OddJob

OddJob
(Type: Banking trojan, Backdoor, Info stealer, Credential stealer)

(IBM) OddJob’s most obvious characteristic is that it is designed to intercept user communications through the browser to steal or inject information and terminate user sessions inside Internet Explorer and Firefox. We have extracted OddJob’s configuration data and concluded that it is capable of performing different actions on targeted websites, depending on its configuration. The code is capable of logging GET and POST requests, grabbing full pages, terminating connections and injecting data into Web pages. All logged requests and grabbed pages are sent to the C&C server in real time, allowing fraudsters to perform session hijacks — also in real time but hidden from the legitimate user of the online bank account. By tapping the session ID token, which banks use to identify a user’s online banking session, the fraudsters can electronically impersonate the legitimate user and complete a range of banking operations.

[News Analysis] Trends:

Total Trend: 0

Trend Per Year


Trend Per Month



[News Analysis] News Mention Another Threat Name:



[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

Basic Information (Credit @etda.or.th)

Tool: OddJob

Names: OddJob

Description: (IBM) OddJob’s most obvious characteristic is that it is designed to intercept user communications through the browser to steal or inject information and terminate user sessions inside Internet Explorer and Firefox. We have extracted OddJob’s configuration data and concluded that it is capable of performing different actions on targeted websites, depending on its configuration. The code is capable of logging GET and POST requests, grabbing full pages, terminating connections and injecting data into Web pages. All logged requests and grabbed pages are sent to the C&C server in real time, allowing fraudsters to perform session hijacks — also in real time but hidden from the legitimate user of the online bank account. By tapping the session ID token, which banks use to identify a user’s online banking session, the fraudsters can electronically impersonate the legitimate user and complete a range of banking operations.

Category: Malware

Type: Banking trojan, Backdoor, Info stealer, Credential stealer

Information: https://securityintelligence.com/oddjob-new-financial-trojan-keeps-online-banking-sessions-open-after-users-logout/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.oddjob

Last-card-change: 2020-05-24

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact