Banking Malware surfaces in South America
Contributed by: Email on 05/22/2012 02:33 PM
Malware that masquerades as the Google Chrome installer is actually stealing data and stripping software used to protect online banking. It presently is targeting users in Peru and Brazil.
Trend Micro researchers report in a blog post that they have discovered a malicious file called ChromeSetup.exe hosted in domains such as Facebook, MSN, Globo.com, Terra.com and Google. Most appear tied to Brazil since .br or br. appears in the URLs.
This particularly nasty bit of malware, once downloaded, relays an infected machine's IP address and OS to a C&C server. If a user tries to access a legit bank site, the Trojan TSPY_Banker.EUIQ intercepts the page request and displays a "Loading system security" dialog box. The dialog is a cover: what is really happening is that the user is being redirected to a fake banking site.
To aid in a data heist, another component of the Banker malware, as it's called, uninstalls software called GbPlugin, which is designed to protect Brazilian bank customers during online banking. "It does this through the aid of gb_catchme.exe, a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software. The bad guys, in this case, are using the tool for their malicious agendas," according to threats analyst Brian Cayanan.
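The two observable traits described above (an installer named ChromeSetup.exe fetched from brand-lookalike, Brazil-tied URLs, and the malware's use of GMER's gb_catchme.exe to remove GbPlugin) translate directly into hunting logic. The script below is an added example written for this page, not code from the article or from Trend Micro. Everything in it is an assumption: the proxy and process-event log formats, the sample lines (constructed, using reserved .example hosts rather than the real domains named in the article), the allowlist of official Chrome download hosts, and the ".br" / "br." lookalike heuristic, which is a triage signal rather than proof of compromise.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (timestamp client method url status).
# Hosts are reserved .example names, not the domains named in the article.
PROXY_LOG = """\
2012-05-22T10:01:02 10.0.0.5 GET http://www.google.com/chrome/ 200
2012-05-22T10:01:09 10.0.0.5 GET http://facebook.com.br.download.example/ChromeSetup.exe 200
2012-05-22T10:02:15 10.0.0.7 GET http://dl.google.com/chrome/install/ChromeSetup.exe 200
2012-05-22T10:03:40 10.0.0.9 GET http://br.msn.example/files/ChromeSetup.exe 200
2012-05-22T10:04:01 10.0.0.9 GET http://terra.example/news/index.html 200
"""

# Constructed process-creation events in a hypothetical EDR export format.
PROCESS_LOG = """\
2012-05-22T10:05:00 host-a parent=ChromeSetup.exe image=gb_catchme.exe
2012-05-22T10:06:00 host-b parent=explorer.exe image=notepad.exe
2012-05-22T10:07:30 host-c parent=cmd.exe image=GB_CATCHME.EXE
"""

# Assumed allowlist of hosts from which a Chrome installer is expected;
# adjust to what your own environment treats as official.
OFFICIAL_INSTALLER_HOSTS = {"dl.google.com"}

# Brand names the article reports being abused in download URLs.
ABUSED_BRANDS = ("facebook", "msn", "globo", "terra", "google")

# Installer file name the article reports (compared case-insensitively).
INSTALLER_NAMES = {"chromesetup.exe"}

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
PROC_RE = re.compile(r"^(\S+) (\S+) parent=(\S+) image=(\S+)$")


def brand_lookalike(host):
    """Heuristic: host carries an abused brand name together with the
    '.br' / 'br.' marker the article notes on the malicious URLs."""
    h = host.lower()
    return any(b in h for b in ABUSED_BRANDS) and (".br" in h or h.startswith("br."))


def scan_proxy_log(text):
    """Flag installer downloads that do not come from an official host."""
    findings = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, _status = m.groups()
        parsed = urlparse(url)
        host = parsed.hostname or ""
        filename = parsed.path.rsplit("/", 1)[-1].lower()
        if filename not in INSTALLER_NAMES or host in OFFICIAL_INSTALLER_HOSTS:
            continue
        reasons = ["installer name from non-official host"]
        if brand_lookalike(host):
            reasons.append("brand-lookalike host with Brazil marker")
        findings.append({"time": ts, "client": client, "host": host, "reasons": reasons})
    return findings


def scan_process_log(text):
    """Flag every execution of GMER's catchme (gb_catchme.exe): the article
    reports Banker uses it to uninstall GbPlugin, so in an environment where
    it is not normally run its appearance is worth a look."""
    findings = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if not m:
            continue
        ts, host, parent, image = m.groups()
        if image.lower() == "gb_catchme.exe":
            findings.append({"time": ts, "host": host, "parent": parent, "image": image})
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(PROXY_LOG) + scan_process_log(PROCESS_LOG):
        print(finding)
```

Run against the constructed samples, the proxy scan reports the two lookalike downloads and ignores the one from the allowlisted host, and the process scan reports both catchme executions regardless of case. The parent process is kept in each finding because a browser installer spawning a rootkit-removal tool is the detail a responder would pivot on.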
"It looks like this malware is still under development and we may still see improvements in future variants. Roland (de la Paz) also mentions that he came across a likely related C&C that surfaced last October 2011, which indicates that the perpetrators behind this threat aren't new in the scene," wrote Cayanan, who also worked with a third researcher, Roddell Santos, on the Banker malware investigation.
"While we may have a complete picture of this particular attack, the one missing piece now is the same thing that made us notice this malware from the millions of data that we have from our threat intelligence: how it is able to redirect user accesses from normal websites like Facebook or Google to its malicious IP to download malware," Cayanan wrote. "We will continue our investigation related to this incident and will update this blog with our findings.
"Online threats will continue to evolve and find ways into systems. As such, traditional web blocking technologies may fail to block access to malicious URLs, especially when these are masked with the use of legitimate domains like those of Facebook or Google."
The legit download for Chrome is Here.