
We recently received reports of a BANKER malware that is being distributed in Spain. This malware, detected by Trend Micro as TROJ_BANLOD.QSPN, reportedly arrives via mass-mailed spam messages that supposedly come from the National Police of Spain. The email message contains a link that leads to the download of TROJ_BANLOD.QSPN—a downloader that in turn downloads TSPY_BANCOS.QSPN.

One thing we noticed about this particular attack is that it uses compromised sites for its malicious operations. The download sites and phone-home URLs all belong to legitimate sites that have been compromised and now host specific directories and content used for the attack. TSPY_BANCOS.QSPN furthermore obtains its phone-home URLs from the site http://{BLOCKED}s:81/images/cancel.txt.

This makes the phone-home URLs dynamic, as the content of this file can be updated at any time. It is also worth mentioning that the phone-home URLs to which the file points have also been compromised: each hosts a specific malicious PHP script that is responsible for relaying the phone-home report to the actual malicious server. These routines effectively conceal the identity of the perpetrators behind the attack.
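The two-stage phone-home described above leaves a recognizable footprint in web proxy logs: a small text file fetched from a non-standard port, followed by POSTs from the same client to the hosts named in that file. The following is an added detection example written for this post; it is not Trend Micro code and not part of the original article. The log format, the client addresses, the `example.*` hostnames and the contents of the dead-drop file are all constructed for illustration; in practice the file body would come from a proxy cache or packet capture.

```python
"""Correlate a dead-drop fetch with follow-on phone-home traffic in proxy logs.

Added example (not from the original post). The log format is hypothetical:
  <timestamp> <client_ip> <method> <url> <status> <response_bytes>
"""
import re
from urllib.parse import urlsplit

# Constructed proxy log. Hostnames and addresses are placeholders.
SAMPLE_LOG = """\
2015-09-01T10:00:01 10.0.0.5 GET http://downloads.example.net/files/doc.exe 200 245760
2015-09-01T10:00:09 10.0.0.5 GET http://dropsite.example.com:81/images/cancel.txt 200 82
2015-09-01T10:00:15 10.0.0.5 POST http://relay1.example.org/img/report.php 200 312
2015-09-01T10:00:16 10.0.0.5 POST http://relay2.example.org/img/report.php 200 298
2015-09-01T10:05:00 10.0.0.7 GET http://www.bankinter.com/ 200 10240
2015-09-01T10:06:00 10.0.0.7 GET http://cdn.example.com/images/logo.txt 200 1100
"""

# Constructed body of the dead-drop file (what the proxy cache would hold).
SAMPLE_DROP_BODY = (
    "http://relay1.example.org/img/report.php\n"
    "http://relay2.example.org/img/report.php\n"
)

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\d+)$")
STANDARD_PORTS = {80, 443}
MAX_DROP_BYTES = 1024  # a list of a few URLs is tiny


def parse_log(text):
    """Parse the constructed proxy format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, method, url, status, size = m.groups()
        events.append({"ts": ts, "client": client, "method": method,
                       "url": url, "status": int(status), "size": int(size)})
    return events


def is_dead_drop_candidate(ev):
    """Small .txt resource fetched over HTTP from a non-standard port."""
    u = urlsplit(ev["url"])
    port = u.port or (443 if u.scheme == "https" else 80)
    return (ev["method"] == "GET"
            and u.path.lower().endswith(".txt")
            and port not in STANDARD_PORTS
            and ev["status"] == 200
            and ev["size"] < MAX_DROP_BYTES)


def hosts_from_drop(body):
    """Extract the set of hostnames listed in the dead-drop file."""
    hosts = set()
    for line in body.splitlines():
        host = urlsplit(line.strip()).hostname
        if host:
            hosts.add(host)
    return hosts


def correlate(events, drop_body):
    """For each dead-drop candidate, list later requests by the same client
    to hosts named in the dead-drop file. Returns a list of findings."""
    findings = []
    relay_hosts = hosts_from_drop(drop_body)
    for i, ev in enumerate(events):
        if not is_dead_drop_candidate(ev):
            continue
        followups = [e["url"] for e in events[i + 1:]
                     if e["client"] == ev["client"]
                     and urlsplit(e["url"]).hostname in relay_hosts]
        findings.append({"client": ev["client"], "drop_url": ev["url"],
                         "phone_home": followups})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_log(SAMPLE_LOG), SAMPLE_DROP_BODY):
        print(f"{f['client']} fetched {f['drop_url']} then contacted "
              f"{len(f['phone_home'])} listed relay(s): {f['phone_home']}")
```

The port filter is what keeps the benign `logo.txt` fetch by 10.0.0.7 out of the findings; the correlation step then separates a curious download of a text file from the actual phone-home pattern, because only the infected client goes on to POST to the hosts the file lists. Blocking the listed relay hosts alone is not enough, since the attacker can rewrite the file at any time, so the dead-drop URL itself is the more durable indicator.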

As for the payload, TSPY_BANCOS.QSPN monitors the Internet Explorer and Mozilla Firefox address bars for strings related to the following financial firms based in Spain:

• Banco Popular
• Bankinter
• Cajasol
• Caixa
• Western Union

If such a string is found, TSPY_BANCOS.QSPN recreates a phishing page. If an affected user, for instance, tries to visit any of the official sites of the above-mentioned institutions, the malware hides the original browser window and instead displays a fake page whose content depends on which organization the matched string is related to. For example, it displays the following page if strings related to Cajasol are found:

[Figure: fake Cajasol page displayed by TSPY_BANCOS.QSPN]

It also attempts to obtain the user’s card code or signature, as shown in the following:

[Figure: fake page requesting the user’s card code or signature]

Even though the page looks professional, it is actually a single image: nothing on it can be clicked aside from the login or input section. Once a user provides all the requested information, the malware sends it to an email address hardcoded in its body, and from there it eventually ends up in cybercriminals’ hands.

Trend Micro already blocks access to the related malicious URLs via the Trend Micro™ Smart Protection Network™.

While this attack may appear to be concentrated in Spain, users elsewhere should be equally vigilant and familiar with this kind of fraud. Similar attacks and other threats may already be on their way to users’ mailboxes, Web searches, and popular social networking sites. No one knows who the next victim will be. Always remember that user awareness is key and may even be more effective than any technical solution available.

The National Police of Spain also posted a bulletin warning users of this ruse.



© Copyright 2013 Trend Micro Inc. All rights reserved.