So I encountered what I suspect to be a banker focused on Brazilian banks. (Win32/Bancos)
Part 1 - spam mail:
(Screenshot: Fiscal note)
Mail from: mail.unimedsc.com.br - 187.115.59.244 - IPvoid Result
The mail reads:
Emissão de Nota Fiscal
Prezado cliente,
Segue abaixo o(s) link(s) para acesso à nota fiscal eletrônica.
Notas Fiscais
Nota | Codigo de Verificacao | Visualizar
11932075 | DTU8DBSW | NF-eletronica-8457348947..Docx
Atenciosamente,
Equipe de Cobrança:
Roughly translated:
Issuance of Electronic Invoice (Nota Fiscal)
Dear customer,
Below is/are the link(s) to access the electronic invoice.
Invoices
Invoice | Verification code | View
11932075 | DTU8DBSW | NF-eletronica-8457348947..Docx
Regards,
Collections Team:
Clicking the link leads to a ZIP file hosted on Dropbox. I've already requested that the file/URL be removed.
Part 2 - executing the file:
The victim needs to unzip the file and run the malware:
(Screenshot: So-called .docx with a mismatching icon)
It seems the malware authors got their file types mixed up: a .docx should carry a Word icon, not an MPEG-4 one. ;-)
Either way, the file is neither a Word document nor an MPEG video; it's an executable, as the screenshot above shows. The icon comes from the executable's own resources, and because the real name ends in .Docx.exe, a Windows install that hides known extensions shows only the "...Docx" part.
Some details about the file:
NF-eletronica-987812165162.Docx.exe
MD5: 65ba9ff22e4e9073dda5ecae0fd056a7
Detections: 4/46
VirusTotal Result
Anubis Result
ThreatExpert Result
The file connects to the following IPs:
54.244.228.88 - IPvoid Result
91.136.8.9 - IPvoid Result
187.45.193.134 - IPvoid Result
This is where it gets a bit more interesting: from 54.244.228.88 the file downloads a so-called .hlp file:
updados.hlp - VirusTotal Result
Despite the extension, this is not a Windows Help file: it's a compressed container holding three more files, also carrying a .hlp extension:
help01.hlp
help02.hlp
help03.hlp
The files are then given random names, and a folder with a random name is created under %ProgramFiles%, for example:
C:\Program Files\2x8H8g
Most malware today drops into %systemroot% or %appdata%, so a fresh folder with a gibberish name directly under Program Files stands out. The following registry entries were added to ensure persistence:
(Screenshot: Autorun entries with fancy icons)
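Added example (my code, not the post's): a heuristic that flags autorun entries launching an .exe from a random-looking folder sitting directly under Program Files, which is the pattern described above. It assumes the persistence entries were written to the standard HKCU/HKLM ...\CurrentVersion\Run keys (the post only says "registry entries"), and the sample entries and the KNOWN_GOOD allowlist are constructed.

```python
import re

# <drive>:\Program Files[ (x86)]\<exactly one folder>\<file>.exe, optionally quoted;
# anything after the path (command-line arguments) is ignored.
PROGFILES_DIRECT = re.compile(
    r'^"?(?P<path>[a-z]:\\program files( \(x86\))?\\(?P<dir>[^\\"]+)\\[^\\"]+\.exe)"?',
    re.IGNORECASE,
)
# Digits interleaved with letters, or a lowercase-to-uppercase jump, as in 2x8H8g
RANDOMISH = re.compile(r"\d[A-Za-z]+\d|[A-Za-z]\d+[A-Za-z]|[a-z][A-Z]")
# Example allowlist (assumption) of legitimate vendor folders that would trip RANDOMISH
KNOWN_GOOD = {"winrar", "mp3tag"}


def looks_random(folder: str) -> bool:
    """Short, purely alphanumeric, with a digit/case pattern vendors rarely use."""
    return 4 <= len(folder) <= 10 and folder.isalnum() and bool(RANDOMISH.search(folder))


def flag_autoruns(entries):
    """entries: iterable of (value_name, command) pairs as read from a Run key.
    Returns [(value_name, exe_path)] for commands that launch an .exe from a
    random-looking folder directly under Program Files."""
    flagged = []
    for value_name, command in entries:
        m = PROGFILES_DIRECT.match(command.strip())
        if not m:
            continue
        folder = m.group("dir")
        if folder.lower() in KNOWN_GOOD or not looks_random(folder):
            continue
        flagged.append((value_name, m.group("path")))
    return flagged


def read_run_keys():
    """Live collection of HKCU and HKLM Run values on Windows; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, sub)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                entries.append((name, str(value)))
                index += 1
    return entries


# Constructed sample; the first entry is modelled on the post's C:\Program Files\2x8H8g
SAMPLE_ENTRIES = [
    ("hlpsvc", r'"C:\Program Files\2x8H8g\help01.exe"'),
    ("Java Update", r'"C:\Program Files\Java\jre7\bin\jusched.exe"'),
    ("Python", r"C:\Program Files\Python38\pythonw.exe --startup"),
    ("OneDrive", r'"C:\Users\joe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    live = read_run_keys()
    for name, path in flag_autoruns(live or SAMPLE_ENTRIES):
        print(f"suspicious autorun {name!r} -> {path}")
```

The heuristic is deliberately narrow: legitimate installers nest their binaries at least one level deeper (Java\jre7\bin), and a vendor folder name like Python38 does not interleave digits with letters the way 2x8H8g does. Treat hits as leads to hash and submit, not as verdicts, and grow the allowlist for your own environment.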
Part 3 - the consequences:
- Your (financial) data will be stolen
- You might get a pop-up the next time you log in to your bank, asking for credentials
- You might be redirected to a fake login page
- You might finance the malware author's next vacation by unwittingly transferring X amount of money
- Other malware might be downloaded
Part 4 - gathered files:
Note how the .hlp files have exactly the same file size as the .exe files: they are the same files, just renamed.
Contact me for a copy.
(Screenshot: Gathered files)
Conclusion
- Don't click links from unknown senders. In fact, don't even open mail from unknown senders.
- Did you actually order something? Check its status directly on the supplier's website.
- Don't be fooled by the fancy icons: these are actually EXE files. You can enable an option in Windows so you always see the real file type: Enable Viewing of Filename Extensions for Known File Types
- Install an antivirus and antimalware product and keep it up to date and running.