Delf.EP Trojan steals online banking passwords (Mar 25, 2011).

The SonicWALL UTM research team received reports of a new online banking Trojan in the wild. The Trojan's sole purpose is to harvest the credentials used to manage online banking and payment accounts, which it does by redirecting victims to look-alike copies of the real sites (hosts-file pharming). The redirected domains include PayPal, MasterCard and Citibank. The Trojan is aimed primarily at Brazilian users, since most of the hijacked domains are Brazilian banks, but several global domains (paypal.com, mastercard.com, login.live.com) are hijacked as well, so users in other countries can also be affected.

Once it has compromised a machine, the Trojan's activity is quite simple: it makes only a single modification to the file system.

The Trojan makes the following POST and GET requests to a remote web server:

The Trojan downloads a hosts.txt from the remote web server and writes it over the system hosts file at:

  • C:\WINDOWS\system32\drivers\etc\hosts

The hosts file contains the following data:

      69.162.122.215 www.bb.com.br
      69.162.122.215 bb.com.br
      69.162.122.215 www.bancobrasil.com.br
      69.162.122.215 bancobrasil.com.br
      69.162.122.215 www.bancodobrasil.com.br
      69.162.122.215 bancodobrasil.com.br
      69.162.122.215 americanexpress.com.br
      69.162.122.215 www.americanexpress.com.br
      69.162.122.215 bancoamazonia.com.br
      69.162.122.215 www.bancoamazonia.com.br
      69.162.122.215 bancodaamazonia.com.br
      69.162.122.215 www.bancodaamazonia.com.br
      69.162.122.215 citibank.com.br
      69.162.122.215 www.citibank.com.br
      69.162.122.215 credicard.com.br
      69.162.122.215 www.credicard.com.br
      69.162.122.215 hotmail.com.br
      69.162.122.215 www.hotmail.com.br
      69.162.122.215 login.live.com
      69.162.122.215 live.com
      69.162.122.215 naotempreco.com.br
      69.162.122.215 www.naotempreco.com.br
      69.162.122.215 mastercard.com
      69.162.122.215 www.mastercard.com
      69.162.122.215 mastercard.com.br
      69.162.122.215 www.mastercard.com.br
      69.162.122.215 itau.com.br
      69.162.122.215 www.itau.com.br
      69.162.122.215 bancoitau.com.br
      69.162.122.215 www.bancoitau.com.br
      69.162.122.215 itaupersonnalite.com.br
      69.162.122.215 www.itaupersonnalite.com.br
      69.162.122.215 personnalite.com.br
      69.162.122.215 www.personnalite.com.br
      69.162.122.215 pagseguro.com.br
      69.162.122.215 www.pagseguro.com.br
      69.162.122.215 pagseguro.com
      69.162.122.215 www.pagseguro.com
      69.162.122.215 pagseguro.uol.com.br
      69.162.122.215 www.pagseguro.uol.com.br
      69.162.122.215 paypal.com
      69.162.122.215 www.paypal.com
      69.162.122.215 paypal.com.br
      69.162.122.215 www.paypal.com.br
      69.162.122.215 bradesco.com.br
      69.162.122.215 www.bradesco.com.br
      69.162.122.215 bradesco.com
      69.162.122.215 www.bradesco.com
      69.162.122.215 bancobradesco.com.br
      69.162.122.215 www.bancobradesco.com.br
      69.162.122.215 bancobradesco.com
      69.162.122.215 www.bancobradesco.com
      69.162.122.215 bradescoprime.com.br
      69.162.122.215 www.bradescoprime.com.br
      69.162.122.215 bancobradescoprime.com.br
      69.162.122.215 www.bancobradescoprime.com.br
      69.162.122.215 bancobradescoprime.com
      69.162.122.215 www.bancobradescoprime.com
      69.162.122.215 bradescoprivatebank.com.br
      69.162.122.215 www.bradescoprivatebank.com.br
      69.162.122.215 bradescoprivatebank.com
      69.162.122.215 www.bradescoprivatebank.com
      69.162.122.215 serasa.com.br
      69.162.122.215 www.serasa.com.br
      69.162.122.215 serasaexperian.com.br
      69.162.122.215 www.serasaexperian.com.br
      69.162.122.215 serasa.com
      69.162.122.215 www.serasa.com
      69.162.122.215 serasaexperian.com
      69.162.122.215 serasaexperian.com.br
      69.162.122.215 bancoreal.com.br
      69.162.122.215 www.bancoreal.com.br
      69.162.122.215 real.com.br
      69.162.122.215 www.real.com.br
      69.162.122.215 santander.com.br
      69.162.122.215 www.santander.com.br
      69.162.122.215 bancosantander.com.br
      69.162.122.215 www.bancosantander.com.br
      69.162.122.215 internetbanking.caixa.gov.br
      69.162.122.215 www.caixa.com.br
      69.162.122.215 www.caixa.gov.br
      69.162.122.215 www.caixaeconomica.com.br
      69.162.122.215 www.caixaeconomica.gov.br
      69.162.122.215 www.caixaeconomicafederal.com.br
      69.162.122.215 www.caixaeconomicafederal.gov.br
      69.162.122.215 www.cef.com.br
      69.162.122.215 www.cef.gov.br
      69.162.122.215 caixa.com.br
      69.162.122.215 caixa.gov.br
      69.162.122.215 caixaeconomica.com.br
      69.162.122.215 caixaeconomica.gov.br
      69.162.122.215 caixaeconomicafederal.com.br
      69.162.122.215 caixaeconomicafederal.gov.br
      69.162.122.215 cef.com.br
      69.162.122.215 cef.gov.br

Because the hosts file is consulted before DNS, every domain listed above now resolves to the attacker's web server at 69.162.122.215, regardless of which DNS servers the victim uses. The malicious web server hosts a copy of the login or registration page of each of the original sites listed above. It should be noted that none of the fraudulent copies are served over HTTPS: the attacker cannot present a valid certificate for the real domains, so the pages are served over plain HTTP instead. The missing padlock on what should be a bank login page is the one visible clue the victim gets.
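The redirection above depends entirely on the hosts file, so a defender's first check is to audit that file for exactly this pattern. The script below is an added example written for this write-up, not code from the original post or from SonicWALL. It parses a hosts file, ignores the loopback entries a clean file normally contains, and flags entries that map a hostname to a public address, with a stronger signal when many distinct hostnames share one address (the dropped file above pins roughly 95 names to a single IP). The sample input is constructed from a handful of the Trojan's entries plus benign defaults; the internal override `intranet.corp.example` is an assumption included to show that a lone private-address entry is not flagged.

```python
"""Audit a hosts file for pharming entries of the kind Delf.EP drops (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample: a few of the Trojan's entries plus benign defaults.
# The 192.168.1.10 line is an assumed legitimate internal override.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.corp.example   # assumed legitimate internal override
69.162.122.215 www.bb.com.br
69.162.122.215 bb.com.br
69.162.122.215 login.live.com
69.162.122.215 www.paypal.com
69.162.122.215 caixa.gov.br
"""


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for each active mapping; comments are stripped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; not a usable mapping
        yield lineno, ip, fields[1:]


def is_benign_target(ip):
    """Loopback, unspecified and link-local targets are what a clean hosts file normally holds."""
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def audit_hosts(text, min_names_per_ip=3):
    """Return a list of suspicious entries.

    Two heuristics, both drawn from the dropped file described in the post:
      * a hostname mapped to a public (globally routable) address; and
      * one address collecting many different hostnames, the signature of a
        hosts-file pharming kit rather than an admin's one-off override.
    """
    names_by_ip = defaultdict(list)
    entries = []
    for lineno, ip, names in parse_hosts(text):
        if is_benign_target(ip):
            continue
        names_by_ip[ip].extend(names)
        entries.append((lineno, ip, names))

    findings = []
    for lineno, ip, names in entries:
        reasons = []
        if ip.is_global:
            reasons.append("maps to a public address")
        if len(names_by_ip[ip]) >= min_names_per_ip:
            reasons.append(f"{len(names_by_ip[ip])} hostnames share this address")
        if reasons:
            findings.append({"line": lineno, "ip": str(ip), "names": names, "reasons": reasons})
    return findings


def clean_hosts(text):
    """Return (hosts content with flagged lines removed, list of removed lines)."""
    bad_lines = {f["line"] for f in audit_hosts(text)}
    kept, removed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        (removed if lineno in bad_lines else kept).append(raw)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} -> {', '.join(f['names'])} ({'; '.join(f['reasons'])})")
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(f"removed {len(removed)} entries")
```

To run it against a live machine, read `C:\WINDOWS\system32\drivers\etc\hosts` (or `/etc/hosts`) into `audit_hosts` instead of the constructed sample. The public-address heuristic alone would also flag legitimate overrides such as a developer pinning a staging host, so the shared-address count is the more reliable signal; a file in which dozens of unrelated banking domains resolve to one IP has no innocent explanation. After removing the entries, flush the resolver cache (`ipconfig /flushdns` on Windows) so the poisoned mappings do not linger.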

The screenshot below shows the non-HTTPS Brazilian copy of paypal.com hosted on the malicious web server:

Upon entering the username and password, the following message box is displayed:

The screenshot below shows the default malicious page loaded for mastercard.com. This page requests full credit card details in exchange for purported rewards:

Upon submitting the requested information the following page is displayed:

Translation:

      Congratulations, your MasterCard was successfully registered in our database!
      You now compete every month for prizes of up to $500,000.00 (five hundred thousand dollars), and for every $50.00 in
      purchases made with your MasterCard you earn 1 point to exchange for goods or services
      from our partners.
      Warning: although you are already participating, your login will be released only after the next billing cycle.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Delf.EP (Trojan)
