So I encountered what I suspect to be a banker (banking trojan) targeting Brazilian banks, of the Win32/Bancos family.
Part 1 - spam mail:
Fiscal note |
Mail from: mail.unimedsc.com.br - 187.115.59.244 - IPvoid Result
The mail reads:
Emissão de Nota Fiscal
Prezado cliente,
Segue abaixo o(s) link(s) para acesso à nota fiscal eletrônica.
Notas Fiscais
Nota Codigo de Verificacao Visualizar
11932075 DTU8DBSW NF-eletronica-8457348947..Docx
Atenciosamente,
Equipe de Cobrança:
Roughly translated:
Invoice issued
Dear customer,
Below is/are the link(s) to access the electronic invoice.
Invoices
Invoice | Verification code | View
11932075 | DTU8DBSW | NF-eletronica-8457348947..Docx
Sincerely,
Billing Team:
Clicking the link leads to a ZIP file hosted on Dropbox. I've already requested that the file/URL be removed.
Part 2 - executing the file:
The victim needs to unzip the file and run the malware:
So-called .docx with a mismatching icon |
It seems the malware authors got their file types wrong: a .docx file should carry a Word icon, not an MPEG-4 icon. ;-)
Either way, the file is neither a Word document nor an MPEG file; it's an executable, as the screenshot above shows. The full name ends in .Docx.exe, and because Windows hides known extensions by default, a victim only sees the .Docx part.
Some details about the file:
NF-eletronica-987812165162.Docx.exe
MD5: 65ba9ff22e4e9073dda5ecae0fd056a7
Detections: 4/46
VirusTotal Result
Anubis Result
ThreatExpert Result
The file connects to the following IPs:
54.244.228.88 - IPvoid Result
91.136.8.9 - IPvoid Result
187.45.193.134 - IPvoid Result
This is where it gets a bit more interesting: from 54.244.228.88 the file downloads a .hlp file called:
updados.hlp - VirusTotal Result
Despite the extension (.hlp is the old Windows Help format), this is an archive that contains three more .hlp files:
help01.hlp
help02.hlp
help03.hlp
The files are then given random names, and a folder with a random name is created in %ProgramFiles%, for example:
C:\Program Files\2x8H8g
Most malware today drops its files in %SystemRoot% or %AppData%, so a random folder under %ProgramFiles% is a bit unusual. The following entries were added to the registry to ensure persistence:
Autorun entries with fancy icons |
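As an added example (not code from the original post), here is a small Python triage script for the Run/RunOnce keys used for persistence above. It pulls the program path out of each autorun value and flags two things seen in this sample: a target living in a random-looking folder directly under Program Files (like 2x8H8g), and a target whose extension is not executable at all (.hlp). The registry paths and winreg calls are real; the sample entries, value names and file names other than the 2x8H8g folder are constructed, and the "random-looking folder" rule is a heuristic, not proof.

```python
import ntpath
import re

try:
    import winreg  # Windows only; the assessment logic below runs anywhere
except ImportError:
    winreg = None

# The standard per-user and machine-wide autorun keys.
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]
PROGRAM_DIRS = ("c:\\program files", "c:\\program files (x86)")
NON_EXEC_EXTS = {".hlp", ".docx", ".doc", ".pdf", ".jpg", ".mp4"}
# Program path at the start of a Run value, with or without surrounding quotes.
PATH_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|com|hlp|bat|cmd|vbs|js))"?(?:\s|$)', re.I)


def looks_random(folder):
    """Heuristic (assumption): a short alphanumeric token mixing digits and
    letters, like the 2x8H8g folder in this sample. The isalnum() check keeps
    vendor folders such as '7-Zip' out."""
    return (4 <= len(folder) <= 10 and folder.isalnum()
            and re.search(r"\d", folder) is not None
            and re.search(r"[A-Za-z]", folder) is not None)


def target_path(command):
    """Extract the program path from a Run value, quoted or not."""
    m = PATH_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def assess(value_name, command):
    """Return the findings for one autorun value."""
    target = target_path(command)
    low = target.lower()
    findings = []
    for base in PROGRAM_DIRS:
        if low.startswith(base + "\\"):
            folder = target[len(base) + 1:].split("\\")[0]
            if looks_random(folder):
                findings.append(f"random-looking folder under Program Files: {folder}")
    ext = ntpath.splitext(low)[1]
    if ext in NON_EXEC_EXTS:
        findings.append(f"autorun target carries a non-executable extension: {ext}")
    return {"value": value_name, "target": target, "findings": findings}


def read_run_keys():
    """Enumerate the live Run keys (Windows only); empty list elsewhere."""
    entries = []
    if winreg is None:
        return entries
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    for hive, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                entries.append((f"{hive}\\{path}", name, str(value)))
                index += 1
    return entries


# Constructed entries standing in for the screenshot (assumption: only the
# folder name 2x8H8g comes from the post; value and file names are made up).
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Xk3n1",
     r'"C:\Program Files\2x8H8g\Xk3n1.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "help02",
     r"C:\Program Files\2x8H8g\help02.hlp"),
]


def suspicious(entries):
    """Keep only the entries with at least one finding."""
    out = []
    for key, name, command in entries:
        result = assess(name, command)
        if result["findings"]:
            result["key"] = key
            out.append(result)
    return out


if __name__ == "__main__":
    # On Windows this reads the real keys; elsewhere it falls back to the samples.
    for hit in suspicious(read_run_keys() or SAMPLE_ENTRIES):
        print(hit["key"], hit["value"], hit["target"])
        for finding in hit["findings"]:
            print("   ", finding)
```

Run it on the infected box (or on an exported hive) and compare the hits against what the screenshot shows; anything under a folder you cannot name is worth a closer look, and a non-executable extension in a Run value is almost never legitimate.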
Part 3 - the consequences:
- Your (financial) data will be stolen
- You might get a pop-up next time you log in to your bank asking for credentials
- You might be diverted to a fake login page
- You might finance the malware author's next vacation by unwillingly transferring X amount of money
- Other malware might be downloaded
Part 4 - gathered files:
Note how the .hlp files have exactly the same file size as the .exe files (they're the same files).
Contact me for a copy.
Gathered files |
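Both the ".docx" in Part 2 and the ".hlp" files above are executables wearing the wrong extension, and the tell in both cases is the same: the first bytes of the file say MZ no matter what the name says. As an added example (not code from the original post), here is a small Python triage script that classifies files by magic bytes regardless of name, flags double extensions such as .Docx.exe and extension/content mismatches, and groups files whose SHA-256 hashes match, which is how you would confirm that the .hlp files really are the renamed executables rather than relying on equal sizes. The sample bytes are synthetic and the names renamed.exe, real-manual.hlp and real-invoice.docx are made up; only the other file names come from the post, and the signature table is a deliberately short assumption.

```python
import hashlib
import io
import zipfile

# Content signatures checked against the first bytes of a file. This is an
# added, deliberately small table (assumption); real triage tools carry many more.
SIGNATURES = [
    (b"MZ", "pe_executable"),               # DOS stub of every Windows .exe/.dll/.scr
    (b"PK\x03\x04", "zip_container"),       # ZIP, which is also what a .docx is
    (b"?_\x03\x00", "winhelp"),             # genuine WinHelp .hlp header
    (b"\xd0\xcf\x11\xe0", "ole_compound"),  # legacy binary .doc/.xls
]

# What each extension should contain, if the name is honest.
EXPECTED = {
    ".exe": "pe_executable", ".dll": "pe_executable", ".scr": "pe_executable",
    ".zip": "zip_container", ".docx": "zip_container",
    ".hlp": "winhelp", ".doc": "ole_compound",
}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".sys"}


def sniff(data):
    """Classify by magic bytes, ignoring the file name entirely."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions(name):
    """All extensions of a name, lower-cased: 'a.Docx.exe' -> ['.docx', '.exe'].
    Empty parts are dropped, so 'a..Docx' -> ['.docx']."""
    return ["." + part.lower() for part in name.split(".")[1:] if part]


def triage(name, data):
    """Compare what the name claims with what the bytes are."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    findings = []
    if len(exts) > 1 and last in EXEC_EXTS:
        findings.append("double extension hides an executable: " + "".join(exts))
    expected = EXPECTED.get(last)
    if expected is not None and expected != kind:
        findings.append(f"extension {last} claims {expected} but content is {kind}")
    elif expected is None and kind == "pe_executable":
        findings.append(f"PE executable behind unrecognised extension {last or '(none)'}")
    return {
        "name": name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": kind,
        "findings": findings,
    }


def find_duplicates(results):
    """Group names that share a SHA-256: same bytes under different names."""
    by_hash = {}
    for r in results:
        by_hash.setdefault(r["sha256"], []).append(r["name"])
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}


def fake_docx():
    """Constructed minimal .docx: a ZIP with the two entries Word looks for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed stand-ins for the real samples: the bytes are synthetic, and
# renamed.exe, real-manual.hlp and real-invoice.docx are assumed names.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 256
SAMPLES = {
    "NF-eletronica-987812165162.Docx.exe": FAKE_PE,
    "help01.hlp": FAKE_PE,
    "renamed.exe": FAKE_PE,
    "real-manual.hlp": b"?_\x03\x00" + b"\x00" * 64,
    "real-invoice.docx": fake_docx(),
}


def run_triage(samples):
    return [triage(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    results = run_triage(SAMPLES)
    for r in results:
        print(f"{r['name']:40} {r['type']:15} {r['size']:6}  {'; '.join(r['findings']) or 'ok'}")
    for digest, names in find_duplicates(results).items():
        print("identical content:", ", ".join(names), "sha256", digest[:16] + "...")
```

To use it on the real gathered files, replace SAMPLES with the bytes read from disk; the hash grouping is the part worth keeping, since two files of equal size are only probably the same, while two files with the same SHA-256 are.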
Conclusion
- Don't click on any link(s) from unknown senders. In fact, don't even open mail from unknown senders.
- Have you actually ordered something? Check its status directly on the supplier's website.
- Don't be fooled by the fancy icons; they are actually EXE files. You can enable an option in Windows so you can always see the real file type (it is Explorer's "Hide extensions for known file types" setting, stored as the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced):
Enable Viewing of Filename Extensions for Known File Types
- Install an antivirus and antimalware product and keep it up to date and running.
Good thread. And of course this stuff doesn't only count for Brazilian banking. It can happen to everybody at one point or another.
Nice research man, keep it up!
Nice thread!
Thanks
I got exactly this email, too! The only difference:
Sender address: eduardo.se@ampersystems.com.br
Receiver address: tatiane@alcamp.com.br (not my address)
Thanks for the advice!
Thanks all for your comments!