A new malware strain has been uncovered that steals information through phishing and by imitating bank webpages.
According to Zscaler researchers, it watches for requests to certain URLs, including those of Mexico's second-largest bank, Banamex, and intercepts them through a local proxy built on the popular Fiddler application library, replacing the genuine sites with proxied fakes. Its list of targeted domains is constantly updated.
Zscaler ThreatLabZ found the Trojan, written in .NET, in April. The researchers said that the baddie is of Spanish origin, and was first noted targeting users in the US and Mexico.
“Mexico's second largest bank—Banamex, appears to be the main target of this Infostealer Trojan for credential theft and financial fraud,” the researchers said in an analysis. “However, the authors can easily add more targets given that they are actively updating the list every 10 minutes.”
As with most attacks these days, the infection cycle starts with a bit of social engineering. Phishing emails contain an installer payload with a double extension, “curp.pdf.exe,” in a relatively poor attempt to pose as a PDF document to the end user. The malware payload does not have the PDF file icon embedded in it, so the user will see the document file with a generic application icon.
Once the victim clicks on it, the installer executes and downloads three components: the payload that steals the banking credentials; the legitimate Fiddler Proxy Engine for .NET applications, which the malware authors use for the main infostealer functionality; and an open-source JSON framework, which they use to parse Command & Control (C&C) server responses and convert them into XML format.
Once the program has been downloaded, it establishes itself on the computer and sets itself up to remain active by creating an autostart registry key entry on computers running Windows XP. The malware then uses Json.NET, a legitimate .NET class library, to collect information such as "MachineName", "UserName", "systeminfo" and "hostip".
The C&C server sends a configuration file containing a list of domain-to-IP tuples. The infostealer uses these primarily to hijack the user's requests to the banking domains, redirecting them to a malicious server that hosts a phishing copy of the targeted site, where victims are encouraged to enter their credentials.
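One practical consequence of that redirect table is a detectable pattern on the network: a workstation sends a request whose HTTP Host header names the bank, but the connection actually goes to an IP outside the bank's known address space, and usually several banking hostnames collapse onto the same unexpected IP from the same machine. The following Python script is an added example, not code from the article or from Zscaler, that runs that check over constructed egress-proxy log lines. The domain names, address ranges and log format are placeholders chosen for the example, not real allocations for any bank.

```python
import ipaddress

# Constructed placeholder values: the domains a defender watches and the
# address ranges their legitimate front-ends are expected to live in.
# These are documentation/test networks, not real bank allocations.
EXPECTED_RANGES = {
    "bank.example": ["203.0.113.0/24"],
    "login.bank.example": ["203.0.113.0/24", "198.51.100.0/25"],
}

# Constructed egress-proxy log lines (assumed format): timestamp, source
# workstation, HTTP Host header sent by the client, destination IP connected to.
SAMPLE_LOG = """\
2023-04-01T10:00:01Z ws-17 bank.example 203.0.113.10
2023-04-01T10:00:05Z ws-17 login.bank.example 198.51.100.20
2023-04-01T10:02:14Z ws-23 login.bank.example 192.0.2.77
2023-04-01T10:02:15Z ws-23 bank.example 192.0.2.77
2023-04-01T10:03:00Z ws-08 news.example 192.0.2.5
2023-04-01T10:03:09Z malformed line
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate truncated or malformed lines instead of crashing
        ts, src, host, dest = parts
        try:
            dest_ip = ipaddress.ip_address(dest)
        except ValueError:
            continue  # destination field is not an IP address; ignore the line
        records.append({"ts": ts, "src": src, "host": host.lower(), "dest": dest_ip})
    return records


def compile_expected(expected):
    """Turn the range strings into ip_network objects once, keyed by lowercase domain."""
    return {d.lower(): [ipaddress.ip_network(n) for n in nets]
            for d, nets in expected.items()}


def find_hijacks(records, expected=EXPECTED_RANGES):
    """Return records where a monitored Host header went to an IP outside
    the ranges that domain is expected to resolve to."""
    nets = compile_expected(expected)
    hits = []
    for r in records:
        ranges = nets.get(r["host"])
        if ranges is None:
            continue  # not a monitored domain
        if not any(r["dest"] in n for n in ranges):
            hits.append(r)
    return hits


def shared_sinks(hits):
    """Group hijacked requests by (source, destination). Several monitored
    domains collapsing onto one unexpected IP from one machine is the
    signature of a domain-to-IP redirect table rather than a stray CDN change."""
    groups = {}
    for r in hits:
        groups.setdefault((r["src"], str(r["dest"])), set()).add(r["host"])
    return {key: sorted(hosts) for key, hosts in groups.items() if len(hosts) > 1}


if __name__ == "__main__":
    hits = find_hijacks(parse_log(SAMPLE_LOG))
    for r in hits:
        print(f"{r['ts']} {r['src']}: {r['host']} -> {r['dest']} (outside expected ranges)")
    for (src, dest), hosts in shared_sinks(hits).items():
        print(f"{src}: {len(hosts)} monitored domains redirected to {dest}: {', '.join(hosts)}")
```

On the constructed sample, `ws-17` is clean, `ws-08` touches an unmonitored site, and `ws-23` is flagged twice with both banking hostnames landing on the same unexpected address, which is the grouping `shared_sinks` surfaces. In a real deployment the expected ranges would come from the bank's published address space or from a baseline of resolutions seen from trusted hosts, and the log source would be the egress proxy or firewall, since the hijack happens inside the infected machine and never reaches the organisation's DNS resolver.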
“We regularly see multiple .NET based malware payloads but this particular infostealer Trojan caught our attention because of the use of popular application libraries like Fiddler and Json.NET in its operation,” the researchers said.