So I encountered what I suspect to be a banker focused on Brazilian banks. (Win32/Bancos)
Part 1 - spam mail:
Mail from: mail.unimedsc.com.br - 220.127.116.11 - IPvoid Result
The mail reads:
Emissão de Nota Fiscal
Segue abaixo o(s) link(s) para acesso à nota fiscal eletrônica.
Nota Codigo de Verificacao Visualizar
11932075 DTU8DBSW NF-eletronica-8457348947..Docx
Equipe de Cobrança:
Issue of Invoice
Below is a (s) link (s) to access electronic invoices.
Note the Verification Code View
11932075 DTU8DBSW NF-electronic-8457348947 .. Docx
Clicking on the link leads to a ZIP file on Dropbox. I've already requested the file/URL to be removed.
Part 2 - executing the file:
The victim needs to unzip the file and run the malware:
|So-called .docx with a mismatching icon|
Seems the malware authors got their filetypes wrong, a .docx file should have a Word icon, not a MPEG-4 icon. ;-)
Either way, the malware is neither a Word or MPEG file, it's actually an executable, as can be seen in the screenshot above.
Some details about the file:
The file connects to the following IPs:
18.104.22.168 - IPvoid Result
22.214.171.124 - IPvoid Result
126.96.36.199 - IPvoid Result
This is where it gets a bit more interesting: the file downloads from 188.8.131.52 a .hlp file called:
updados.hlp - VirusTotal Result
Basically, this is a compressed .hlp file (Help-file for Windows) which contains 3 more .hlp files:
The files then get renamed randomly and a folder in %ProgramFiles% gets created with a random filename, for example:
Most malware of today gets dropped in %systemroot% or %appdata%. The following entries were added to the registry to ensure persistance:
|Autorun entries with fancy icons|
Part 3 - the consequenses:
- Your (financial) data will be stolen
- You might get a pop-up next time you log in to your bank asking for credentials
- You might be diverted to a fake login page
- You might finance the malware author's next vacation by unwillingly transferring X amount of money
- Other malware might be downloaded
Part 4 - gathered files:
Note how the .hlp files have the exact same filesize as the .exe files. (they're the same files)
Contact me for a copy.
- Don't click on any link(s) of unknown senders. In fact, don't even open mail from unknown senders.
- Have you indeed ordered something? Check the status of it directly on the supplier's website.
- Don't be fooled by the fancy icons, they are actually EXE
files. You can enable an option in Windows so you're always sure of the
filetype being used:
Enable Viewing of Filename Extensions for Known File Types
- Install an antivirus and antimalware product and keep it up-to-date & running.