New Banker Trojan targeting Brazilian government site

June 28, 2013

The Dell SonicWALL Threats Research team came across a new Banker Trojan targeting the electronic invoice (NF-e) website owned by the Brazilian Government Department of Treasury, attempting to steal sensitive user information. The Trojan arrives as a Windows Control Panel Item (.cpl) file, which is a UPX-packed DLL written in Delphi. It pretends to be proof of an NF-e invoice; because Windows executes a .cpl file when it is opened, the payload runs as soon as the user tries to view the supposed invoice.

Infection Cycle:

Upon execution, the Trojan checks for the presence of a VMware environment and terminates if one is detected.

It then connects to a remote server in Brazil to download multiple malicious executables in encrypted form. The downloaded files are disguised as JPEG images, as the requests below show:

  • GET /IMAGE(REMOVED)/m.jpg [Detected as GAV: Banload.SSE#enc (Trojan)]
  • GET /IMAGE(REMOVED)/u.jpg [Detected as GAV: Banload.SSE#enc (Trojan)]
  • GET /IMAGE(REMOVED)/d.jpg [Detected as GAV: Banload.SSE#enc (Trojan)]
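
The disguised downloads above are caught by checking what the bytes actually are rather than what the URL says they are. The following Python is an added example, not code from the original post or from SonicWALL: it compares the claimed JPEG type with the file's magic bytes and measures byte entropy to separate an encrypted blob from a merely mislabelled file. The URL paths and response bodies are constructed samples, not captures from this campaign, and the 7.2 bits-per-byte entropy threshold is an assumed tuning value.

```python
import math
from collections import Counter

# Magic bytes of the two formats in play: a JPEG opens with the SOI marker FF D8 FF,
# a Windows executable (what was really being served) with "MZ".
JPEG_SOI = b"\xff\xd8\xff"
MZ_MAGIC = b"MZ"
ENTROPY_THRESHOLD = 7.2   # assumed tuning value, bits per byte; encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_download(url_path: str, body: bytes) -> dict:
    """Compare what the URL claims the content is with what the bytes say it is."""
    claims_jpeg = url_path.lower().endswith((".jpg", ".jpeg"))
    entropy = shannon_entropy(body)
    if body.startswith(MZ_MAGIC):
        return {"suspicious": True, "reason": "PE executable served under an image name", "entropy": entropy}
    if claims_jpeg and not body.startswith(JPEG_SOI):
        if entropy >= ENTROPY_THRESHOLD:
            reason = "no JPEG header and high entropy: likely encrypted payload"
        else:
            reason = "no JPEG header: mislabelled content"
        return {"suspicious": True, "reason": reason, "entropy": entropy}
    return {"suspicious": False, "reason": "content consistent with claimed type", "entropy": entropy}


def flag_responses(responses: dict) -> dict:
    """Classify every (url path -> body) pair and keep only the suspicious ones."""
    results = {path: classify_download(path, body) for path, body in responses.items()}
    return {path: verdict for path, verdict in results.items() if verdict["suspicious"]}


# Constructed sample responses (not captures from the real campaign): a genuine JPEG
# header, an MZ executable and a pseudo-random blob standing in for an encrypted payload.
SAMPLE_RESPONSES = {
    "/example/logo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(range(256)),
    "/example/m.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "/example/u.jpg": bytes((i * 97 + 31) & 0xFF for i in range(1024)),
}

if __name__ == "__main__":
    for path, verdict in flag_responses(SAMPLE_RESPONSES).items():
        print(f"{path}: {verdict['reason']} (entropy {verdict['entropy']:.2f})")
```

A real JPEG is itself compressed and therefore high-entropy, which is why the magic-byte check comes first and entropy is only used to grade what fails it. The same two checks are what a proxy or IDS rule for "image URL, non-image body" does.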

The following files are dropped on the infected system:

  • %Windows%\5xpg93.exe [Detected as GAV: Symmi.L_2 (Trojan)]
  • %Windows%\vj0yn.b1rf5th5 [Detected as GAV: Banker.ZRG (Trojan)]
  • C:\2013 [File-based mutex to ensure it runs only once]
  • %USERPROFILE%\Start Menu\Programs\Startup\f7xnd6.LNK [Points to %Windows%\5xpg93.exe, ensures the infection survives a reboot]
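
The Startup-folder shortcut is the persistence mechanism, so the natural check on a suspect host is to resolve every .LNK in that folder and look at where it points. The Python below is an added example, not code from the original post or from SonicWALL. It parses the LinkInfo block of the Shell Link format (MS-SHLLINK) to recover the target path without Windows APIs, then applies a heuristic that flags targets sitting directly in the Windows directory under a short mixed letter-and-digit name such as 5xpg93.exe. The build_lnk() fixture, the heuristic and its thresholds are assumptions of this example, and the Startup path used in the main block is the modern %APPDATA% location rather than the %USERPROFILE%\Start Menu path shown above.

```python
import os
import re
import struct
from typing import Optional

# Shell Link (MS-SHLLINK) constants: fixed header size and the shell link CLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian byte order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x1         # LinkFlags bit 0
HAS_LINK_INFO = 0x2                   # LinkFlags bit 1
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1   # LinkInfoFlags bit 0

WINDOWS_ROOTS = {r"c:\windows", r"c:\winnt"}
# Assumed heuristic: 5 to 8 characters mixing letters and digits, directly in the Windows dir.
MIXED_SHORT_NAME = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{5,8}\.(exe|dll|cpl|scr)$", re.I)


def lnk_target(data: bytes) -> Optional[str]:
    """Return the local target path stored in a .LNK, or None if it carries no local path."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:               # skip the size-prefixed IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not link_flags & HAS_LINK_INFO:
        return None
    li = pos                                               # start of the LinkInfo structure
    _, hdr_size, li_flags, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, li)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                                        # network-relative target only

    def cstr(off: int) -> str:                             # NUL-terminated ANSI string in LinkInfo
        start = li + off
        return data[start:data.index(b"\x00", start)].decode("cp1252", errors="replace")

    def wstr(off: int) -> str:                             # NUL-terminated UTF-16LE string
        start = end = li + off
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        return data[start:end].decode("utf-16-le", errors="replace")

    if hdr_size >= 0x24:                                   # Unicode offsets present, prefer them
        base_u, suffix_u = struct.unpack_from("<2I", data, li + 0x1C)
        return wstr(base_u) + wstr(suffix_u)
    return cstr(base_off) + cstr(suffix_off)               # full path = LocalBasePath + CommonPathSuffix


def is_suspicious_startup_target(target: str) -> bool:
    """Flag a Startup shortcut that points straight into the Windows directory at a random-looking name."""
    directory, _, name = target.replace("/", "\\").rpartition("\\")
    return directory.lower() in WINDOWS_ROOTS and bool(MIXED_SHORT_NAME.match(name))


def scan_startup_folder(folder: str) -> list:
    """Resolve every .LNK in a folder; returns (shortcut path, target, suspicious) tuples."""
    findings = []
    for entry in os.scandir(folder):
        if not (entry.is_file() and entry.name.lower().endswith(".lnk")):
            continue
        try:
            with open(entry.path, "rb") as fh:
                target = lnk_target(fh.read())
        except ValueError:
            target = None
        findings.append((entry.path, target, bool(target) and is_suspicious_startup_target(target)))
    return findings


def build_lnk(local_path: str) -> bytes:
    """Construct a minimal .LNK (header plus LinkInfo with an ANSI LocalBasePath) as a test
    fixture. Real shortcuts also carry an IDList, string data and extra data blocks."""
    path = local_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    hdr = 0x1C
    base_off = hdr + len(volume_id)
    suffix_off = base_off + len(path)
    body = volume_id + path + b"\x00"                              # empty CommonPathSuffix
    link_info = struct.pack("<7I", hdr + len(body), hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            hdr, base_off, 0, suffix_off) + body
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_INFO,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)      # FILE_ATTRIBUTE_ARCHIVE, SW_SHOWNORMAL
    return header + link_info


if __name__ == "__main__":
    # Modern per-user Startup folder; the XP-era path in this post is %USERPROFILE%\Start Menu\Programs\Startup.
    startup = os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup")
    if os.path.isdir(startup):
        for shortcut, target, bad in scan_startup_folder(startup):
            print(("SUSPICIOUS" if bad else "ok        "), shortcut, "->", target)
```

On an acquired disk image, point scan_startup_folder() at the mounted Startup directory instead of the live one. Shortcuts that carry only a network-relative link return None and need separate handling, and the name heuristic is a triage aid for analysts rather than a detection signature: treat any flagged target as something to pull and examine, not as a verdict.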

The Trojan installs multiple hooks and then opens the Brazilian Government Department of Treasury electronic invoice website in Internet Explorer.

[Screenshot: site description in English (courtesy: Google Translate)]

If the user then enters the Access Key and Access Code, that information is captured by the installed hooks even though the page in use is the genuine government website. The interception happens on the infected host, so the site's own protections, including TLS on the connection, do nothing to prevent it.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Banload.SEE (Trojan)
  • GAV: Banker.ZRG (Trojan)
  • GAV: Banload.SSE#enc (Trojan)
  • GAV: Symmi.L_2 (Trojan)