New 64-Bit Rootkit Being Used to Steal Banking Credentials

Security researchers have come across a new rootkit that is designed specifically to infect 64-bit Windows systems and steal users’ online banking credentials. It’s believed to be the first piece of malware of its kind that is capable of compromising x64 systems.

The new rootkit is being used by attackers in Brazil as part of drive-by download attacks and is then used to steal banking credentials after the infection. The malware has the ability to change some of the boot configurations of infected machines and then aims to redirect users to phishing sites. The new rootkit can infect machines running either 32-bit or 64-bit versions of Windows.

The drive-by download is accomplished by using a malicious Java applet that is targeted at older versions of the Java Runtime Environment. The applet includes a number of files that each have different jobs to do once they’re on an infected PC, including one that disables the Windows User Account Control mechanism.

“The entire malicious scheme is simple yet interesting. The file add.reg will disable the UAC (User Account Control) and modify the Windows Registry by adding fake CAs (Certification Authorities) in the infected machine,” Kaspersky Lab malware researcher Fabio Assolini said in his analysis of the new rootkit.

“The file cert_override.txt is a fake digital certificate signed by the fake CA registered in the system. The main purpose of this attack is to redirect the user to a phishing domain. The fake website will then show an icon of an https connection, simulated to be the real page of the bank. This scheme to register a malicious CA in an infected system has been used by Brazilian bad guys since last year.”

The rootkit also has a file that uses a legitimate Windows component called bcdedit.exe to modify the boot process and add two new drivers to a folder of registered drivers that are allowed to load at boot time. The new drivers, plusdriver.sys and plusdriver64.sys, will then load the next time the infected PC boots and change the hosts file to redirect the user to a bank phishing domain, Assolini said.
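A defender-side audit for the hosts-file tampering described above, added here as an example and not taken from the article or from Kaspersky's analysis. The sample hosts content and the bank.example domain are constructed; the function flags any entry that overrides DNS for a watch-listed bank name, or that points a name at a non-local address.

```python
import ipaddress

# Constructed sample of a Windows hosts file; the 192.0.2.45 entry mimics
# the kind of override a redirect to a phishing host would add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.45      www.bank.example bank.example   # injected override
10.0.0.7        intranet.corp.local
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, skip it
        for name in parts[1:]:
            yield ip, name.lower()


def find_hosts_overrides(text, watchlist=()):
    """Return (name, ip, reason) for entries worth a closer look.

    A hosts entry wins over DNS, so a bank's domain mapped to any address
    here is suspicious regardless of what that address is. Any other name
    mapped to a non-local address is reported as a plain override."""
    flagged = []
    for ip, name in parse_hosts(text):
        watched = any(name == d or name.endswith("." + d) for d in watchlist)
        local = ip.is_loopback or ip.is_unspecified or ip.is_link_local
        if watched:
            flagged.append((name, str(ip), "watchlisted name"))
        elif not local:
            flagged.append((name, str(ip), "non-local mapping"))
    return flagged


def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts", watchlist=()):
    """Read the live hosts file and return the flagged entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hosts_overrides(fh.read(), watchlist)
```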

The rootkit mainly is being seen in Brazil right now, a country where the penetration of online banking is extremely high.
