Recently, we have come across a Brazilian trojan horse trying to steal online banking credentials, again. This is not surprising at all, as Brazil is still one of the top countries producing this kind of malware. The quality of these samples varies along with the techniques used to fool online banking users, but the traditional approach is either pretending to be real banking software or a simple redirect from the bank website to a fake one. In either scenario, the credentials typed by users end up in the hands of the attacker and can be misused. This particular trojan is no different, but it definitely uses one of the more interesting methods to hide the fact that there is something “phishy” going on with your online banking.

First of all, let’s have a look at the deployment phase, which is quite amateurish. The initial sample is distributed in the form of a CAB/SFX (self-extracting cabinet file) archive which contains the following files:

push.exe - Perl script compiled with the Perl2Exe tool; it is used to launch the following batch file

bat.bat - a very simple batch downloader

wget.exe - the free GNU Wget tool, used to download the banking trojan horse

This whole functionality fits in a 1.2MB file?


So all this CAB/SFX does is download another malicious file (the actual banking trojan) and execute it. And there was even room for a mistake in this trivial task! If the %HOMEPATH% environment variable is set to a path containing spaces (e.g. “\Documents and Settings\User\” on Windows XP), then this path is not parsed correctly, winet.exe is downloaded somewhere else (e.g. “C:\Documents\winet.exe”) and is never executed at all.

However, let’s see what happens if the downloader manages to do its job and correctly executes the downloaded sample. The banking trojan horse itself is written in Delphi, which is very popular among Brazilian blackhats, and uses a simple timer function to perform the following actions periodically (as fast as possible):

1) Writes itself to the registry, so the malware is executed every time the user logs into the system:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\bnb


2) Contacts its server:

hxxp://kl.no-ip.biz/~axxxxxxy/admin/1gate.php?username=+0.1+&country=Ativado&OS=


3) Checks whether the foreground window has one of the following titles:

“Caixa Econômica Federal – Google Chrome”

“Banco Itaú – Feito Para Você – Google Chrome”

“HSBC Bank Brasil S.A. – Banco Múltiplo – Google Chrome”

Checks whether online banking is in the foreground


As you can see, clients of these three Brazilian banks who use the Google Chrome web browser are targeted in this case.
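The three periodic actions above (Run-key persistence, a beacon to a dynamic-DNS host, and the window-title check) are all observable from endpoint telemetry. The following detection logic is an added example, not code from the original write-up or from AVG; it runs over constructed Sysmon-style log lines (the tab-separated key=value format, the user name and the vendor/bank hosts are made up here), flags a Run-key value that points at a binary in a user-writable directory, flags DNS lookups or connections to dynamic-DNS domains, and correlates the two on the same process image. The list of dynamic-DNS suffixes is an assumption to be extended with whatever your environment considers suspicious.

```python
# Constructed Sysmon-style events (one per line, tab-separated key=value fields).
# Event ids follow Sysmon's numbering (13 = registry value set, 22 = DNS query,
# 3 = network connection); the paths and hosts echo the indicators in the
# write-up (Run\bnb, kl.no-ip.biz), but the lines themselves are made up.
SAMPLE_EVENTS = [
    "\t".join(["id=13", "image=C:\\Users\\alice\\AppData\\Local\\Temp\\winet.exe",
               "target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\bnb",
               "details=C:\\Users\\alice\\AppData\\Local\\Temp\\winet.exe"]),
    "\t".join(["id=13", "image=C:\\Program Files\\Vendor\\updater.exe",
               "target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
               "details=C:\\Program Files\\Vendor\\updater.exe"]),
    "\t".join(["id=22", "image=C:\\Users\\alice\\AppData\\Local\\Temp\\winet.exe",
               "query=kl.no-ip.biz"]),
    "\t".join(["id=3", "image=C:\\Users\\alice\\AppData\\Local\\Temp\\winet.exe",
               "dst=kl.no-ip.biz:80"]),
    "\t".join(["id=3", "image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
               "dst=bank.example:443"]),
]

RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# Directories an unprivileged user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\temp\\")
# Assumed list of dynamic-DNS provider suffixes; extend for your environment.
DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org")


def parse_event(line):
    """Split one 'key=value<TAB>key=value' line into a dict (constructed format)."""
    event = {}
    for field in line.split("\t"):
        key, _, value = field.partition("=")
        event[key] = value
    return event


def in_user_writable_dir(path):
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def is_dyndns(host):
    """True if host (optionally host:port) is under a dynamic-DNS suffix."""
    name = host.lower().split(":")[0]
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def detect(lines):
    """Return (rule, image, detail) tuples; the last rule correlates both behaviours."""
    alerts = []
    persisting, beaconing = set(), set()
    for line in lines:
        ev = parse_event(line)
        image = ev.get("image", "")
        if (ev.get("id") == "13" and RUN_KEY in ev.get("target", "").lower()
                and in_user_writable_dir(ev.get("details", ""))):
            alerts.append(("run_key_persistence", image, ev["target"]))
            persisting.add(image.lower())
        host = ev.get("query") or ev.get("dst") or ""
        if ev.get("id") in ("3", "22") and is_dyndns(host):
            alerts.append(("dyndns_contact", image, host))
            beaconing.add(image.lower())
    for image in sorted(persisting & beaconing):
        alerts.append(("persistence_plus_dyndns_beacon", image, ""))
    return alerts


if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {image}  {detail}")
```

The Run-key rule deliberately ignores the vendor updater in Program Files, so the signal comes from where the autostart binary lives rather than from the value name `bnb`, which the next variant will simply rename.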

If the online banking website is in the foreground (which means the user is using online banking right now), the more interesting part begins. First of all, a new window of the Internet Explorer_Server class is injected into Chrome’s rendering widget (Chrome_RenderWidgetHostHWND). This is the rectangular area of the Chrome browser in which the actual website is rendered. The following screen captures from Microsoft’s Spy++ utility show how it is done:

Comparison between unaffected (upper) and injected (lower) Chrome renderer widget


After this injection, a fake copy of the bank’s website is loaded and displayed in the injected Internet Explorer_Server window. This alters only the rendering area of the Chrome window and leaves all other parts, such as the tabs, title and address bar, untouched! It means that you see the fake website displayed, while the title and URL still belong to the real bank.
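What Spy++ shows by hand can be checked programmatically: a window of class Internet Explorer_Server has no business sitting underneath Chrome_RenderWidgetHostHWND. The following script is an added example, not part of the original analysis or any AVG tool. Its core function works on a plain list of (hwnd, parent, class name) tuples so it can be exercised offline on constructed window trees; on Windows, the collector walks the live desktop through user32. The two class names from the write-up are used as given; the top-level class names in the constructed trees (Chrome_WidgetWin_1, IEFrame) and the handle values are assumptions for illustration.

```python
import sys

# Constructed window trees as (hwnd, parent_hwnd, class_name). The renderer and
# Internet Explorer_Server class names come from the analysis; the top-level
# class names and handle values are assumed for this example.
CLEAN_TREE = [
    (0x100, 0, "Chrome_WidgetWin_1"),
    (0x101, 0x100, "Chrome_RenderWidgetHostHWND"),
]
INJECTED_TREE = CLEAN_TREE + [
    (0x102, 0x101, "Internet Explorer_Server"),  # foreign control inside the renderer
]
GENUINE_IE_TREE = [
    (0x200, 0, "IEFrame"),
    (0x201, 0x200, "Internet Explorer_Server"),  # legitimate: IE hosting its own engine
]


def find_injected_renderers(windows, host_class="Chrome_RenderWidgetHostHWND",
                            foreign_class="Internet Explorer_Server"):
    """Return (foreign_hwnd, host_hwnd) pairs for every foreign_class window that
    sits anywhere below a host_class window; an IE engine under IEFrame is not hit."""
    parent_of = {hwnd: parent for hwnd, parent, _ in windows}
    class_of = {hwnd: cls for hwnd, _, cls in windows}
    hits = []
    for hwnd, _, cls in windows:
        if cls != foreign_class:
            continue
        ancestor = parent_of.get(hwnd, 0)
        while ancestor:
            if class_of.get(ancestor) == host_class:
                hits.append((hwnd, ancestor))
                break
            ancestor = parent_of.get(ancestor, 0)
    return hits


def collect_window_tree():
    """Walk the live desktop with user32 (Windows only) into the same tuple form."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs the Windows user32 API")
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.WinDLL("user32", use_last_error=True)
    WNDENUMPROC = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    user32.GetParent.argtypes = [wintypes.HWND]
    user32.GetParent.restype = wintypes.HWND
    user32.GetClassNameW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    user32.EnumWindows.argtypes = [WNDENUMPROC, wintypes.LPARAM]
    user32.EnumChildWindows.argtypes = [wintypes.HWND, WNDENUMPROC, wintypes.LPARAM]

    def class_name(hwnd):
        buf = ctypes.create_unicode_buffer(256)
        user32.GetClassNameW(hwnd, buf, 256)
        return buf.value

    records = []

    @WNDENUMPROC
    def on_child(hwnd, lparam):
        # EnumChildWindows yields every descendant, so ask for the real parent.
        records.append((hwnd, user32.GetParent(hwnd) or 0, class_name(hwnd)))
        return True

    @WNDENUMPROC
    def on_top_level(hwnd, lparam):
        records.append((hwnd, 0, class_name(hwnd)))
        user32.EnumChildWindows(hwnd, on_child, 0)
        return True

    user32.EnumWindows(on_top_level, 0)
    return records


if __name__ == "__main__":
    tree = collect_window_tree() if sys.platform == "win32" else INJECTED_TREE
    for foreign, host in find_injected_renderers(tree):
        print(f"Internet Explorer_Server {foreign:#x} nested under Chrome renderer {host:#x}")
```

Running this on a clean desktop should print nothing; a hit means some process has parented an IE control into Chrome's rendering area, which is exactly the overlay described above and worth inspecting regardless of which bank is in the address bar.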

This makes it really difficult to distinguish whether you are on the real website or its fake copy. In this case, the difference can be spotted when you right-click somewhere in the loaded website: the injected Chrome shows a context menu typical of Internet Explorer rather than of Chrome, because you are actually clicking into the Internet Explorer_Server window (even though it sits within the Chrome browser):


Comparison between genuine bank site (upper) and the fake one (lower)


As you can see, it is really hard to tell which one is fake and which one is genuine, and the address bar is not helping at all in this case. In fact, the fake variant is an exact copy of the real bank site created with the HTTrack Website Copier/3.x software. You can even see its signature in the header of the fake website:

Comparison between genuine bank site (upper) and the fake one (lower)
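The HTTrack signature the author spotted in the page header is a cheap triage indicator when you have a copy of a suspected phishing page (for example from a takedown request or a proxy cache). The following is an added example and not code from the original post: it looks for the "Mirrored from ... by HTTrack Website Copier/..." comment that HTTrack writes at the top of every mirrored page, and for the secondary "Added by HTTrack" marker around the meta tag it inserts. Both HTML snippets are constructed here, and the origin host in them is a placeholder.

```python
import re

# Constructed HTML snippets (not taken from the analysed sites). FAKE_PAGE carries
# the two comments HTTrack leaves behind; GENUINE_PAGE is the same page without them.
FAKE_PAGE = """<!DOCTYPE html>
<!-- Mirrored from www.bank.example/ by HTTrack Website Copier/3.x [XR&CO'2010], Mon, 01 Jan 2011 12:00:00 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=utf-8" /><!-- /Added by HTTrack -->
<html><head><title>Internet Banking</title></head><body>...</body></html>
"""
GENUINE_PAGE = """<!DOCTYPE html>
<html><head><title>Internet Banking</title></head><body>...</body></html>
"""

# "Mirrored from <origin> by HTTrack Website Copier/<version> [...], <date> -->"
MIRROR_RE = re.compile(
    r"<!--\s*Mirrored from\s+(?P<origin>\S+)\s+by\s+HTTrack Website Copier/"
    r"(?P<version>[\w.]+)(?:\s*\[[^\]]*\])?,?\s*(?P<date>[^>]*?)\s*-->",
    re.IGNORECASE,
)
ADDED_RE = re.compile(r"<!--\s*Added by HTTrack\s*-->", re.IGNORECASE)


def httrack_signature(html):
    """Return {'origin', 'version', 'date'} if the page carries HTTrack's mirror
    comment, a dict of Nones if only the 'Added by HTTrack' marker is present,
    and None when neither is found."""
    m = MIRROR_RE.search(html)
    if m:
        return {"origin": m.group("origin"), "version": m.group("version"),
                "date": m.group("date") or None}
    if ADDED_RE.search(html):
        return {"origin": None, "version": None, "date": None}
    return None


def looks_like_mirror(html):
    return httrack_signature(html) is not None


if __name__ == "__main__":
    for name, page in (("fake", FAKE_PAGE), ("genuine", GENUINE_PAGE)):
        print(name, httrack_signature(page))
```

A hit tells you which real site was cloned and when, which is useful when notifying the bank; the absence of a hit proves nothing, since the comment is trivially stripped.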


Of course, the scripts processing the credentials are changed, and the online banking information typed by users is sent to the attacker rather than to the bank. Depending on the window title, one of the following websites is loaded instead of the real bank:

hxxp://kl.no-ip.biz/~axxxxxxy/FAKES/CAIXA/

hxxp://kl.no-ip.biz/~axxxxxxy/FAKES/ITAU/

hxxp://kl.no-ip.biz/~axxxxxxy/FAKES/HSBC/

The downloader part is detected by AVG as Trojan horse Downloader.Generic_c.DWB and the banking trojan itself as Trojan horse PSW.Delf.HOM.

Checksums of both samples are:

8C3BFFBEBF4D332D639BEB7C92D31D85

52FDD72281F7EB40816E828624A3EB72


Tomas Prochazka