Phishing-Malware Bait: Brazilian Income Tax Return

March 26th, 2008 by Aivee Cortez (Anti-spam Engineer)

The Web site of the Ministry of Finance in Brazil, Ministerio da Fazenda, has become the new target of the bad guys. The Trend Micro Content Security Team found a phishing email that purports to be a legitimate email coming from the said financial institution.

It asks recipients to confirm their income tax return, which supposedly has not been delivered. The confirmation method is clicking the hyperlinked message, which leads to the URL hxxp://www.c3.hu/~vadkert//tagok/formulario.php. However, instead of displaying an ordinary phishing Web site, it downloads a malicious executable file.

The said file is already detected by Trend Micro as POSSIBLE_BANLD-1, while the malicious URL has already been added to the database and will be blocked by WCS.

- Update: March 27, 2008 -

TrendLabs engineers further analyzed the malicious site and found various malware hosted on it, such as the following:

  • w.exe - detected as TSPY_AGENT.ALKZ
    (Note: The original file downloaded from the link is already detected as PE_PARITE.A)
  • formulario.exe - detected as TROJ_BANLOAD.CRZ
  • onnas.exe - detected as TSPY_BANCOS.AUE

The file usersonline.txt, on the other hand, is a non-malicious file that contains IP addresses and ports which, based on analysis, are currently not available. Jose Lopez Tello, Trend Micro Virus Coordinator in Latin America, notes that it is not certain whether the IP addresses contained in the text file are from online users or just a fake list, but what is interesting is that all of the IPs are located in Brazil.
