The Latest in IT Security

Banker Malware Massively Distributed in Spain

21 Jul 2011

We were recently notified of a banker malware that is being distributed in Spain. This malware, which Trend Micro detects as TROJ_BANLOD.QSPN, is reported to arrive via mass-mailed spam messages that pretend to come from the National Police of Spain. The email contains a link that leads to the download of TROJ_BANLOD.QSPN, a downloader that in turn downloads TSPY_BANCOS.QSPN.

One thing we’ve noticed in this particular attack is that it uses compromised sites for its malicious operations. The download sites and phone home URLs are all legitimate URLs containing specific directories and content that are used for this attack. Furthermore, TSPY_BANCOS.QSPN obtains the phone home URLs from the site http://{BLOCKED}s:81/images/cancel.txt.

This makes the phone home URLs dynamic, as the content of this site can be updated at any time. It is also worth mentioning that the phone home URLs to which this site points are also compromised and contain a specific malicious PHP script that is responsible for transmitting the phone home report to the actual malicious server. These routines effectively conceal the identity of the perpetrators behind this attack.
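The two-stage pattern described above can be hunted for in web proxy logs. The following is an added example, not code from the original post or from Trend Micro: it flags a client that fetches a text file from an image directory on a non-standard port and then sends a request to a PHP script on a different host. The log format, the placeholder hostnames, the five-minute window and the use of POST for the report are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, client IP, method, URL (placeholder hosts).
SAMPLE_LOG = """\
2011-07-21T09:00:01 10.0.0.5 GET http://www.example.com/index.html
2011-07-21T09:00:07 10.0.0.7 GET http://compromised-a.example:81/images/cancel.txt
2011-07-21T09:00:09 10.0.0.7 POST http://compromised-b.example/gallery/report.php
2011-07-21T09:01:30 10.0.0.5 GET http://cdn.example.net/images/logo.png
2011-07-21T09:02:00 10.0.0.9 POST http://shop.example.org/checkout.php
2011-07-21T09:30:00 10.0.0.8 GET http://compromised-a.example:81/images/cancel.txt
"""

WINDOW = timedelta(minutes=5)      # assumed correlation window
STANDARD_PORTS = {None, 80, 443}   # None means no explicit port in the URL
TXT_IN_IMAGES = re.compile(r"/images/[^/]+\.txt$", re.IGNORECASE)

def parse(line):
    """Split one log line into (datetime, client, method, parsed URL)."""
    ts, client, method, url = line.split(None, 3)
    return datetime.fromisoformat(ts), client, method, urlsplit(url.strip())

def is_config_fetch(method, u):
    # Text file served from an image directory on a non-standard port,
    # the shape of the URL list location described in the article.
    return (method == "GET" and u.port not in STANDARD_PORTS
            and TXT_IN_IMAGES.search(u.path) is not None)

def is_php_report(method, u):
    # Assumption: the phone home report is sent as a POST to the PHP relay.
    return method == "POST" and u.path.lower().endswith(".php")

def find_suspects(log_text):
    """Return (client, reason, url) tuples in log order."""
    pending = {}   # client -> (time, host) of its last config fetch
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, client, method, u = parse(line)
        if is_config_fetch(method, u):
            pending[client] = (ts, u.hostname)
            alerts.append((client, "config-fetch", u.geturl()))
        elif is_php_report(method, u) and client in pending:
            t0, host0 = pending[client]
            # Only correlate a report sent soon after the fetch, to another host.
            if ts - t0 <= WINDOW and u.hostname != host0:
                alerts.append((client, "php-relay-post", u.geturl()))
    return alerts

if __name__ == "__main__":
    for alert in find_suspects(SAMPLE_LOG):
        print(*alert)
```

Because the relay hosts are legitimate sites that change whenever the text file is updated, the correlation keys on request shape and timing rather than on a fixed host list.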

As for the payload, TSPY_BANCOS.QSPN monitors the address bar of Internet Explorer and Mozilla Firefox for strings that are related to specific financial firms based in Spain:

  • Banco Popular
  • Bankinter
  • Cajasol
  • Caixa
  • Western Union

If found, TSPY_BANCOS.QSPN recreates a fake page for phishing. For example, if an infected user tries to visit any of these official sites, the malware hides the original browser and instead displays a fake page, its contents depending on which bank the found strings are related to. The following are the pages displayed if strings related to Cajasol are found:

It also attempts to get the card code/signature of the user:

Although the page may look professional, it is actually just a single image, and one cannot really click on anything aside from the log in/input section. Once a user provides all the needed information, the malware sends it to an email address hardcoded in its body, and it eventually ends up in the hands of cybercriminals.

Trend Micro already blocks the links to the related malicious URLs via the Trend Micro™ Smart Protection Network™.

While this attack may appear to be concentrated in Spain, users should be equally vigilant and familiar with such frauds. Similar attacks and other threats may already be on their way to mailboxes, web searches, or popular social networking sites. No one knows who will be the next victim. Always remember that user awareness is key and may even be better than any technical solution out there.

The National Police of Spain also posted a bulletin, warning users of this ruse.
