ESET Research Lab in Latin America has been analyzing an interesting form of banking Trojan that is spreading in Brazil. According to the findings of our research, the banking Trojan spread using social engineering techniques to infect users' PCs. More interestingly, it used a Brazilian government server to collect the victims' information and used Google Chrome™ browser plugins to steal sensitive data. Among the data it collected were Brazilian personal ID numbers, passwords, the PIN (4-digit validation number) of cash cards, and account numbers. However, thanks to ESET research and cooperation with Brazilian authorities and Yahoo!, this threat is no longer active.
“In this case, the malicious code used a server without having to infect it, since the server lacked the adequate controls to prevent being misused by a third party. Consequently, the cybercriminal sought anonymity and tried to access all possible functions provided by legitimate servers in order to dispel any kind of suspicion, given the good reputation of the server,” says Sebastian Bortnik, Education & Research Manager for ESET Latin America. ESET detects this specific banking Trojan as JS/Spy.banker.G.
The malware propagates through an executable that uses social engineering techniques in order to affect as many users as possible. This executable is a dropper, which is a file that installs (or "drops") other files onto the system so that the malware can reach its full operational capabilities. The file analyzed by the ESET Latin America Research Lab was developed in .NET, the popular Microsoft development framework. “The fact that it uses a Chrome extension for data theft has a direct impact on the victim, since in this case it is no longer the operating system that is being infected, but the browser itself,” elaborates Bortnik on what the malware does next. This browser extension is vital for the data theft to take place.
A full technical analysis of this malware is available in the paper “What does a banking Trojan, Chrome and a government mail server have in common?”, which can be found at WeLiveSecurity.com, ESET’s news platform with the latest information and analysis on cyber threats and useful security tips.