This month we added Win32/Caphaw and Win32/Bepush to the Malicious Software Removal Tool (MSRT).

Caphaw is a malware family that can be used by criminals to gain access to your PC - the ultimate goal is to steal your financial or banking-related information. The graph below shows the number of machine encounters we have seen since September 2013.


Figure 1: Caphaw encounters

Caphaw can be installed on a PC via malicious links posted on Facebook, YouTube, and Skype. It can also spread through infected removable drives and drive-by exploits.

Once installed it can use a plugin mechanism to download several other programs from its command and control server. Here are some of the plugins and routines that we have seen being downloaded:

  • Archiver — A command-line version of winrar.exe, used to compress files before they are uploaded to remote servers.
  • Backsocks — Allows remote connection to the infected machine, with the ability to tunnel through private networks and firewalls.
  • VNC — A backdoor that allows the attacker to run commands on an infected machine.
  • Diskspread — Helps the threat to spread by writing itself to removable drives.
  • Ftpgrabber — A password stealer.
  • VideoGrabber — Used for video recording and uploading video to a remote server.
  • MsgSpread — Helps Caphaw spread by posting Skype messages through the infected user’s account.
  • SpBot — A spamming routine.
  • Rootkit/Bootkit — A master boot record infection routine.
  • WebInject — Injects HTML code to trick users and steal banking/financial related information.

We have seen this family targeting the customers of a range of popular banks and financial institutions. Using data from the WebInject plugin mentioned above, it injects content into the user’s browser that mimics the requested bank’s website and login page. The user’s login data is then sent to servers controlled by Caphaw.

Caphaw also has capabilities beyond just stealing banking information. It allows backdoor access even if the infected machine is behind firewalls or in a private network, which is commonly seen in commercial network setups. It can also steal other data, such as FTP passwords, and files from the user’s machine.

With its modular plugin architecture, the malware author can develop almost any payload and use Caphaw to deliver it to the infected machine.

There is more information about this family in the Win32/Caphaw description.

The best protection from this and other threats is to run an up-to-date real-time security product such as Microsoft Security Essentials.

Edgardo Diaz and Jody Koo

MMPC