Two new spam campaigns spreading variants of the BANKER family of identity-stealing Trojans have recently emerged. The first campaign features spammed messages containing malicious links to supposed pictures. Once clicked, however, the links leave users with TSPY_BANKER.OCN infections. This campaign made use of standalone files (see Figure 1).
The second campaign was more elaborate, as the involved malware (detected as TSPY_BANKER.MTX) had two components: one steals banking-related information while the other steals email account information (see Figure 2).
Both campaigns may, however, be related, as the information they steal from users ends up in drop zones that are hosted on the same Web server:
Looking for more details on webcomunicaobr.com revealed the following details:
IP: 18.104.22.168 (hosted in the USA)
ASN: AS46475 LIMESTONENETWORKS, Limestone Networks Inc. (primary ASN)
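The link drawn above between the two campaigns rests on an infrastructure pivot: the drop zones differ by path and possibly by domain, but resolve to the same hosting. The following is an added example, not code from the post or from Trend Micro, showing that correlation step on constructed data. The drop-zone paths, the second domain and its address, and the static resolution table standing in for DNS or passive-DNS lookups are all assumptions; only webcomunicaobr.com and 18.104.22.168 come from the post.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample drop-zone URLs per campaign (paths are hypothetical).
CAMPAIGN_DROPZONES = {
    "TSPY_BANKER.OCN": [
        "http://webcomunicaobr.com/dz1/recv.php",
        "http://webcomunicaobr.com/dz1/upload.php",
    ],
    "TSPY_BANKER.MTX": [
        "http://webcomunicaobr.com/mail/post.php",
        "http://second-dropzone.example/collect.php",
    ],
}

# Constructed stand-in for DNS / passive-DNS resolution. Only the first
# entry (from the post) is real; 192.0.2.10 is a documentation-range placeholder.
RESOLVE = {
    "webcomunicaobr.com": "18.104.22.168",
    "second-dropzone.example": "192.0.2.10",
}


def hosts_for(urls):
    """Extract the set of hostnames from a list of drop-zone URLs."""
    hosts = set()
    for url in urls:
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def shared_infrastructure(campaigns, resolve):
    """Map each IP to the campaigns whose drop zones resolve to it, keeping
    only IPs used by more than one campaign (the overlap that links them)."""
    ip_to_campaigns = defaultdict(set)
    for name, urls in campaigns.items():
        for host in hosts_for(urls):
            ip = resolve.get(host)
            if ip:  # unresolvable hosts are skipped rather than guessed
                ip_to_campaigns[ip].add(name)
    return {ip: names for ip, names in ip_to_campaigns.items() if len(names) > 1}


if __name__ == "__main__":
    for ip, names in shared_infrastructure(CAMPAIGN_DROPZONES, RESOLVE).items():
        print(ip, "is shared by", ", ".join(sorted(names)))
```

Feeding the drop-zone URLs seen in proxy or sandbox logs into `shared_infrastructure` gives an analyst the same overlap the post reports; hosts that do not resolve are left out rather than assumed related.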
Digging a little deeper, three interesting pages cropped up: one revealing the number of systems each contracted spammer has infected so far (see Figure 3), a list of PHP servers where stolen information is sent (see Figure 4), and a list of files containing encrypted information downloaded by infected hosts (see Figure 5).
More spam campaigns from this Web server may be seen in the days to come, but Trend Micro product users need not worry, as they are protected by the Smart Protection Network™, which blocks spammed messages and user access to malicious sites and domains and prevents the download of malicious files detected by Trend Micro as TSPY_BANKER.OCN and TSPY_BANKER.MTX.