Banking Trojans as a Service—Theft Made Easy in Brazil

As a known banking Trojan center, it’s not surprising when Brazil’s cybercriminals launch what could be considered “banking Trojans as a service.” In this particular case, a skilled cybercriminal started offering a fully functional banking Trojan and its associated infrastructure for rent, to be used by less-skilled crooks.

This particular threat caught our eye because of its ad, which included demonstration videos on YouTube. Its creator, “Ric”, offers the services of this particular banking Trojan for rent, which costs approximately US$600 for a 10-day period. The service includes a comprehensive, highly capable, and well-designed console, as well as the capability to bypass additional authentication steps used by banks in Brazil.

Advertising

Brazilian cybercriminals are known for advertising services online, and Ric is no different. He uses a YouTube account to show off his products, as seen below.

Figure 1. Youtube profile (Click to enlarge)

The channel description translates to “banking Trojan for rental or source code sale, more than 9 banks supported, version 2016.”

The three uploaded videos show different aspects of the banking Trojan; together, these have almost 1,000 views. Each video description contains a link to a page with payment methods. Ric also published his Skype username so that interested customers could negotiate with him. We believe Ric works by himself and is not part of a larger syndicate.

Ric also provides an informative changelog of the Trojan so that customers know about any changes/improvements on the malware. (We detect this particular Trojan as BKDR_MANGIT.SM.)

Figure 2. Changelog of malware

A table with all of the “supported” banks is also provided:

Figure 3. List of target banks and other websites

The largest banks in Brazil are included in the list, as well as online payment sites like PayPal and Mercado Livre, a local auctions site. Other sites such as those of ISPs and webmail providers are also in the list.

The entire package is sold for 2,000 Brazilian reals (just under US$600), valid for a 10-day period. This is relatively expensive for the Brazilian underground. The package includes the following:

A control panel to manage/operate affected machines
The actual banking Trojan
A loader/dropper/infector
An auto-update program for affected machines
All the infrastructure required to successfully carry out attacks

For users who want full control over their attacks and can provide their own infrastructure, the source code is available for 30,000 reals, approximately US$8,800.

How the attack works

If a would-be cybercriminal does purchase this “service,” he receives a link to the management portal, with credentials valid during the purchased rental period. He needs to set a dynamic DNS service to point his victims to the provided infrastructure. He is also responsible for getting users to visit this malicious URL. Phishing is still the preferred method.

Brazilian banks today protect many accounts with some form of two-factor authentication. A code obtained via either SMS messages or an authenticator app are the most popular ways of implementing two-factor authentication. To get around this protection, Ric doesn’t attack the authentication protocol itself; but instead bypasses it using remote access as follows:

Once the Trojan is installed on the victim’s machine, the attacker has full control over it.
When the victim accesses the bank’s website, the attacker receives an alert (this alert can even be sent via SMS).
The attacker then starts to watch the victim’s screen and waits for him to log in to his bank account.
After that, he locks the victim’s screen. The message shown is designed to make him think the bank website is asking him to wait.
The attacker takes control of the victim’s machine and starts a money transfer or bill payment.
When the bank website asks the operator for the token, the operator unlocks the victim’s screen and makes a fake token request window appear, making him think he needs to enter the token to continue.
With possession of the token, the attacker can then complete the malicious transaction.

There may be some differences to account for different banks, but the gist of the attack doesn’t change. Current Brazilian banking Trojans have become less of data stealers and more of remote management tools that are intended for malicious use.

The following is a screenshot of the control panel:

Figure 4. Control panel for malware

In the screenshot, Ric is controlling a victim’s machine and can ask the victim to enter information like their security code, token, birthday, mobile phone number, all using fake bank pop-ups. The application is full-featured and behaves much like a professionally-created “tool” would.

This ability to carry out transactions from the victim’s machine remotely makes detecting fraud more difficult. Without an in-depth examination of the user’s system, it will appear that any transactions were carried out from the user’s PC (and therefore, by the actual client). Fraud detection methods will have to rely on other techniques.

Who is Ric?

We don’t actually know a lot about Ric, the person who created this threat. What we do know is that his “work” is of remarkably high quality. Everything is coded from scratch and sometimes packers are used to protect his files. Some samples have also been signed with self-assigned certificates to try to bypass security software.

Ric has at least other three nicknames and is probably located in the northern region of Brazil. This part of the country is a known hotbed for cybercriminal activity. Last year, we talked about another young cybercriminal based in northern Brazil who went by the handle “Lordfenix.”

Members of cybercrime gangs have been arrested in the region in the past as well.

Indicators of compromise

The following file hashes are related to this attack: