New Banker Trojan redirects credentials to remote server (Nov 3, 2011)

The Sonicwall UTM research team received reports of a new Banking Trojan in the wild. Banking Trojans steal logon credentials and target specific banks. This Banking Trojan targets users of ITAU bank based in Brazil. The Trojan steals bank logon credentials by redirecting traffic through a remote webserver.

The Trojan adds the following files to the filesystem:

  • {run location}\abcde.txt [Detected as GAV: Banker.ITC (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\bola7.txt [Detected as GAV: Banload.QLO_2 (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\clear.exe [Detected as GAV: Banker.SMY_4 (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\crsrc.exe [Detected as GAV: Banker.SMY_5 (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\iexplore.exe [Detected as GAV: Banker.SMY_6 (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\mbservice.exe [Detected as GAV: Banker.SMY_7 (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\h4714log.txt

h4714log.txt contains the following data:

      tipo=inf
      nomepc={USERNAME}
      mac=08-00-27-{removed}

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mbservice.exe “C:\Documents and Settings\All Users\Application Data\mbservice.exe”

Upon infection, the Trojan replaces itself with {run location}\abcde.txt and then launches mbservice.exe, which runs in the background inspecting window title strings. It contains code that looks for the specific window title string “BANCO ITAU – FEITO PARA VOCE” in a running Internet Explorer window.
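The indicators above (the dropped files under All Users\Application Data, the Run-key entry, and the key=value layout of h4714log.txt) can be checked on an exported host snapshot. The following triage script is an added example, not SonicWall's code; the Run-key values, directory listing and log text it runs against are constructed sample data, and it only matches the filenames when they sit in the Application Data directory the advisory names.

```python
# Indicators taken from the advisory text. A legitimate iexplore.exe lives under
# Program Files, so a match requires the All Users\Application Data location.
APPDATA_DIR = r"C:\Documents and Settings\All Users\Application Data"
DROPPED_FILES = {"bola7.txt", "clear.exe", "crsrc.exe", "iexplore.exe",
                 "mbservice.exe", "h4714log.txt"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def check_run_values(run_values):
    """run_values: dict of Run-key value name -> command line, as exported from the key.
    Returns the value names whose command launches a dropped file from APPDATA_DIR."""
    hits = []
    for name, command in run_values.items():
        path = command.strip().strip('"')
        head, _, base = path.rpartition("\\")
        if head.lower() == APPDATA_DIR.lower() and base.lower() in DROPPED_FILES:
            hits.append(name)
    return hits

def parse_h4714log(text):
    """Parse the tipo/nomepc/mac key=value lines of h4714log.txt into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(run_values, appdata_listing, log_text=None):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for name in check_run_values(run_values):
        findings.append(f"persistence: {RUN_KEY}\\{name} -> {run_values[name]}")
    for fname in sorted(appdata_listing):
        if fname.lower() in DROPPED_FILES:
            findings.append(f"dropped file: {APPDATA_DIR}\\{fname}")
    if log_text:
        fields = parse_h4714log(log_text)
        if fields.get("tipo") == "inf" and {"nomepc", "mac"} <= fields.keys():
            findings.append(f"beacon log: host={fields['nomepc']} mac={fields['mac']}")
    return findings

# Constructed sample snapshot (not real forensic data).
SAMPLE_RUN = {"mbservice.exe": '"C:\\Documents and Settings\\All Users\\Application Data\\mbservice.exe"',
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = ["mbservice.exe", "h4714log.txt", "desktop.ini"]
SAMPLE_LOG = "tipo=inf\nnomepc=LAB-PC\nmac=08-00-27-00-00-00\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_LOG):
        print(finding)
```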

The Trojan targets users of ITAU bank. Below is a screenshot of their main page:

The Trojan redirects all traffic through a remote webserver and was observed leaking the following data from h4714log.txt:

The Trojan also leaks data typed into the “Agency” and “Account” boxes and passwords using the virtual keyboard:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Banload.QLO_2 (Trojan)
  • GAV: Banker.SMY_4 (Trojan)
  • GAV: Banker.SMY_5 (Trojan)
  • GAV: Banker.SMY_6 (Trojan)
  • GAV: Banker.SMY_7 (Trojan)