New banker Trojan steals information via compromised webservers

August 11, 2011

The SonicWALL UTM research team received reports of a new banking Trojan spreading in the wild. The Trojan spreads through email and steals banking credentials from customers of BBVA bank. The email falsely reports that the long-time dictator of Cuba, Fidel Castro, has died of a sudden heart attack at his residence. It contains two links, "click on the image" and "Play video", both of which lead to the download of the Trojan executable file:

The links to the Trojan are hosted on compromised webservers:

  • http://www.chem{removed}
  • http://www.ferienwoh{removed}

The downloaded file uses the following icon:

Once run, this initial dropper Trojan adds the following file to the filesystem:

  • C:\09342.exe [Detected as GAV: Dapato.HEM (Trojan)]

The following request was observed when obtaining 009342.exe. This file is a spreader Trojan and is downloaded from a predetermined list of compromised remote webservers:

C:\09342.exe is executed and makes the following change to the filesystem:

  • C:\Documents and Settings\All Users\Application Data\Lupita\Lupita.exe [Detected as GAV: Banker.SKQG (Trojan)]

C:\09342.exe makes the following change to the Windows registry to enable startup of the main banking Trojan:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "C:\Documents and Settings\All Users\Application Data\Lupita\Lupita.exe"

C:\09342.exe was also seen scanning all directories on the filesystem for .dbx files in an attempt to gather email addresses for further spreading.
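One way a defender can triage the autostart entry described above, as an added example that is not code from the advisory or from SonicWALL: parse a .reg export of the HKCU Run key and flag any value whose program sits in a user-writable data directory such as All Users\Application Data. The registry excerpt and the directory list are constructed assumptions, not captures from the sample.

```python
import re
# Constructed sample in .reg export format (not a capture from the malware): the
# HKCU Run key with a benign entry beside an autostart value shaped like the one
# the advisory reports for Lupita.exe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Lupita"="C:\\Documents and Settings\\All Users\\Application Data\\Lupita\\Lupita.exe"
'''
RUN_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"
# Directories installers rarely use for an autostart binary but that an
# unprivileged dropper can write to (assumed list; tune for your environment).
SUSPICIOUS_DIRS = ("\\documents and settings\\all users\\application data\\",
                   "\\programdata\\", "\\application data\\", "\\appdata\\", "\\temp\\")

def parse_run_values(reg_text):
    """Return (value_name, command) pairs listed under the HKCU Run key."""
    values, in_key = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):            # a key header starts a new section
            in_key = line.strip() == RUN_KEY
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip()) if in_key else None
        if m:
            # .reg files escape quotes and backslashes inside string data
            command = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            values.append((m.group(1), command))
    return values

def executable_path(command):
    """Strip arguments from a Run command, honouring a quoted program path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"^(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command

def flag_suspicious(reg_text):
    """Return (name, path) for Run values whose program sits in a user-writable data directory."""
    flagged = []
    for name, command in parse_run_values(reg_text):
        path = executable_path(command)
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            flagged.append((name, path))
    return flagged

if __name__ == "__main__":
    for name, path in flag_suspicious(SAMPLE_REG):
        print(f"suspicious autostart: {name} -> {path}")
```

A hit is a triage lead rather than a verdict, since some legitimate software also autostarts from AppData; the flagged binary should be checked against the GAV signatures named at the end of this post.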

The dropped executable (Lupita.exe) is the main banker Trojan. The Trojan binary contains the following links:

  • http://www.hidro{removed}
  • http://www.holi{removed}.info/features/addo.php
  • http://h1655219.stra{removed}.net/wework/js/addo.php
  • http://www.hippodr{removed}.com//Hippodrome/Les_partenaires/del.php
  • http://www.houseimm{removed}.it/php/del.php
  • http://icomiarr{removed}.net//del.php
  • http://www.ihp-e{removed}.be/espoir/wii.php
  • http://www.hw{removed}.com/modules/wii.php
  • http://www.f{removed}.at//newpics/tr/up7.exe.bak
  • http://mox{removed}.vn//images/up7.exe.bak
  • http://www.flc{removed}
  • http://www.marath{removed}.com//images/sd/up7.exe.bak
  • http://www.ecuriesdupa{removed}.com//agb/config/up7.exe.bak
  • http://www.designs{removed}.com/portfolio/we/up7.exe.bak

The links are used for receiving stolen banking credentials from the Trojan.

Lupita.exe uses the following icon:

After reboot and an undetermined period of time the Trojan (Lupita.exe) will spawn a BBVA bank login page in place of the Windows desktop background. The page cannot be closed unless the process is killed:

In an attempt to appear legitimate, the page contains genuine warnings about online banking security. One warning roughly translates to:

  • "If you get a few emails or enter a screen where you apply all your card numbers secure password, do not give any help and contact information online at 600 600 1100"

The page does however ask for your BBVA bank logon credentials. This information is posted to a remote webserver:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Banker.SKQG (Trojan)
  • GAV: Dapato.HEM (Trojan)