By Manoj Venugopalan, Malware Analyst, Symantec Hosted Services
Brazil is the biggest country in Latin America with a population of over 198.7m people, 34% of whom are connected to the internet. It is also a country with a low GDP per capita and higher rates of criminality, especially cyber crime. With tens of millions of users already using online banking services in Brazil, cyber criminals find Internet banking an attractive target, particularly through banking Trojans designed to bypass two-factor authentication systems and other security countermeasures.
MessageLabs Intelligence has seen many Banker Trojan attacks in the past. More recently, however, I came across two different banks being targeted by a single attacker: Bradesco and Sicredi. MessageLabs Intelligence had been blocking the Bradesco banking attack for some days when I noticed the Sicredi Bank attack on Saturday 20 February. It was early in the morning and none of the well-known anti-virus companies were detecting this malware, except for Symantec. See the full VirusTotal report here:
[Virus Total Report]
The malware had been zipped and attached to emails sent to a number of Symantec Hosted Services clients. The two forms of the attack used different attached files and had different subjects and sender information, in each case using spoofed email sender addresses that pretended to be official bank contacts, as can be seen in the first example below:
[Banking Trojan attached to email – first sample]
Compare this with the following example of an attack against the other Brazilian bank, and it can be seen that the same body text was used in both cases, substituting the name of the bank where appropriate:
[Banking Trojan attached to email – second sample]
The attached executable samples were compiled using Visual Basic and packaged with the Inno Setup installer. If opened, the installation procedure displayed the appropriate banking logos and branding, as can be seen in the examples below, intended to deceive the recipient into installing the application:
[Banking Trojan Installation – first sample - part one]
[Banking Trojan attached to email – first sample - part two]
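The lure described above combines three observable traits: a bank-branded sender whose address is not the bank's, a zipped executable attachment, and an Inno Setup installer inside the archive. The following triage check, an added example and not part of the original post or of any Symantec tooling, flags messages carrying that pattern; the e-mail, the archive and the fake installer bytes are constructed inline, the allowlisted domain `bank.example` is a placeholder, and the `Inno Setup Setup Data` marker is the text string that Inno Setup embeds in the installers it builds.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

BANK_NAMES = ("bradesco", "sicredi")        # brands named in the post
TRUSTED_DOMAINS = {"bank.example"}          # placeholder allowlist (assumption)
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif")
INNO_MARKER = b"Inno Setup Setup Data"      # string embedded in Inno Setup installers

def inspect_zip(data):
    """Findings for executables (and Inno Setup builds) inside a zip payload."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(EXEC_SUFFIXES):
                findings.append(f"executable in archive: {name}")
                body = zf.read(name)
                if body[:2] == b"MZ" and INNO_MARKER in body:
                    findings.append(f"Inno Setup installer: {name}")
    return findings

def assess(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["from"].addresses[0]
    domain = sender.addr_spec.rpartition("@")[2].lower()
    findings = []
    if any(b in sender.display_name.lower() for b in BANK_NAMES) and domain not in TRUSTED_DOMAINS:
        findings.append(f"bank-branded sender from untrusted domain: {domain}")
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if (part.get_filename() or "").lower().endswith(".zip") or payload[:2] == b"PK":
            findings.extend(inspect_zip(payload))
    return findings

def build_sample():
    """Constructed lure: bank display name, spoofed domain, zipped fake installer."""
    fake_exe = b"MZ" + b"\0" * 62 + INNO_MARKER + b" (5.x.x)\0"   # not a real PE, just the markers
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sicredi_Seguranca.exe", fake_exe)
    msg = EmailMessage()
    msg["From"] = "Banco Sicredi <atendimento@spoofed.example>"   # constructed spoofed sender
    msg["To"] = "cliente@recipient.example"
    msg["Subject"] = "Atualizacao do modulo de seguranca"
    msg.set_content("Prezado cliente, instale o modulo de seguranca em anexo.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Sicredi_Seguranca.zip")
    return msg.as_bytes()
```

Running `assess(build_sample())` yields one finding per trait; a message from an allowlisted domain with a non-executable archive yields none.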
Once complete, the installation process creates entries in the All Programs folder and creates a desktop icon. The icon also resembles the actual Bradesco or Sicredi Bank logo.
[Banking Trojan link added in All Programs]
Once the user clicks on the application, it opens a window that appears exactly as expected, using the same design as the bank's online banking website; however, behind the scenes, the banking Trojan is covertly collecting the user's login credentials and passing them back to the cyber criminals, as seen in the network traces below:
[logging of application network traffic – first example]
[logging of application network traffic – second example]
During the course of my investigations, I entered some false information to see how the Trojan would respond, and as I expected, the process simply continued to the next step, and asked for the user’s login security keys:
[Banking Trojan requesting user’s security credentials]
The Trojan also asked the user to confirm that the correct keys had been entered before handing the account information over to the criminals' servers.
At the time of writing, MessageLabs Intelligence has identified more than 300 different instances of these attacks, which were being sent to a variety of financial and non-financial organizations, and Symantec Hosted Services continues to protect its clients against these attacks.