One of the main goals of a cybercriminal is to gain total control over a victim’s machine. This is currently done through the use of RATs (remote admin tools) and other methods. The infected computers are used by cybercriminals for all sorts of malicious activity.
It’s no different with Brazilian cybercriminals – they have the same intent, but due to their culture of immediacy their efforts are often focused on creating Trojan bankers, rather than botnets, RATs or other methods of remote control. But this behavior is slowly changing – a recent attack shows they are ready to create a network of local infected machines and take total control of it, stealing personal data and using the infected machines to send spam. They are doing all this in a very creative way: registering a remote user account called ‘Remo’ which is password-protected. Through this account the cybercriminals have total access and control over the infected machine.
The attack starts with an e-mail posing as an alleged update for Flash Player. The downloader will actually install the legitimate Flash Player, but will also download another file that appears in the image below as “ajuda.txt”:
Once downloaded, the .txt file will be renamed to .msi and the files it contains will be installed on the system. Inside the .msi file we found several files:
The first file registered in the system is Play.dll. It calls UNI.exe, a tool called Universal Termsrv.dll Patch – it cracks termsrv.dll, a legitimate DLL of Windows used in remote access. This tool will remove the “Concurrent Remote Desktop sessions limit” patching the DLL and results in the system allowing multi-user login in XP/Vista/7 at the same time. Basically, a concurrent remote desktop session allows several users to connect to a system through the remote desktop feature (MSTSC), also known as Terminal Service. If the feature isn’t activated, the malware changes the key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services and its values to remove all forms of protection.
The malware also changes some keys in Windows Registry to create the user account Remo, for example, the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Remo.
The account ‘Remo’ registered in the infected system as a remote access user
In order to give the attacker total control over the files, the malware also changes the properties of the root folder, sharing all its contents. The files that are installed are executed via network sharing (127.0.0.1\Admin$). It registers some malicious BHOs, each one for a different Brazilian bank: bcef.dll (Caixa Economica), brada.dll (Bradesco), brasil.dll (Banco do Brasil), and bjuri.dll (Bradesco Juridico). The DLLs will be responsible for stealing users’ credentials during access to Internet banking services.
To ensure the malware is active after the next reboot, it registers two job files in the Windows Task Scheduler. These files will call play.dll and update.bat which can download new files to the system.
When accessed by the black hat the infected machine will show on Task Manager the files that are executed by the user “Remo”:
Currently more than 3,300 machines in Brazil are infected and controlled using this technique. To manage the machines the bad guys maintain a page showing the MAC address, the user account, and the date when it was infected. It also shows if a security plug-in used by Brazilian banks is installed:
“_BB_” stands for Banco do Brasil, its there to identify if the infected machine has the bank’s security plug-in installed
Besides having their personal data stolen, the user’s machine will be used by cybercriminals to distribute spam, just like in a botnet. The criminals are selling access to infected machines and charging around U$ 60.00:
“When it comes to sending spam, your problems are over: unlimited Windows Remote MSTSC and SMTP for R$100.00”
If you were a victim of this attack, just go to Start > Run, type control userpasswords2 and delete the account ‘Remo’. All the files installed by this Trojan are detected, blocked and removed by all Kaspersky Lab products.
(Hat tip to Maria Cristina)
Leave a reply