Tuesday, April 2, 2013

Brazilian banking Trojan tricks

So I encountered what I suspect to be a banker focused on Brazilian banks. (Win32/Bancos)

Part 1 - spam mail:

Fiscal note

Mail from: mail.unimedsc.com.br - - IPvoid Result

The mail reads:
Emissão de Nota Fiscal
Prezado cliente,
Segue abaixo o(s) link(s) para acesso à nota fiscal eletrônica.
Notas Fiscais
Nota    Codigo de Verificacao    Visualizar
11932075    DTU8DBSW    NF-eletronica-8457348947..Docx
Equipe de Cobrança:

Roughly translated:

Issuance of Electronic Invoice
Dear customer,
Below is the link (or links) to access the electronic invoice.
Invoices
Invoice    Verification Code    View
11932075    DTU8DBSW    NF-eletronica-8457348947..Docx
Billing Team:

Clicking on the link leads to a ZIP file on Dropbox. I've already requested the file/URL to be removed.

Part 2 - executing the file:

The victim needs to unzip the file and run the malware:

So-called .docx with a mismatching icon

Seems the malware authors got their filetypes wrong; a .docx file should have a Word icon, not an MPEG-4 icon. ;-)
Either way, the malware is neither a Word nor an MPEG file, it's actually an executable, as can be seen in the screenshot above.

Some details about the file:
MD5: 65ba9ff22e4e9073dda5ecae0fd056a7
Detections: 4/46 
VirusTotal Result
Anubis Result
ThreatExpert Result

The file connects to the following IPs: - IPvoid Result - IPvoid Result - IPvoid Result

This is where it gets a bit more interesting: the file downloads a .hlp file called:
updados.hlp - VirusTotal Result

Basically, this is a compressed .hlp file (Help-file for Windows) which contains 3 more .hlp files:

The files then get renamed randomly and a folder with a random name gets created in %ProgramFiles%, for example:
C:\Program Files\2x8H8g

Most malware today gets dropped in %systemroot% or %appdata%. The following entries were added to the registry to ensure persistence:

Autorun entries with fancy icons

Part 3 - the consequences:

  • Your (financial) data will be stolen
  • You might get a pop-up next time you log in to your bank asking for credentials
  • You might be diverted to a fake login page
  • You might finance the malware author's next vacation by unwillingly transferring X amount of money
  • Other malware might be downloaded 

Part 4 - gathered files:

Note how the .hlp files have the exact same filesize as the .exe files. (they're the same files)

Contact me for a copy.

Gathered files

Part 5 - prevention:

  • Don't click on any link(s) from unknown senders. In fact, don't even open mail from unknown senders.
  • Have you indeed ordered something? Check the status of it directly on the supplier's website.
  • Don't be fooled by the fancy icons, they are actually EXE files. You can enable an option in Windows so you're always sure of the filetype being used:
    Enable Viewing of Filename Extensions for Known File Types
  • Install an antivirus and antimalware product and keep it up-to-date & running.
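The trick this post turns on, both the ".Docx" attachment and the .hlp files that are byte-for-byte .exe files, is an extension that does not match the content. As an added example (not code from the original post), here is a small Python checker that sniffs the real type from the leading bytes instead of trusting the extension; the file names and bytes are constructed for the demo, and the PE, ZIP and WinHelp signatures are the well-known values, assumed here.

```python
import struct

# Content signatures (well-known values, assumed here): a PE executable starts
# with "MZ" and has a "PE\0\0" signature at the offset stored at 0x3C; a .docx
# is a ZIP archive ("PK\x03\x04"); a genuine WinHelp .hlp starts with 3F 5F 03 00.
ZIP_MAGIC = b"PK\x03\x04"
HLP_MAGIC = b"?_\x03\x00"

def is_pe(data: bytes) -> bool:
    """True if data looks like a Windows PE executable, whatever its extension."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def sniff_type(data: bytes) -> str:
    """Type implied by the content, independent of the file name."""
    if is_pe(data):
        return "exe"
    if data.startswith(ZIP_MAGIC):
        return "docx/zip"
    if data.startswith(HLP_MAGIC):
        return "hlp"
    return "unknown"

def check_file(name: str, data: bytes) -> dict:
    """Flag files whose content is an executable but whose extension claims otherwise."""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = sniff_type(data)
    return {"name": name, "claimed": claimed, "actual": actual,
            "suspicious": actual == "exe" and claimed != "exe"}

def fake_pe() -> bytes:
    """Constructed minimal PE-looking blob for the demo (not a real sample)."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)     # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew points just past it
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

# Constructed sample set: a "Docx" and a ".hlp" that are really executables,
# next to a genuine ZIP-based docx and a genuine-looking WinHelp file.
SAMPLES = {
    "NF-eletronica-8457348947..Docx": fake_pe(),
    "fatura.docx": ZIP_MAGIC + b"\x00" * 26,
    "updados.hlp": fake_pe(),
    "readme.hlp": HLP_MAGIC + b"\x00" * 12,
}

def scan(samples: dict) -> list:
    return [check_file(n, d) for n, d in samples.items()]

if __name__ == "__main__":
    for r in scan(SAMPLES):
        print(f"{r['name']:32} .{r['claimed']:<5} content={r['actual']:<9} "
              f"{'SUSPICIOUS' if r['suspicious'] else 'ok'}")
```

Run against a mail gateway quarantine or a user's Downloads folder, the same check catches the double-extension lure and the renamed .hlp droppers alike, which is what the "show file extensions" tip above does by eye.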