New Banker Trojan targeting Brazilian government site (June 28, 2013)
The Dell SonicWALL Threats Research team came across a new Banker Trojan targeting an electronic invoice website owned by the Brazilian Government Department of Treasury, attempting to steal sensitive user information. The Trojan arrives as a Windows Control Panel Item file and is a UPX-packed DLL written in Delphi. It poses as proof of an NF-e invoice and executes when the user opens it.
Infection Cycle:
Upon execution, the Trojan checks for the presence of VMWare environment and terminates if detected.
It connects to a remote server in Brazil (grupomasterplan.com.br) to download multiple malicious executables in encrypted form. The downloaded files are disguised as JPEG images, as seen in the requests below:
- GET /IMAGE(REMOVED)/m.jpg [Detected as GAV: Banload.SSE#enc (Trojan)]
- GET /IMAGE(REMOVED)/u.jpg [Detected as GAV: Banload.SSE#enc (Trojan)]
- GET /IMAGE(REMOVED)/d.jpg [Detected as GAV: Banload.SSE#enc (Trojan)]
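The two observations above, a fixed set of filenames fetched from one host and payloads that are named as JPEGs but are really encrypted executables, can be turned into detection logic. The following is an added example written for this page, not code from SonicWALL or from the advisory: it runs a pattern match over constructed proxy log lines (the field layout is assumed, and the redacted directory is replaced with a labelled placeholder) and checks whether a file with a .jpg name actually begins with the JPEG SOI marker.

```python
import re
from typing import Dict, List

# Host and filenames named in the advisory. The directory component was
# redacted there ("/IMAGE(REMOVED)/"), so matching is done on host + filename.
SUSPECT_HOST = "grupomasterplan.com.br"
SUSPECT_FILES = {"m.jpg", "u.jpg", "d.jpg"}

JPEG_MAGIC = b"\xff\xd8\xff"  # SOI marker every real JPEG file starts with

# Constructed sample proxy log (not from the advisory). Assumed field layout:
# client_ip method host path status bytes
SAMPLE_PROXY_LOG = [
    "10.0.0.12 GET grupomasterplan.com.br /IMAGE_PLACEHOLDER/m.jpg 200 184320",
    "10.0.0.14 GET example.com /photos/holiday.jpg 200 230000",
    "10.0.0.12 GET grupomasterplan.com.br /IMAGE_PLACEHOLDER/u.jpg 200 90112",
    "10.0.0.12 GET grupomasterplan.com.br /IMAGE_PLACEHOLDER/d.jpg 200 61440",
    "10.0.0.15 GET example.org /index.html 200 1200",
]

LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)"
    r"\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into named fields; raise on anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def find_banload_downloads(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries that match the advisory's download pattern."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        filename = entry["path"].rsplit("/", 1)[-1].lower()
        if (entry["method"] == "GET"
                and entry["host"].lower() == SUSPECT_HOST
                and filename in SUSPECT_FILES):
            hits.append(entry)
    return hits


def is_disguised_image(filename: str, data: bytes) -> bool:
    """True when a file named .jpg/.jpeg does not begin with the JPEG SOI marker,
    i.e. the extension is lying about the content (as the advisory's payloads do)."""
    if not filename.lower().endswith((".jpg", ".jpeg")):
        return False
    return not data.startswith(JPEG_MAGIC)


# Constructed byte strings: the head of a genuine JPEG and an opaque blob standing
# in for an encrypted payload. Neither is taken from the malware.
REAL_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
ENCRYPTED_BLOB = b"\x8b\x1c\xfa\x02\x4d\x5a\x90\x00\x03\x00"

if __name__ == "__main__":
    for hit in find_banload_downloads(SAMPLE_PROXY_LOG):
        print("suspect download:", hit["ip"], hit["host"], hit["path"])
    print("m.jpg disguised:", is_disguised_image("m.jpg", ENCRYPTED_BLOB))
    print("holiday.jpg disguised:", is_disguised_image("holiday.jpg", REAL_JPEG_HEAD))
```

Matching on host plus filename rather than the full path keeps the rule useful even though the directory was redacted; the magic-byte check is independent of the indicator list and catches the "executable renamed to .jpg" trick regardless of host.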
The following files are dropped on the infected system:
- %Windows%\5xpg93.exe [Detected as GAV: Symmi.L_2 (Trojan)]
- %Windows%\vj0yn.b1rf5th5 [Detected as GAV: Banker.ZRG (Trojan)]
- C:\2013 [File-based mutex to ensure it runs only once]
- %USERPROFILE%\Start Menu\Programs\Startup\f7xnd6.LNK [Points to %Windows%\5xpg93.exe, ensures infection upon reboot]
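The dropped files, the file-based mutex and the Startup-folder shortcut are all host artifacts a responder can check for. The following is an added example for this page, not code from SonicWALL or the advisory: it looks for the four paths listed above beneath the base locations they live under, and, as a generalisation beyond the specific indicator, lists every .lnk in the per-user Startup folder so that unexpected entries can be reviewed. The base locations are read from the environment on a live host; for an offline run the code builds a constructed directory tree with empty placeholder files (no real malware involved).

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# The artifacts named in the advisory, keyed by the location each lives under.
# Path separators are given as list components so the check also runs on a
# non-Windows test tree.
HOST_ARTIFACTS = [
    ("windows", ["5xpg93.exe"]),                                            # dropper copy
    ("windows", ["vj0yn.b1rf5th5"]),                                        # banker component
    ("system_drive", ["2013"]),                                             # file-based mutex
    ("userprofile", ["Start Menu", "Programs", "Startup", "f7xnd6.LNK"]),  # reboot persistence
]


def live_locations() -> Dict[str, Path]:
    """Resolve the three base locations on a real Windows host from its environment."""
    return {
        "windows": Path(os.environ.get("WINDIR", r"C:\Windows")),
        "userprofile": Path(os.environ.get("USERPROFILE", r"C:\Users\Default")),
        "system_drive": Path(os.environ.get("SystemDrive", "C:") + "\\"),
    }


def check_host_artifacts(locations: Dict[str, Path]) -> List[str]:
    """Return the advisory artifacts that exist under the given base locations."""
    found = []
    for key, parts in HOST_ARTIFACTS:
        if locations[key].joinpath(*parts).exists():
            found.append("/".join(parts))
    return found


def list_startup_shortcuts(userprofile: Path) -> List[str]:
    """Generalisation: every .lnk in the per-user Startup folder, sorted by name."""
    startup = userprofile / "Start Menu" / "Programs" / "Startup"
    if not startup.is_dir():
        return []
    return sorted(p.name for p in startup.iterdir() if p.suffix.lower() == ".lnk")


def build_test_tree(root: Path, infected: bool) -> Dict[str, Path]:
    """Construct a throwaway tree; with infected=True it holds empty placeholder
    files at the advisory's paths (constructed layout, not a captured image)."""
    locations = {
        "windows": root / "Windows",
        "userprofile": root / "Users" / "victim",
        "system_drive": root,
    }
    for loc in locations.values():
        loc.mkdir(parents=True, exist_ok=True)
    if infected:
        for key, parts in HOST_ARTIFACTS:
            target = locations[key].joinpath(*parts)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"")
    return locations


def simulate(infected: bool) -> List[str]:
    """Run the artifact check against a constructed tree and return what it reports."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_host_artifacts(build_test_tree(Path(tmp), infected))


def simulate_startup_listing(infected: bool) -> List[str]:
    """Run the Startup-folder listing against a constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        return list_startup_shortcuts(build_test_tree(Path(tmp), infected)["userprofile"])


if __name__ == "__main__":
    print("constructed infected tree:", simulate(True))
    print("constructed clean tree:", simulate(False))
    print("this host:", check_host_artifacts(live_locations()))
```

A hit on the mutex file alone is weaker evidence than the executable or the shortcut, since C:\2013 is an ordinary empty file that could exist for other reasons; treat the four indicators together, and treat any unfamiliar .lnk in the Startup folder as worth a look even when its name differs from the one in this sample.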
The Trojan installs multiple hooks and launches the Brazilian Government Department of Treasury owned website in Internet Explorer as seen below:
Site description in English (Courtesy: Google Translation):
If the user enters the Access-Key and Access-Code, the installed hooks capture that information even though the site itself is the official government website:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Banload.SEE (Trojan)
- GAV: Banker.ZRG (Trojan)
- GAV: Banload.SSE#enc (Trojan)
- GAV: Symmi.L_2 (Trojan)