New Banker Trojan redirects credentials to remote server

November 8, 2011

The Sonicwall UTM research team received reports of a new Banking Trojan in the wild. Banking Trojans steal logon credentials and target specific banks. This Banking Trojan targets users of ITAU bank based in Brazil. The Trojan steals bank logon credentials by redirecting traffic through a remote webserver.

The Trojan adds the following files to the filesystem:

  • {run location}abcde.txt [Detected as GAV: Banker.ITC (Trojan)]
  • C:Documents and SettingsAll UsersApplication Databola7.txt [Detected as GAV: Banload.QLO_2 (Trojan)]
  • C:Documents and SettingsAll UsersApplication Dataclear.exe [Detected as GAV: Banker.SMY_4 (Trojan)]
  • C:Documents and SettingsAll UsersApplication Datacrsrc.exe [Detected as GAV: Banker.SMY_5 (Trojan)]
  • C:Documents and SettingsAll UsersApplication Dataiexplore.exe [Detected as GAV: Banker.SMY_6 (Trojan)]
  • C:Documents and SettingsAll UsersApplication Datambservice.exe [Detected as GAV: Banker.SMY_7 (Trojan)]
  • C:Documents and SettingsAll UsersApplication Datah4714log.txt

h4714log.txt contains the following data:


The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun mbservice.exe "C:Documents and SettingsAll UsersApplication Datambservice.exe"

Upon infection the Trojan replaces itself with {run location}abcde.txt and then runs mbservice.exe. mbservice.exe runs in the background inspecting window title strings. It contains code that looks for a specific window title string "BANCO ITAU - FEITO PARA VOCE" running in Internet Explorer.

The Trojan targets users of ITAU bank. Below is a screenshot of their main page:

The Trojan redirects all traffic through a remote webserver and was observed leaking the following data from h4714log.txt:

The Trojan also leaks data typed into the "Agency" and "Account" boxes and passwords using the virtual keyboard:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Banload.QLO_2 (Trojan)
  • GAV: Banker.SMY_4 (Trojan)
  • GAV: Banker.SMY_5 (Trojan)
  • GAV: Banker.SMY_6 (Trojan)
  • GAV: Banker.SMY_7 (Trojan)