Government Websites of Brazil Compromised for Delivery of Malware; Trend Micro
Trend Micro reports that, starting 24th April 2013, attackers compromised two websites of the Brazilian government and used them to serve malware.
The company detected a total of eleven distinct malicious programs being distributed from these websites, with file names such as "upgrade," "update," "FlashPlayer," and "Adobe," or combinations of these. Beyond the file names, each program also had its own domain from which it downloaded further malware, and each connected to different C&C (command-and-control) servers.
Trend Micro identified the malicious programs as TROJ_BANDROP.ZIP, and all of them behaved alike. Each one drops two files into the infected PC's temporary folder: an .exe file detected as TSPY_BANKER.ZIP and a supposed image file (.gif) detected as JAVA_BANKER.ZIP. The malicious .exe modifies the Windows registry to weaken the installed security software and then runs the .gif file.
In fact, the .gif file is a Java file, executed with javaw.exe, which is part of the Java Runtime Environment. JAVA_BANKER.ZIP then receives commands to download and run program files from a number of preset URLs.
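The dropper chain described above leaves two host-side signs a defender can check for: a file carrying a .gif extension whose leading bytes are those of a ZIP/JAR container rather than a GIF image, and a javaw.exe launch whose -jar argument does not name a .jar file. The Python below is an added example, not code from Trend Micro, Softpedia or SPAMfighter; the temp-folder layout, the process-event format and all file and path names in it are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Leading bytes that identify the real content type, whatever the extension says.
GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_MAGIC = b"PK\x03\x04"          # a JAR is a ZIP container
# Lure names reported for the dropped executables (regex constructed for the example).
LURE_NAME_RE = re.compile(r"upgrade|update|flashplayer|adobe", re.IGNORECASE)
# Constructed process-event format: image="..." cmdline="..."
PROC_RE = re.compile(r'image="(?P<image>[^"]+)"\s+cmdline="(?P<cmd>[^"]+)"')


def classify_content(head: bytes) -> str:
    """Classify a file by its first bytes: 'gif', 'zip' or 'unknown'."""
    if head.startswith(GIF_MAGICS):
        return "gif"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def check_file(path: Path) -> List[str]:
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    with path.open("rb") as fh:
        head = fh.read(8)
    kind = classify_content(head)
    ext = path.suffix.lower()
    if ext == ".gif" and kind == "zip":
        findings.append(f"{path.name}: .gif extension but ZIP/JAR content")
    if ext == ".exe" and LURE_NAME_RE.search(path.stem):
        findings.append(f"{path.name}: executable named like a software update")
    return findings


def scan_directory(directory: Path) -> List[str]:
    """Apply check_file to every regular file in a directory (e.g. the user's temp folder)."""
    findings = []
    for p in sorted(directory.iterdir()):
        if p.is_file():
            findings.extend(check_file(p))
    return findings


def check_process_line(line: str) -> Optional[str]:
    """Flag a javaw.exe launch whose -jar argument does not end in .jar."""
    m = PROC_RE.search(line)
    if not m or not m.group("image").lower().endswith("javaw.exe"):
        return None
    tokens = m.group("cmd").split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "-jar" and not tokens[i + 1].lower().endswith(".jar"):
            return f"javaw.exe given a non-.jar archive: {tokens[i + 1]}"
    return None


def build_sample_dir() -> Path:
    """Write a constructed set of files mimicking a dropper's temp folder."""
    d = Path(tempfile.mkdtemp(prefix="drop_demo_"))
    (d / "image.gif").write_bytes(ZIP_MAGIC + b"\x14\x00" + b"\0" * 20)  # JAR disguised as GIF
    (d / "photo.gif").write_bytes(b"GIF89a" + b"\0" * 20)                # genuine GIF header
    (d / "FlashPlayer_update.exe").write_bytes(b"MZ" + b"\0" * 20)        # lure-named executable
    (d / "notes.txt").write_bytes(b"benign text")
    return d


# Constructed process events; only the second one should be flagged.
SAMPLE_PROCESS_LINES = [
    'image="C:\\Program Files\\Java\\jre7\\bin\\javaw.exe" cmdline="javaw.exe -jar C:\\Apps\\tool.jar"',
    'image="C:\\Program Files\\Java\\jre7\\bin\\javaw.exe" cmdline="javaw.exe -jar C:\\Users\\u\\AppData\\Local\\Temp\\image.gif"',
    'image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe C:\\notes.txt"',
]


def run_demo() -> List[str]:
    """Scan the constructed folder and process events; return all findings."""
    findings = scan_directory(build_sample_dir())
    for line in SAMPLE_PROCESS_LINES:
        hit = check_process_line(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print("ALERT:", f)
```

The content check is deliberately based on magic bytes rather than the extension, because the dropper relies on the extension alone to make the Java archive look like an image; the process check catches the execution step even if the file has already been deleted from the temp folder.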
The researchers have not named the hijacked government websites; the operation may be a 'watering hole' attack designed to take control of government employees' PCs, or it may simply be an information-stealing campaign hitting end users indiscriminately.
The attack chiefly affects web users in Brazil, but some in the USA, Romania, Spain, Angola and elsewhere also downloaded the malware, which stole sensitive banking data from them.
According to Roddell Santos, Threat Analyst at Trend Micro, compromising government websites to serve malware is nothing new. The trick lends itself to an especially effective social-engineering technique, since people regard government websites as safe. However, the current incident shows quite clearly that nothing is sacred when it comes to cyber-crime, Santos concludes. Softpedia.com published this on May 28, 2013.
SPAMfighter News - 01-06-2013