South American Banks Targeted with New Stealthy Banker Trojan
According to Cisco Talos, cyber-criminals are intensively targeting banks in South America, aiming to capture account holders' credentials with stealthy code that functions as a banking Trojan. Victims' computers are infected through several different redirection techniques, and a number of anti-analysis methods are also employed. The criminals' final payload is written in the Delphi programming language. The malware, Talos says, is quite distinct from the usual banking Trojans.
The crooks run their campaign through spam emails written in Portuguese. The messages pretend to present a Boleto invoice, similar to a PayPal bill. This invoice maliciously triggers a process that eventually installs the banking Trojan, which then stays concealed using a variety of methods. This should ring alarm bells: IT decision makers need to remain watchful of the dangers posed by rapidly changing malware techniques, and make sure that employees across banking institutions follow established best practices.
The malicious invoice contains a URL that redirects end users to a goo.gl shortened URL and from there to a RAR archive containing a JAR file. Clicking the JAR file starts a Java process that runs the malicious code and installs the Trojan.
The Java process sets up the malware and connects to a remote server to download several additional files. The downloaded binaries are then renamed, and a legitimate, digitally signed binary taken from VMware is launched. That binary, named vm.png, dupes anti-malware software into unknowingly trusting the banking Trojan's subsequent actions. Securityintelligence.com reported this on October 3, 2017.
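One defensive check that follows directly from this chain is to compare a file's declared extension with its actual content: a Windows executable named vm.png, or a JAR arriving with a harmless-looking name, should never be trusted on its filename. The script below is an added example (not code from the article, from Cisco Talos or from the malware) that flags such mismatches from the leading magic bytes. The sample files it scans are constructed inline; the real content of the vm.png binary is not described on the page, and only the well-known PE, ZIP/JAR, RAR, PNG and JPEG signatures are assumed.

```python
"""Flag files whose declared extension disagrees with their magic bytes.

Added example for mail-gateway or endpoint triage: a renamed executable
(for instance a PE stored as "vm.png") or an executable archive (a JAR is
a ZIP) is reported regardless of what its filename claims.
"""
import os

# Leading bytes of common formats (well-known signatures, not page data).
MAGIC_SIGNATURES = {
    b"MZ": "pe",                      # Windows PE executable or DLL
    b"PK\x03\x04": "zip",             # ZIP container; JAR files are ZIPs
    b"Rar!\x1a\x07": "rar",           # RAR archive
    b"\x89PNG\r\n\x1a\n": "png",      # PNG image
    b"\xff\xd8\xff": "jpeg",          # JPEG image
}

# Content each extension is expected to hold.
EXPECTED_BY_EXTENSION = {
    ".png": {"png"},
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
    ".jar": {"zip"}, ".zip": {"zip"},
    ".rar": {"rar"},
    ".exe": {"pe"}, ".dll": {"pe"},
}

# Formats that can execute code or carry executables; a mismatch involving
# these is more serious than, say, a JPEG saved with a .png extension.
EXECUTABLE_FORMATS = {"pe", "zip", "rar"}


def detect_format(data: bytes) -> str:
    """Return the format name matching the leading bytes, or 'unknown'."""
    for magic, fmt in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return fmt
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Compare the extension of `filename` with what `data` actually is.

    Verdicts: 'ok', 'unknown-extension', 'mismatch' (content differs from
    the extension) or 'disguised-executable' (executable content hidden
    behind a non-executable extension, the vm.png pattern).
    """
    ext = os.path.splitext(filename)[1].lower()
    actual = detect_format(data)
    expected = EXPECTED_BY_EXTENSION.get(ext)

    if expected is None:
        verdict = "unknown-extension"
    elif actual in expected:
        verdict = "ok"
    elif actual in EXECUTABLE_FORMATS:
        verdict = "disguised-executable"
    else:
        verdict = "mismatch"

    return {"file": filename, "extension": ext, "actual": actual, "verdict": verdict}


def scan(files: dict) -> list:
    """Classify every (name -> bytes) entry and return only those to escalate."""
    results = [classify(name, data) for name, data in files.items()]
    return [r for r in results if r["verdict"] != "ok"]


# Constructed sample files (synthetic bytes, not artifacts from the campaign).
SAMPLE_FILES = {
    "vm.png": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,   # PE header bytes, image name
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,             # genuine PNG
    "boleto.jar": b"PK\x03\x04\x14\x00" + b"\x00" * 16,         # JAR honestly named
    "invoice.pdf": b"%PDF-1.4\n",                                 # extension not in the table
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(f"{finding['verdict']:22} {finding['file']} (content: {finding['actual']})")
```

In practice the check belongs at the point where a downloaded or extracted file is first written to disk; a result of `disguised-executable` is the one worth an alert, while `unknown-extension` simply means the table needs extending for that file type.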
According to further reports by the Talos group of researchers, another binary the banking malware uses is packaged with Themida, a software protection tool that hinders specialists enough to keep them from isolating the threat.
As for established best practices in light of this latest threat, employees should be careful when viewing attachments and clicking web links, avoid downloading content from unknown websites, and ensure that antivirus programs are installed.
» SPAMfighter News - 10/9/2017