDLOD the domains were Japanese and included several online banking portals, characterising the campaign as aimed at Japan. The Google Chrome and Internet Explorer browsers refer to this amended setting, and the malware also changes the appropriate setting in Firefox, which does not.

In addition to the DNS hack, the initial malware run places a trusted root (SSL) certificate on the target system, and this will allow secure phishing sites to run mixed content without a tell-tale warning popping up – a Man-in-the-Middle (MitM) attack vector. The malware silently and invisibly hits the ‘Accept’ button on the security warning which this bogus certificate installation prompts.

With DNS enabling the MitM incursion and the crucial root certificate allowing the victim to interact with the bank unhindered by any security warnings, the TROJ_WERDLOD actors are able to proceed to intercept details of online banking transactions and potentially gain access to a user’s account.

TROJ_WERDLOD does not use Emmental’s approach of SMS authentication via fake secure mobile apps, as this is not a common security scenario in Japanese online banking. Trend Micro advises the use of EV (Extended Validation) certificates over SSL as an added security measure for online banking. These are user-specific, and require registration, and – if necessary – the ability to contact the user directly.
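Because the proxy PAC change described above persists in browser configuration without any running process, it can be audited from the settings themselves. The following is an added example, not code from the article or from Trend Micro: it reads a Firefox `prefs.js` and the output of `reg query` on the per-user Internet Settings key, and flags any PAC URL whose host is not approved. The sample inputs, the `.invalid` and `.example` hostnames and the allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Firefox keeps user prefs as lines of: user_pref("name", value);
FF_PREF = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')
# `reg query` prints value lines as: <name>  REG_SZ  <data>
REG_PAC = re.compile(r'^\s*AutoConfigURL\s+REG_SZ\s+(\S+)', re.M | re.I)

# Constructed sample inputs (not taken from any real infection).
SAMPLE_PREFS = '''user_pref("browser.startup.page", 3);
user_pref("network.proxy.autoconfig_url", "http://pac.example.invalid/proxy.pac");
user_pref("network.proxy.type", 2);
'''
SAMPLE_REG = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x0
    AutoConfigURL    REG_SZ    http://pac.example.invalid/proxy.pac
'''

def firefox_pac(prefs_text):
    """Return the PAC URL Firefox is actually using, or None."""
    prefs = {k: v.strip().strip('"') for k, v in FF_PREF.findall(prefs_text)}
    # network.proxy.type == 2 means "automatic proxy configuration URL";
    # a leftover autoconfig_url with any other type is not in effect.
    if prefs.get("network.proxy.type") == "2":
        return prefs.get("network.proxy.autoconfig_url") or None
    return None

def windows_pac(reg_query_text):
    """Return the per-user AutoConfigURL used by IE and Chrome, or None."""
    m = REG_PAC.search(reg_query_text)
    return m.group(1) if m else None

def audit(prefs_text, reg_query_text, approved_hosts):
    """List (source, url) pairs whose PAC host is not on the allowlist."""
    findings = []
    for source, url in (("firefox", firefox_pac(prefs_text)),
                        ("wininet", windows_pac(reg_query_text))):
        if url is None:
            continue
        # file:// and malformed URLs have no hostname and are always flagged.
        host = (urlparse(url).hostname or "").lower()
        if host not in approved_hosts:
            findings.append((source, url))
    return findings

if __name__ == "__main__":
    for source, url in audit(SAMPLE_PREFS, SAMPLE_REG, {"wpad.corp.example"}):
        print(f"unapproved PAC ({source}): {url}")
```

A hit from this check is also a reason to review the machine's trusted root certificate store, since the article describes both changes being made in the same run.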

