BBVA Group phishing spam – New Banker Trojan (Nov 13, 2009)

SonicWALL UTM Research team observed a new Banker Trojan targeting BBVA Group customers being spammed in the wild via phishing e-mails pretending to arrive from BBVA Group. BBVA Group is considered to be second largest bank in Spain and has large customer base.

The e-mail message looks like below:

English translation for the message body:

BBVA Group always tries to find your highest expectations.
So we use the latest technology in security for our customers.
Therefore, our fraud department has developed a new security system that eliminates any possibility of third party access to their data, accounts or funds.
It is mandatory for all customers of BBVA in line to use this security system.
Our advice to you is to enter your access data to pass the system check. If the record is not made within 48 hours your account will be suspended temporarily until their registration is completed.
This will cost only a few minutes of your time and will have a much more stable security.

To begin registration please click here:

As seen in the e-mail above, it asks the customer to click on the Accept button and begin the registration for a new security system. If the user clicks on the button, it prompts the user to run or download an executable file “seguridad.exe” as seen below:

The executable file is the new Banker Trojan and it looks like below:

If user runs the executable file, it will open up following graphical user interface asking for user’s account number and key:

The malware has knowledge of valid user account number format that it uses to check for valid user account number string and 4 digit key code. It will not proceed further until a valid account number string format is recognized (regardless of whether it is fake or real).

It then asks the user to enter content of their Code card and again validates the format:

The Trojan logs and steals all the Banking information entered above by the user and relays it back to the author.

SonicWALL Gateway AntiVirus provides protection against this Trojan via GAV: Banker.APJJ (Trojan) signature.

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.