A new run of Spy Banker banking malware infections has been targeting Portuguese-speaking victims in Brazil.
While Spy Banker is an old threat, dating back to 2009 according to some security companies, the delivery method in this latest campaign is new.
The campaign, spotted by researchers at Zscaler, spreads primarily over social media, Facebook for the most part, and uses convincing social engineering to trick users into clicking shortened Bit.ly URLs with the promise of coupons, vouchers or premium software downloads. A number of victims were also compromised by drive-by downloads.
The shortened URLs instead point to a server hosted on Google’s cloud platform where the Spy Banker downloader is installed on the victim’s machine. The downloader then grabs the Spy Banker Trojan Telax, whose aim is to steal online banking credentials.
Kaspersky Lab security researcher Fabio Assolini said the use of social engineering and Facebook in particular is effective because it plays on the user’s trust of messages coming from the social networking platform.
“Actually Brazilian bad guys are hungry for free hosting and abuse several services to host their files there: Google Docs, Dropbox, Sugarsync and many others – but using Facebook.com was new,” Assolini said.
Zscaler’s report, published today, shares one example where the bit.ly link points to a PHP file hosted on a Google Cloud server. The PHP file then issues a 302 redirect to the first stage of the attack, the downloader executable. In this case the executable poses as Brazil’s online federal tax return service; others pose as anything from free antivirus software to Walmart or WhatsApp.
Zscaler said this particular bit.ly link had been clicked more than 103,000 times from the time it surfaced Oct. 20 through Nov. 30, and 102,000 of those clicks came from Facebook.
Zscaler also shared five domains that were linking to the Telax payload, also hosted on Google cloud servers: aquinofinal[.]com; aquiredire[.]com; brasildareceita[.]com; mundodareceita[.]com; ofertasplusdescontos[.]com. All five domains, Zscaler said, have been taken down by their registrar, GoDaddy. One other domain registered to the same person, ofertasmaxdescontos[.]com, remains active.
“It is important to note that Google has already cleaned up the cloud servers being currently redirected by these two active sites and hence the infection cycle will fail with a 404 Not Found message,” Zscaler said, adding that by far, most of the victims have been in Brazil, with a few others in the United States and Portugal.
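As an added example, not Zscaler’s code and not anything from the original report, here is a small Python hunt that replays the delivery chain described above against web-proxy logs: it refangs the listed domains, stitches each client’s requests into redirect chains, and flags a chain that starts at a URL shortener, passes through a PHP redirector and ends in an executable download. The log format, the sample log lines, the Google Cloud Storage URLs, the bucket name and the file names are all constructed for this example and are not indicators from the report.

```python
"""Hunt for the Spy Banker/Telax delivery chain in web-proxy logs.

Added example, not code from the Zscaler report or the article. The log
format (epoch, client, status, method, url, Location-or-dash, Referer-or-dash)
and every sample line below are constructed; only the defanged domains are
taken from the report.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Defanged indicators as published by Zscaler; refanged at load time.
DEFANGED_DOMAINS = [
    "aquinofinal[.]com",
    "aquiredire[.]com",
    "brasildareceita[.]com",
    "mundodareceita[.]com",
    "ofertasplusdescontos[.]com",
    "ofertasmaxdescontos[.]com",
]
SHORTENERS = {"bit.ly"}                      # assumption: only shortener named in the report
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi")  # assumption: what a "downloader" looks like on disk
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("example[.]com", "hxxp://") back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_DOMAINS)

# Constructed sample log. Client 10.0.0.5 walks the full chain
# (Facebook -> bit.ly -> PHP on cloud storage -> .exe); 10.0.0.9 touches a listed
# domain; 10.0.0.7 is benign traffic.
SAMPLE_LOG = """\
1448900001.100 10.0.0.5 302 GET http://bit.ly/xxxxxxx http://storage.googleapis.com/example-bucket/receita.php https://www.facebook.com/
1448900001.400 10.0.0.5 302 GET http://storage.googleapis.com/example-bucket/receita.php http://storage.googleapis.com/example-bucket/Receita_Federal.exe http://bit.ly/xxxxxxx
1448900001.900 10.0.0.5 200 GET http://storage.googleapis.com/example-bucket/Receita_Federal.exe - -
1448900120.000 10.0.0.9 200 GET http://mundodareceita.com/payload.bin - -
1448900200.000 10.0.0.7 200 GET https://www.google.com/ - -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<client>\S+) (?P<status>\d{3}) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<location>\S+) (?P<referer>\S+)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = float(e["ts"])
        e["status"] = int(e["status"])
        for key in ("location", "referer"):
            if e[key] == "-":
                e[key] = None
        events.append(e)
    return events


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def path_of(url: str) -> str:
    return urlparse(url).path.lower()


def build_chains(events: list[dict], window: float = 30.0) -> list[list[dict]]:
    """Group each client's requests into redirect chains: a request whose URL equals
    the previous hop's Location header (within `window` seconds) continues that chain."""
    by_client = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_client[e["client"]].append(e)
    chains = []
    for evs in by_client.values():
        open_chains: list[list[dict]] = []
        for e in evs:
            for chain in open_chains:
                last = chain[-1]
                if last["location"] == e["url"] and e["ts"] - last["ts"] <= window:
                    chain.append(e)
                    break
            else:
                open_chains.append([e])
        chains.extend(open_chains)
    return chains


def assess(chain: list[dict]) -> list[str]:
    """Return findings for one chain; an empty list means nothing suspicious."""
    findings = []
    hosts = [host_of(e["url"]) for e in chain]
    findings += [f"known Telax distribution domain: {h}" for h in hosts if h in IOC_DOMAINS]
    php_redirects_to_exe = any(
        e["status"] in REDIRECT_STATUSES
        and path_of(e["url"]).endswith(".php")
        and e["location"] is not None
        and path_of(e["location"]).endswith(EXECUTABLE_SUFFIXES)
        for e in chain
    )
    if php_redirects_to_exe and path_of(chain[-1]["url"]).endswith(EXECUTABLE_SUFFIXES):
        findings.append("PHP redirector served an executable (Spy Banker downloader pattern)")
        if hosts[0] in SHORTENERS:
            findings.append("chain began at a URL shortener")
            if "facebook.com" in host_of(chain[0]["referer"] or ""):
                findings.append("shortener link was clicked from Facebook")
    return findings


def hunt(log_text: str) -> dict[str, list[str]]:
    """Map each client IP to the findings raised by its suspicious chains."""
    hits: dict[str, list[str]] = {}
    for chain in build_chains(parse_log(log_text)):
        findings = assess(chain)
        if findings:
            hits.setdefault(chain[0]["client"], []).extend(findings)
    return hits


if __name__ == "__main__":
    for client, findings in hunt(SAMPLE_LOG).items():
        print(client, *findings, sep="\n  ")
```

The chain reconstruction only works if the proxy records the Location header of redirect responses; on a proxy that logs only the request line, the same signal can be recovered by matching each request’s Referer to the previous hop. Because the registrar has taken most of the listed domains down, the domain match is mainly useful against historical logs, while the shortener-to-PHP-to-executable pattern is the part worth keeping as an ongoing hunt.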
As for the Telax payload, Zscaler said it is a Delphi executable that steals banking credentials. It injects its malicious code into a legitimate Visual Basic Compiler process and checks for the presence of virtual machines before executing.
Zscaler uncovered a number of features native to the malware, including a VM block command, infection commands, update commands, version and port activity trackers and more.
Once it connects to its command-and-control servers, the attackers can issue commands that collect system information, push new malware, and display phony two-factor authentication panels that trick users into giving up their second-factor codes.