Tuesday, April 2, 2013

Brazilian banking Trojan tricks


So I encountered what I suspect to be a banker focused on Brazilian banks. (Win32/Bancos)


Part 1 - spam mail:


Fiscal note

















Mail from: mail.unimedsc.com.br - 187.115.59.244 - IPvoid Result

The mail reads:
Emissão de Nota Fiscal
Prezado cliente,
Segue abaixo o(s) link(s) para acesso à nota fiscal eletrônica.
Notas Fiscais
Nota    Codigo de Verificacao    Visualizar
11932075    DTU8DBSW    NF-eletronica-8457348947..Docx
Atenciosamente,
Equipe de Cobrança:

Roughly translated:

Issue of Invoice
Dear customer,
Below is a (s) link (s) to access electronic invoices.
invoices
Note the Verification Code View
11932075 DTU8DBSW NF-electronic-8457348947 .. Docx
Sincerely,
Team Collection:

Clicking on the link leads to a ZIP file on Dropbox. I've already requested the file/URL to be removed.



Part 2 - executing the file:

The victim needs to unzip the file and run the malware:

So-called .docx with a mismatching icon





Seems the malware authors got their filetypes wrong, a .docx file should have a Word icon, not a MPEG-4 icon. ;-)
Either way, the malware is neither a Word or MPEG file, it's actually an executable, as can be seen in the screenshot above.


Some details about the file:
NF-eletronica-987812165162.Docx.exe
MD5: 65ba9ff22e4e9073dda5ecae0fd056a7
Detections: 4/46 
VirusTotal Result
Anubis Result
ThreatExpert Result

The file connects to the following IPs:
54.244.228.88 - IPvoid Result
91.136.8.9 - IPvoid Result
187.45.193.134 - IPvoid Result

This is where it gets a bit more interesting: the file downloads from 54.244.228.88 a .hlp file called:
updados.hlp - VirusTotal Result

Basically, this is a compressed .hlp file (Help-file for Windows) which contains 3 more .hlp files:
help01.hlp
help02.hlp
help03.hlp

The files then get renamed randomly and a folder in %ProgramFiles% gets created with a random filename, for example:
C:\Program Files\2x8H8g

Most malware of today gets dropped in %systemroot% or %appdata%. The following entries were added to the registry to ensure persistance:

Autorun entries with fancy icons








Part 3 - the consequenses:

  • Your (financial) data will be stolen
  • You might get a pop-up next time you log in to your bank asking for credentials
  • You might be diverted to a fake login page
  • You might finance the malware author's next vacation by unwillingly transferring X amount of money
  • Other malware might be downloaded 


Part 4 - gathered files:

Note how the .hlp files have the exact same filesize as the .exe files. (they're the same files)

Contact me for a copy.

Gathered files

























Conclusion
  • Don't click on any link(s) of unknown senders. In fact, don't even open mail from unknown senders.
  • Have you indeed ordered something? Check the status of it directly on the supplier's website.
  • Don't be fooled by the fancy icons, they are actually EXE files. You can enable an option in Windows so you're always sure of the filetype being used:
    Enable Viewing of Filename Extensions for Known File Types
  • Install an antivirus and antimalware product and keep it up-to-date & running.

6 comments:

  1. Good thread. And ofcourse this stuff doesnt only count for brazilian banking. It can happen for everybody at one point or another.

    ReplyDelete
  2. nice research man, keep it up!

    ReplyDelete
  3. I got exactly this email, too! The only difference:
    Sender address: eduardo.se@ampersystems.com.br
    Receiver address: tatiane@alcamp.com.br (not my address)
    Thanks for the advice!

    ReplyDelete