We recently discovered a file sitting on Dropbox which turned out to be a very good way to give your PC a very bad hair day. The file is now inaccessible – the page gives the following message:
Restricted Content
This file is no longer available. For additional information contact Dropbox Support.
However, we thought it’d be interesting to take a look at the rather unfortunate situation facing an end-user running the malicious file.
The file in question is called “Fotos.com”, which is – as you’ve likely guessed – a .com file, favoured by scammers as a way of confusing end-users into running malicious payloads.
Quite often, a file called “fotos” that harbours bad intentions tends to fall under the Banking Trojan umbrella, usually aimed at Brazilian banks. Here, we see a familiar pattern:
The .com file is UPX packed which helps the Malware writer to hide away some of the finer details, so unpacking it and taking a peek under the bonnet is rather productive.
Quicker than Mills can ask “What’s in the box”, we have this appear on the test machine:
The real ctfmon – not pictured – activates alternative user input and the Microsoft Office language bar. That thing above? It’s a Lovecraftian bag of horror and tentacles, waiting to disable your firewall and antivirus notifications, hook your keyboard, set up a proxy and drop a couple of files in your Temp folder. After the file executes, it deletes itself and the end-user will see IE open up on their desktop, with 94(dot)23(dot)245(dot)228 in the URL bar followed by their Username and Computer Name:
Click to Enlarge
Elsewhere in the Temp folder, a couple of files lurk – one is a .txt file bearing the Username, the other a file called Thunb.db which has an appropriately dreadful file size:
Click to Enlarge
Yes, that does say 666 bytes. The .txt file contains a list of notable quotable keywords, along with some obfuscated Javascript which is used as a Proxy Auto-config to listen out for those words then redirect traffic through the attacker’s proxy server. This has been a favoured technique of Banking Trojans for some time, and can also be used for Phishing.
Click to Enlarge
Alongside banks, you’ll also see services such as Gmail, Hotmail and Paypal mentioned. The full list reads as follows:
. itau.com.br
. itaupersonnalite.com.br
. bradesco.com
. bradesco.com.br
. bradesco.com.br
. bradescoprime.com.br
. bb.com
. bb.com.br
. bancodobrasil.com.br
. santander.com.br
. santanderbanespa.com.br
. sicredi.com.br
. credicard.com.br
. cetelem.com.br
. serasa.com.br
. serasaexperian.com.br
. citibank.com.br
. hsbc.com.br
. gmail.com
. gmail.com.br
. hotmail.com
. hotmail.com.br
. tam.com.br
. real.com.br
. bancoreal.com.br
. real.com.br
. tam.com.br
. paypal.com.br
. paypal.com
. santanderempresarial.com.br
. americanexpress.com.br
. americanexpress.com
. hsbc.com.br
. hsbc.com
. itauuniclass.com.br
. itauuniclass.com
. www.itauprivatebank.com.br
. itauprivatebank.com.br
When any of the above catch the attention of the Malware, it gives the following command:
PROXY dnsResolve(‘[Proxy Server]‘):80
Clearly, this is the “everything including the kitchen sink” approach and I’m sure you’ll agree its a rather nasty file to have on your PC by any stretch of the imagination. The VirusTotal score for Fotos.com is 24/42, and we detect it as Trojan.Win32.Generic!BT.
Christopher Boyd (Thanks to Jovi, James, Berman, Reginald and Francesco for additional information).
Leave a reply
