New Banker Trojan targeting Brazilian government site (June 28, 2013)


The Dell SonicWALL Threats Research team came across a new Banker Trojan targeting a Brazilian Government Department of Treasury owned electronic invoice website, attempting to steal sensitive user information. The Trojan arrives as a Windows Control Panel Item file and is a UPX packed DLL written in Delphi. It pretends to be a proof of NF-e invoice and executes if the user attempts to open it.

Infection Cycle:

Upon execution, the Trojan checks for the presence of VMWare environment and terminates if detected.

It connects to a remote server in Brazil to download multiple malicious executables in an encrypted format. The downloaded files are disguised as JPEG images as seen below:

  • GET /IMAGE(REMOVED)/m.jpg [Detected as GAV: Banload.SSE#enc (Trojan)]
  • GET /IMAGE(REMOVED)/u.jpg [Detected as GAV: Banload.SSE#enc (Trojan)]
  • GET /IMAGE(REMOVED)/d.jpg [Detected as GAV: Banload.SSE#enc (Trojan)]

The following files are dropped on the infected system:

  • %Windows%5xpg93.exe [Detected as GAV: Symmi.L_2 (Trojan)]
  • %Windows%vj0yn.b1rf5th5 [Detected as GAV: Banker.ZRG (Trojan)]
  • C:2013 [File based mutex to ensure it runs only once]
  • %USERPROFILE%Start MenuProgramsStartupf7xnd6.LNK [Points to %Windows%5xpg93.exe, esnures infection upon reboot]

The Trojan installs multiple hooks and launches the Brazilian Government Department of Treasury owned website in Internet Explorer as seen below:

Site description in english (Courtesy: Google Translation):

If the user enters the Access-Key and Access-Code information, even though this is the official government website the access information will be compromised because of the hooks installed:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Banload.SEE (Trojan)
  • GAV: Banker.ZRG (Trojan)
  • GAV: Banload.SSE#enc (Trojan)
  • GAV: Symmi.L_2 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.