BANKER Trojan Sports New Technique to Take Advantage of 2016 Olympics

Despite the 2016 Olympics coming to a close, cybercriminals remain relentless in using the sporting event as a social engineering hook to distribute a banking Trojan. Earlier this month, we spotted a phishing campaign that led victims to unknowingly download the Banker malware. Although Banker has been in the wild for years, this time we see it using a Dynamic Loading Library (DLL) with malicious exported functions. One of the export calls used is to check if the victimized system is located in Brazil.  If the geolocation points to Brazil, then another malicious file is downloaded.  This particular new routine points to the possibility of the cybercriminals’ intention of riding on the popularity of the Olympics to lure users. Apart from Banker, there are reports indicating that other banking Trojans, are doing the same thing. For instance, Sphinx ZeuS has enhanced its capabilities because of the Olympics.

Attacks banking on the popularity of sporting events are common. Before, the 2014 World Cup and the 2012 Olympics were used as baits to deliver a plethora of security threats such as fake apps, phishing sites, online scams, and banking malware among others.

Riding the Olympics bandwagon

Banker, one of the notorious banking Trojans, has been spotted targeting users who want to watch the 2016 Olympics live. Users or employees are made to believe that there are free tickets waiting for them if they click the link in the spam email with subject, Parabens Voce Acabou De Ganhar 1 Par De Ingressos Para Olimpiadas 2016 (translation: Congratulations You Just Won 2 tickets for the 2016 Olympics). But instead of free tickets, the victims are redirected to hxxp://50[.]116[.]86[.]50/~megad351/clientes/gremiacao/ and hxxp://www.truongtinphat.com/cn/plugins/content/Imprimir_Ingresso_00000736=
63534366355ASDR2016BR.rar respectively. That particular  site leads to the downloader, Banload (detected by Trend Micro as JS_BANLOAD.YJF), which in turn retrieves a variant of the Banker Trojan (detected as TSPY_BANKER.YWNPR).

Our analysis revealed that the configuration file of the malware monitors 4 major and 13 local banks in Brazil, as well as 3 international banks.

Underground market findings

In a country like Brazil where cybercrime training services are offered publicly via the Surface Web, aspiring cybercriminals can easily get tools like banking Trojans and use such tools to leverage the popularity of the Olympics. While banking Trojans have always been a staple product in the Brazilian underground market, it was only in June that we spotted someone peddling banking Trojans as a service.  A cybercriminal dubbed as ‘Ric’ advertised a banking Trojan, and its infrastructure, to aspiring cybercriminals who want to make a name for themselves. Just as some  Brazilian cybercriminals remain unfazed by law enforcement, ‘Ric’ also posted his ads via YouTube.

Other standard products in the Brazilian cybercriminal underground are banking and carding training services, priced at R$1.499,00 (US$470.16, as of Aug. 16, 2016). Advertisements offering such services typically emerge immediately after being taken down by the Computer Security Incident Response Team (CSIRT). We also noticed that the price of the training on carding  had increased, possibly because many bad guys have become interested and so a higher demand for it was created.

fig2_bankingad_brUG

Figure 1. Banker training ad

fig3_bankingtraining_BR_UG

Figure 2. Topics cover under the banker training

The ad above offers training to cybercriminal wannabes who want to perform banking Trojan-related attacks. The same ad offers a wide array of tutorials that will equip any aspiring cybercriminal with the knowledge on banking Trojan development as well as tips on general carding and banking operations.

Some of the topics included in the training will provide information on how to set up a C&C server, configure malware kits, and develop keylogger and phishing pages.

fig4_cardingad_BR_UG

Figure 3. Carding training ad

A typical carding training covers topics on how to clone credit cards, how to gather affected users’ banking credentials, and how to use malware and botnet among others.

Best practices and recommendations

Sports enthusiasts and fans who wish to watch and enjoy similar events, like the Olympic Games, must exercise caution when faced with deals that are too good to be true. Being cautious of such social engineering lures can help lower the risk of falling into a trap that will either take their credentials and personal information or infect their systems and devices with malware.

For employees of small businesses and enterprises, Olympics-related threats like Banker could mean introducing risks to the company network. Although employees are often considered the “weakest link in security,” educating employees through a security awareness program that will describe how threats take advantage of sporting events can be effective in keeping a company network safe from such attacks.

Since bogus apps and phishing pages capitalizing on the Olympics are rampant these days, it is best to only visit trusted sites for tickets and live streaming videos. Users are also recommended to keep systems and devices updated with the latest software, and to watch out for spam emails promising giveaways and prizes as these often lead to phishing pages.

Trend Micro protects users and organizations from various threats leveraging the Olympics via its Trend Micro™ Smart Protection™ Suites and Trend Micro™ Security that can detect Banker and Banload, another banking Trojan, as well as the related spam emails. These solutions can also block related malicious URLs. For small businesses, they can use Trend Micro Worry-Free™ Business Security to secure their systems against Banker and its related spam and URL components.

Indicators of compromise

These are the related SHA1 hashes:

  • fdcdf4d29be548504f4905901a1a662f96808637
  • ad3d6b1d1d7ba9626c141b54478eddaf5391c982

TSPY_BANKER.YWNPR is related to the following malicious URLs:

  • hxxp://200[.]98[.]142[.]12/system/MA-1.0.0.0/Ubuntu10.dll
  • hxxp://200[.]98[.]142[.]12/system/MA-1.0.0.0/IUpdate.dll
  • hxxp://200[.]98[.]142[.]12/system/MA-1.0.0.0/fbclient.dll

 

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

BANKER Trojan Sports New Technique to Take Advantage of 2016 Olympics

Read more: BANKER Trojan Sports New Technique to Take Advantage of 2016 Olympics

Incoming search terms

Story added 19. August 2016, content source with full text you can find at link above.