BANLOAD Limits Targets via Security Plugin
The presence of a security product is normally seen as a deterrent or challenge for cybercriminals. However, that is not the case with this banking Trojan, specifically, a BANLOAD (also known as BANKER or BANBRA) variant. This malware actually limits its range of victims to online banking clients of Banco do Brasil. It does so by checking for the presence of a specific security product before it executes its malicious routines.
Infection Through Security
BANLOAD malware often uses several techniques that allow it to avoid detection and spread within Latin America, specifically Brazil:
- Deletion of anti-fraud software like the G-buster Plugin (GbPlugin) and anti-virus products
- Limiting targets to systems with Portuguese (the official language of Brazil) as the default system language
- Disguising itself as anti-fraud software, specifically GbPlugin
Most Brazilian banks encourage their online banking customers to install the G-buster Plugin onto their computers. G-buster Plugin prevents malicious code from running during a banking session.
Typically, banking malware will attempt to disable or delete this plugin. However, this new BANLOAD malware, detected as TROJ_BANLOAD.GB, actually checks for this plugin before performing any routines. It goes so far as to check that the installed version of GbPlugin is meant to protect Banco do Brasil customers.
This variant uses the plugin as an indicator that the targeted system is being used for online banking. If a system does not have the plugin installed, it will simply delete itself, leaving no trace of infection. In this particular case, GbPlugin does not stop the malware from downloading and executing malicious files; the downloaded malware, detected as TSPY_BANKER.GB, attempts to obtain information related to certain banks and financial institutions.
The Brazilian and Latin American Connection
Online banking Trojans like BANLOAD and BANCOS have been hitting Latin American users for more than a decade. One major reason behind the presence of banking Trojans in the region is that online banking is quite popular in the region. Physical constraints—like a shortage of brick-and-mortar branches—have contributed to the adoption of online banking.
Brazil has been at the forefront of online banking in the region. While the country may enjoy advanced online banking systems, that doesn’t necessarily mean it is technologically prepared for them. A recent report shows that the country suffers heavily from DOWNAD, a malware associated with unpatched systems and pirated software. This points to users who may not be as vigilant about their computers’ security as they should be—perfect victims for cybercriminals.
We’ve noticed several improvements in banking Trojans, such as testing for the PC’s system language, and phishing sites using IP address and browser user-agent tests. These are used to check if the affected computer is in Brazil.
If these tests determine that the user may not be from Brazil, the phishing site may instead redirect the user to a legitimate banking site. Banking Trojans also use proxy auto-config (PAC) proxy scripts and phishing pages to filter out their intended victims.
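The PAC-based victim filtering mentioned above can be spotted on the defender's side by inspecting which hostnames a PAC script routes through a proxy instead of DIRECT. The following is an added example, not code from the original post or from Trend Micro: a small order-based PAC inspector run over a constructed sample script (the hostnames and the 192.0.2.10 proxy address are placeholders, not indicators from the post).

```python
import re

# Constructed sample PAC script (not from the original post). A PAC used
# for victim filtering sends only selected banking hostnames through an
# attacker-controlled proxy and returns DIRECT for everything else.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.bancoexample.com.br") ||
        dnsDomainIs(host, "banking.example.com.br")) {
        return "PROXY 192.0.2.10:8080";
    }
    return "DIRECT";
}
"""

# One token per host test or return statement, in source order. This is a
# heuristic scan of the PAC text, not a JavaScript interpreter.
TOKEN = re.compile(
    r'(?:shExpMatch|dnsDomainIs|localHostOrDomainIs)\s*\(\s*host\s*,\s*"(?P<host>[^"]+)"'
    r'|host\s*==\s*"(?P<eq>[^"]+)"'
    r'|return\s+"(?P<ret>[^"]+)"'
)


def proxied_hosts(pac_text):
    """Map each host pattern to the proxy string of the first non-DIRECT
    return that follows it; a proxy return with no preceding host test is
    recorded under "*" (a blanket proxy)."""
    result, pending = {}, []
    for m in TOKEN.finditer(pac_text):
        if m.group("ret") is None:
            pending.append(m.group("host") or m.group("eq"))
            continue
        proxy = m.group("ret").strip()
        if not proxy.upper().startswith("DIRECT"):
            for h in pending or ["*"]:
                result[h] = proxy
        pending = []
    return result


def suspicious_routes(pac_text, watch_suffixes=(".com.br",)):
    """Return only the proxied hosts that fall under watched domains,
    e.g. Brazilian banking domains routed through a third-party proxy."""
    return {h: p for h, p in proxied_hosts(pac_text).items()
            if h == "*" or h.lower().endswith(watch_suffixes)}
```

Feeding a PAC file pulled from a user's browser or system proxy settings into `suspicious_routes` gives a quick triage list of which banking hosts would be silently redirected.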
Trend Micro protects users by detecting all threats related to this attack.
With additional insights from Fernando Merces