Posted by on Jul 28, 2016
[Table: "Name of the threat" vs. "Level of prevalence"; the table rows were not preserved in this copy of the post.]
In particular, at ESET's Research Lab we have seen a malware campaign in which the threats are being hosted on the MEO cloud service, which is based in Portugal; in most cases, these are banking trojans. The propagation method is via emails with a link to download the malware.
We can take one of those files as an example: Boleto_NFe_1405201421.PDF.js, detected by ESET as VBS/Obfuscated.G.
Although the script code is obfuscated, the encryption used is easy to reverse. Even without decrypting, we can see that a file disguised as a .jpg file is downloaded to the ProgramData folder under the name flashplayer.exe, and is then executed.
This file, flashplayer.exe, is in turn a banking trojan downloader, which downloads and runs a third executable named Edge.exe. This executable is detected as a Win32/Spy.KeyLogger.NDW variant; however, besides logging keystroke events, it has all the functionality of a banker. Among its many features, it obtains the address of the website the user is currently visiting and checks it against a list of banking websites, using DDE, as we described in the article 'Cómo reconstruir lo que envía un troyano desde un sistema infectado' (How to Rebuild What a Trojan Sends From an Infected System).
The difference is that, this time, the trojan includes code for a larger number of browsers including:
The strings are encrypted with a custom XOR-based algorithm; some of them can be seen below. It is clearly trying to steal access credentials for Brazilian banking sites.
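As an added illustration of how an analyst recovers such a string table (this is example code, not ESET's tooling, and the post does not disclose the real algorithm): the repeating-key XOR, the 4-byte key and the placeholder strings below are constructed assumptions, and the recovery relies only on the fact that a banker's string table contains URLs starting with "https://".

```python
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def is_printable_ascii(data: bytes) -> bool:
    return all(0x20 <= c < 0x7F for c in data)

def recover_key(blobs, crib=b"https://", max_key_len=8):
    """Known-plaintext recovery: assume at least one encrypted string starts
    with `crib` (bankers keep their target URLs), derive a candidate key of
    each length from the start of each blob, and keep the first key that
    reproduces the crib and decodes every blob to printable ASCII."""
    for key_len in range(1, max_key_len + 1):
        if key_len > len(crib):
            break  # the crib cannot pin down a longer key
        for blob in blobs:
            if len(blob) < key_len:
                continue
            key = xor_bytes(blob[:key_len], crib[:key_len])
            if not xor_bytes(blob, key).startswith(crib):
                continue  # wrong key length or this blob is not a URL
            if all(is_printable_ascii(xor_bytes(b, key)) for b in blobs):
                return key
    return None

def decode_strings(blobs, **kw):
    """Return (key, decoded strings) or (None, []) if no key fits all blobs."""
    key = recover_key(blobs, **kw)
    if key is None:
        return None, []
    return key, [xor_bytes(b, key).decode("ascii") for b in blobs]

# Constructed string table (not from the real sample): a made-up 4-byte key
# and the kind of strings the article describes, encrypted here so the
# example runs offline. The bank URLs are placeholders, not real targets.
SAMPLE_KEY = b"k3yB"
SAMPLE_PLAIN = [
    "https://banco-exemplo.com.br/login",
    "https://outro-banco-exemplo.com.br/ib",
    "C:\\ProgramData\\flashplayer.exe",
    "Edge.exe",
]
SAMPLE_BLOBS = [xor_bytes(s.encode("ascii"), SAMPLE_KEY) for s in SAMPLE_PLAIN]

if __name__ == "__main__":
    key, strings = decode_strings(SAMPLE_BLOBS)
    print("recovered key:", key)
    for s in strings:
        print(" ", s)
```

Shorter candidate keys are rejected because they reproduce only the first byte(s) of the crib, so the search stops at the first length that decodes the whole table cleanly.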
We can see how cybercrime is evolving in Brazil, migrating to new platforms and using various programming languages in its attempt to evade detection. Its goals, however, have not changed that much – stealing banking credentials is still the most profitable attack and is therefore the most common.