New banker Trojan steals information via compromised webservers (Aug 10, 2011)


The Sonicwall UTM research team received reports of a new Banking Trojan spreading in the wild. The Trojan spreads through email and steals banking credentials from customers of BBVA bank. The email that is spread falsely reports that the long-time dictator of Cuba, Fidel Castro had died from a sudden heart attack at his residence. The email uses 2 links: “click on the image” and “Play video” that lead to the download of the Trojan executable file:

The links to the Trojan are hosted on compromised webservers:

  • http://www.chem{removed}
  • http://www.ferienwoh{removed}

The downloaded file uses the following icon:

Once run, this initial dropper Trojan adds the following file to the filesystem:

  • C:09342.exe [Detected as GAV: Dapato.HEM (Trojan)]

The following request was observed when obtaining 009342.exe. This file is a spreader Trojan and is downloaded from a predetermined list of compromised remote webservers:

C:09342.exe is executed and makes the following changes to the filesystem:

  • C:Documents and SettingsAll UsersApplication DataLupitaLupita.exe [Detected as GAV: Banker.SKQG (Trojan)]

C:09342.exe makes the following change to the windows registry to enable startup of the main banking Trojan:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun “C:Documents and SettingsAll UsersApplicationDataLupitaLupita.exe”

C:09342.exe was also seen scanning all directories on the filesystem for .dbx files in an attempt to gather email addresses for further spreading.

The dropped executable (Lupita.exe) is the main banker Trojan. The Trojan binary contains the following links:

  • http://www.hidro{removed}
  • http://www.holi{removed}.info/features/addo.php
  • http://h1655219.stra{removed}.net/wework/js/addo.php
  • http://www.hippodr{removed}.com//Hippodrome/Les_partenaires/del.php
  • http://www.houseimm{removed}.it/php/del.php
  • http://icomiarr{removed}.net//del.php
  • http://www.ihp-e{removed}.be/espoir/wii.php
  • http://www.hw{removed}.com/modules/wii.php
  • http://www.f{removed}.at//newpics/tr/up7.exe.bak
  • http://mox{removed}.vn//images/up7.exe.bak
  • http://www.flc{removed}
  • http://www.marath{removed}.com//images/sd/up7.exe.bak
  • http://www.ecuriesdupa{removed}.com//agb/config/up7.exe.bak
  • http://www.designs{removed}.com/portfolio/we/up7.exe.bak

The links are used for receiving stolen banking credentials from the Trojan.

Lupita.exe uses the following icon:

After reboot and an undertermined period of time the Trojan (Lupita.exe) will spawn a BBVA bank login page in place of the Windows desktop background. The page cannot be closed unless the process is killed:

In an attempt to appear legitimate, the page contains genuine warnings about online banking security. One warning roughly translates to:

  • "If you get a few emails or enter a screen where you apply all your card numbers secure password, do not give any help and contact information online at 600 600 1100"

The page does however ask for your BBVA bank logon credentials. This information is posted to a remote webserver:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Banker.SKQG (Trojan)
  • GAV: Dapato.HEM (Trojan) (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.