
    Two Brazilian government websites have been compromised and used to serve malware since April 24. We spotted a total of 11 unique malware files being distributed from these sites, with filenames that usually include “update”, “upgrade”, “Adobe”, “FlashPlayer” or combinations thereof. Besides the different filenames, these samples also connect to different domains to download other malicious files, and they use varying command-and-control (C&C) servers.

    Based on Smart Protection Network feedback, 90% of the affected customers are from Brazil. Other affected countries include the United States and Angola.


    Figure 1. Top affected countries

    Infection Chain

    The general behavior of these malicious files (detected as TROJ_BANDROP.ZIP) is similar. They drop two files in the system’s temporary folder: one executable file (detected as TSPY_BANKER.ZIP) and a supposed GIF file (detected as JAVA_BANKER.ZIP). The executable file modifies the Windows registry to lower the system’s security settings, and ultimately loads the .GIF file.

    The “GIF file” is actually a Java file, loaded using the javaw.exe executable, which is part of the Java Runtime Environment. JAVA_BANKER.ZIP contains commands that can download and execute files from several pre-configured URLs. The downloaded files are then saved as %User Profile%\update.gif (also detected as JAVA_BANKER.ZIP) and executed. These JAR files use several open source libraries such as Java Secure Channel (JSch) and Java Native Access (JNA). These libraries can be used for network operations, in particular connecting to an SSH server, port forwarding and file transfers, among others.

    The final payload of JAVA_BANKER.ZIP is a .JAR file, which elevates the affected user’s rights to administrator level. Given that the attacker has taken control of the system, modifying the victim’s admin rights enables him to modify the normal system file termsrv.dll. This .DLL is mainly used for remote desktop sessions. The malware will replace this file with %Temp%\update.gif.
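The chain above depends on files named .gif that hold Java or DLL content. The following added example (not from the original post or from Trend Micro) checks each *.gif under a directory by content instead of by name; the sample files are constructed and harmless, and treating the termsrv.dll replacement as carrying a PE header is an assumption, since the post does not state its format.

```python
import io, os, tempfile, zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")  # the only valid GIF signatures

def classify(path):
    """Label a file by its content: gif, pe, jar, zip or unknown."""
    with open(path, "rb") as fh:
        head = fh.read(6)
    if head.startswith(GIF_MAGICS):
        return "gif"
    if head.startswith(b"MZ"):  # DOS/PE header used by EXE and DLL files
        return "pe"
    if zipfile.is_zipfile(path):  # a JAR is a ZIP archive with Java entries
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
        is_jar = "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names)
        return "jar" if is_jar else "zip"
    return "unknown"

def find_fake_gifs(root):
    """Map relative path -> real type for every *.gif that is not a GIF."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".gif"):
                continue
            path = os.path.join(dirpath, name)
            try:
                kind = classify(path)
            except (OSError, zipfile.BadZipFile):
                kind = "unreadable"  # locked or corrupt: still worth a look
            if kind != "gif":
                hits[os.path.relpath(path, root)] = kind
    return hits

def demo():
    """Run the scan over constructed sample files in a scratch directory."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    samples = {
        "logo.gif": b"GIF89a" + b"\x00" * 20,  # genuine GIF signature
        "update.gif": jar.getvalue(),          # JAR content behind a .gif name
        "update2.gif": b"MZ" + b"\x00" * 62,   # PE header stub behind a .gif name
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_fake_gifs(root)
```

On a live system, `find_fake_gifs` would be pointed at the temporary and user profile folders the post names.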

    Malicious Component File Leads to Serious Security Compromise

    Based on code analysis, %Temp%\update.gif is used to enable multiple concurrent remote desktop sessions in the affected system. But what does this mean for users?

    For security reasons, remote desktop sessions are limited to just one session at a time. But %Temp%\update.gif creates its own user account (ADM123), which is set as a system administrator. Once the system has been set up for multiple sessions, it notifies its C&C server of the compromise. The remote malicious user then connects to the affected system using the ADM123 account. The remote attacker now has complete control over the system and can run more damaging commands on the infected machine. Trend Micro protects users from this threat by detecting and deleting the related malware if found in the system.

    Compromising and using government sites to deliver malware is not an unusual practice. Earlier this month, a website of the US Department of Labor was compromised to serve a zero-day Internet Explorer exploit. This tactic provides a certain social engineering leverage, as government-related sites are usually deemed safe and secure. But as this incident clearly shows, there is no sacred cow when it comes to cybercrime. Everyone is fair game.

    This is the latest in a series of rather interesting developments in the Brazilian threat landscape, which was lately troubled with a malicious “homemade” browser and other banking Trojans that give Bancos variants a run for their money.





    • Marcelo

      Please tell us the website that is compromised.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice