We were recently notified of a banking malware being distributed in Spain. This malware, which Trend Micro detects as TROJ_BANLOD.QSPN, is reported to arrive via mass-mailed spam messages that pretend to come from the National Police of Spain. The email contains a link that leads to the download of TROJ_BANLOD.QSPN, a downloader which in turn downloads TSPY_BANCOS.QSPN.
One thing we’ve noticed in this particular attack is that it uses compromised sites for its malicious operations. The download sites and phone-home URLs are all legitimate URLs containing specific directories and content that are used for this attack. Furthermore, TSPY_BANCOS.QSPN obtains the phone-home URLs from the site http://{BLOCKED}s:81/images/cancel.txt.
This makes the phone-home URLs dynamic, since the content of this file can be updated at any time. It is also worth mentioning that the phone-home URLs to which this file points are themselves compromised sites, each hosting a specific malicious PHP script that forwards the phone-home report to the actual malicious server. These routines effectively conceal the identity of the perpetrators behind this attack.
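Because the phone-home hosts are otherwise legitimate sites that were compromised, blocking them outright would disrupt normal traffic; correlating with the fetch of the dynamic URL list is more precise. The following Python is an added example, not code from Trend Micro or from this post: it scans constructed proxy log lines for the port-81 cancel.txt fetch described above and then flags only follow-on requests from that same client to hosts listed in a constructed copy of that file. The host names, log format and file contents are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample body of the fetched text file: a list of phone-home
# URLs hosted on otherwise legitimate (compromised) sites. Hosts are placeholders.
CONFIG_BODY = """\
http://shop.example/images/rep.php
http://blog.example/wp-content/x.php
"""

# Constructed proxy log lines in an assumed "<ts> <client_ip> <method> <url>" format.
PROXY_LOG = """\
1300000000 10.0.0.5 GET http://www.example.org/index.html
1300000010 10.0.0.5 GET http://compromised.example:81/images/cancel.txt
1300000040 10.0.0.5 POST http://shop.example/images/rep.php
1300000050 10.0.0.7 GET http://shop.example/catalog.html
1300000060 10.0.0.5 GET http://blog.example/wp-content/x.php
"""

# The post gives the port and path of the phone-home list; the host is blocked there,
# so only the port/path pattern is matched.
CONFIG_FETCH = re.compile(r"^https?://[^/]+:81/images/cancel\.txt$", re.I)


def parse_phone_home_hosts(body):
    """Return the set of hosts named in the fetched phone-home list."""
    return {urlparse(u.strip()).hostname for u in body.splitlines() if u.strip()}


def find_suspicious(log, config_body):
    """Return (client_ip, url, reason) for the list fetch and, only from clients
    that fetched it, later requests to the listed hosts. Other clients visiting
    the same (legitimate) hosts are left alone to avoid false positives."""
    phone_home = parse_phone_home_hosts(config_body)
    fetched = set()  # client IPs that pulled the dynamic URL list
    hits = []
    for line in log.splitlines():
        _ts, ip, _method, url = line.split()
        host = urlparse(url).hostname or ""
        if CONFIG_FETCH.match(url):
            fetched.add(ip)
            hits.append((ip, url, "fetched dynamic phone-home URL list on port 81"))
        elif ip in fetched and host in phone_home:
            hits.append((ip, url, "request to phone-home host after list fetch"))
    return hits
```

Running `find_suspicious(PROXY_LOG, CONFIG_BODY)` on the sample returns three hits, all for 10.0.0.5; the unrelated visit by 10.0.0.7 to the compromised shop is not flagged.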
As for the payload, TSPY_BANCOS.QSPN monitors the address bar of Internet Explorer and Mozilla Firefox for strings that are related to specific financial firms based in Spain:
- Banco Popular
- Bankinter
- Cajasol
- Caixa
- Western Union
If a match is found, TSPY_BANCOS.QSPN displays a fake phishing page. For example, if an infected user tries to visit any of these official sites, the malware hides the original browser window and instead displays a fake page whose contents depend on which bank the matched strings are related to. The following is the page displayed if strings related to Cajasol are found:
[image: fake Cajasol login page]
It also attempts to get the card code/signature of the user:
[image: fake page requesting the user's card code/signature]
Although the page may look professional, it is actually a single image; nothing on it can be clicked apart from the login/input fields. Once a user provides all the requested information, the malware sends it to an email address hardcoded in its body, from where it ends up in the hands of cybercriminals.
Trend Micro already blocks the links to the related malicious URLs via the Trend Micro™ Smart Protection Network™.
While this attack may appear to be concentrated in Spain, users everywhere should be equally vigilant and familiar with such frauds. Similar attacks and other threats may already be on their way to your mailbox, your web searches, or popular social networking sites. No one knows who the next victim will be. Always remember that user awareness is key and may be more effective than any technical solution out there.
The National Police of Spain also posted a bulletin, warning users of this ruse.