Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

(U) Previously, the Sinowal Banking Trojan was of interest due to its Web Form Scraping technique, in which sensitive elements of a webpage could be intercepted without the user's knowledge. At that time, the COM APIs that were used had been superseded circa 2005 and we believed that no technique could be applied to post-XP operating systems.

(U) Recent research into the COM API revealed a number of newer APIs that appear to be functionally similar to the Sinowal Web Form Scraping technique.

(U) Due to the complex / confusing nature of the COM API names, specific excerpts of the original Sinowal article from Virus Bulletin (June 2014) are referenced throughout the analysis.

(U) Ultimately, we were not able to implement the entire functionality of the Web Form Scraping technique while strictly adhering to the description found in the Virus Bulletin report. We believe the technique may still be possible while adhering to the steps laid out in the report. We are able to progress further into the general technique if we deviate from the steps in the report, but we are unable to determine whether or not the end result will be the same.

(U) All Web Form Scraping functionality that we discuss in the subsections below is contained within the Iecl module of the Sinowal malware.

(U) The Virus Bulletin report did not specify the exact technique used to enumerate running instances of Explorer / IExplorer. The IDispatch interface that is used extensively later in the method for each window that is enumerated may only be obtained through methods within the IShellWindows interface.

(U) After enumerating each window, most of the critical functionality is implemented using a Source / Sink approach that is connected using an IConnectionPoint interface. The source can be anything that the user may interact with (e.g., Window, HTML Element).

(U) The Sink is our own implementation of an interface that handles events (e.g. DWebBrowserEvents2). A new Sink class must be created for each type of event interface we are handling (i.e. DWebBrowserEvents2 vs. HTMLDocumentEvents2).

(U) Each IDispatch object has a variety of connections to other various interfaces. After instantiating our Sink, we get a pointer to its IUnknown interface. Using this pointer, we can then call Advise() to link the Source and Sink together.

(U) When any event occurs, any Sink that has been linked (using Advise()) to receive the category of events is signaled using the Invoke() method. The Invoke method contains a large number of arguments, as seen below in Figure 1.