Peter Kruse and Dennis Rand, CSIS

Dennis Rand

The Danish Patcher case

CSIS Security Group has been investigating a very large targeted attack against Danish end users that resulted in a massive compromise of multiple eBanking solutions in Denmark. It is the largest targeted attack against Denmark seen so far, with more than 10,000 infected PCs registered over a period of six months. The attack was carried out in two separate waves spanning more than a year.

This presentation focuses on the malware family known as BankPatch/Multibanker/Patcher/NadeBanker. We will show how this banker circumvents eBanking solutions using a combination of MitB (man-in-the-browser) tricks and the manipulation of certain Java applets. We will also show how the operation is controlled through a front-end C&C server and a back-end SQL database. The Patcher gang buys "pay per install" distribution from people related to the Mebroot/Torpig gang. Over the past three years they have carried out attacks against Holland, Denmark and Greece. The botnet consists of approximately 15,000 infected PCs, located primarily in Denmark, Greece and Ireland.

The presentation is divided into the following topics: the Patcher malware in detail / how this group operates / profiling the group / anti-virus detection statistics / how we mitigated this attack working with ISPs and law enforcement.