TrendLabs Malware Blog - Trend Micro

We recently received a report of a new phishing attack originating from Mexico. It takes advantage of the controversial news about an allegedly missing four-year-old girl, Paulette Gebara Farah, who was later found dead in her own bedroom. Upon investigation, we found that the attack came from a Mexican botnet and that it was trying to steal banking and other financial information from users.

Online banking is widely used in Latin America, and this attack is another example of cybercriminals targeting the online banking community in order to steal money and sensitive financial information.

Users following the said news may fall prey to this attack by visiting the page http://www.knijo.{BLOCKED}0.net/fotografias-al-desnudo-de-la-mama-de-paulette.htm, which contains an article about Paulette and claims to show nude photos of her mother. When a user accesses this page, a fake dialog box pops up and asks the user to download and install Adobe Flash Player.


Clicking Run leads to the download of the file video-de-la-mama-de-paulette.exe, which is actually the client program of a bot detected by Trend Micro as TSPY_MEXBANK.A. We refer to the botnet behind it as the Tequila botnet.

During our investigation, we were able to access the botnet's command-and-control (C&C) interface and learn about its management functions. We were able to enter the management interface and see for ourselves the complete capabilities of this new botnet.


The bot menu shows the total number of zombies and a list of the compromised computers. The list of zombies displays the ID number, the name of the client, and the action executed on a bot. It has options to disable or enable a bot, to start netcat (a powerful networking utility that can be used as a backdoor) on a bot, and to remove the bot from the botnet.


This newly discovered botnet has a fairly comprehensive feature set, comparable to that of older, more established botnet families. Each feature is placed in its own "module," which the botnet herder can configure one by one.

It should be no surprise that a pharming module (one that silently redirects victims to attacker-controlled copies of legitimate sites) is part and parcel of its available features. As can be seen in the screenshot of the pharming module, this particular botnet targets Mexican users, particularly PayPal's local site and Bancomer, the largest bank in the country.
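The post does not say how the pharming module performs its redirection. The script below is an added example (not code from the post, from Trend Micro, or from the botnet) of the check a responder would run on a suspected victim: parse the Windows hosts file and flag any entry that points a watched banking domain at a non-loopback address. It assumes hosts-file tampering, the most common pharming technique on Windows machines of this era; the watched-domain list and the sample hosts content are constructed for the example.

```python
"""Flag hosts-file entries that redirect watched banking domains.

Added example for the TrendLabs write-up; not the post's own code.
Assumption: the pharming is done by editing the Windows hosts file.
The watch list and SAMPLE_HOSTS below are constructed for illustration.
"""
import ipaddress
import sys

# Constructed watch list (assumption): apex domains whose names must never
# be resolved locally. A real deployment would load a much fuller list.
WATCHED_DOMAINS = ("paypal.com", "bancomer.com", "bancomer.com.mx")

# Usual location of the hosts file on Windows, for use with scan_file().
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample hosts file: benign lines plus three pharming lines.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net              # constructed ad-block entry, benign
192.0.2.10      www.paypal.com paypal.com    # constructed pharming entry
192.0.2.10      www.bancomer.com             # constructed pharming entry
198.51.100.7    login.bancomer.com.mx
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every name mapped in a hosts file.

    Handles full-line and inline '#' comments, blank lines, and several
    hostnames on one line (all of which the Windows resolver accepts).
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # no hostname: the resolver ignores it as well
        ip, names = fields[0], fields[1:]
        for name in names:
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d)
               for d in WATCHED_DOMAINS)


def find_pharming_entries(text):
    """Return [(line_no, ip, hostname)] for watched names sent elsewhere.

    Mappings to loopback or 0.0.0.0 are skipped: they block a site rather
    than redirect it, which is what ad-blocking hosts lists do. Any other
    address, or an address that does not even parse, is reported.
    """
    hits = []
    for line_no, ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((line_no, ip, name))  # malformed: still worth a look
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        hits.append((line_no, ip, name))
    return hits


def scan_file(path):
    """Scan a real hosts file (WINDOWS_HOSTS_PATH or one from a disk image)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_pharming_entries(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_file(sys.argv[1])
    else:
        hits = find_pharming_entries(SAMPLE_HOSTS)
    for line_no, ip, name in hits:
        print(f"line {line_no}: {name} -> {ip}")
    sys.exit(1 if hits else 0)
```

Run it with no arguments to see the constructed sample flagged, or pass the path of a hosts file copied off a suspect machine. The loopback/0.0.0.0 exemption matters in practice: many users run ad-blocking hosts lists, and reporting those as pharming would bury the real hits.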


Aside from this, the Tequila botnet can also download files from various malicious URLs, either via HTTP or FTP. Both ZBOT information stealers and FAKEAV malware have been seen being dropped by this new family.

However, consumers are not the only ones the cybercriminals behind this botnet are ripping off. The AdSense module repeatedly loads a site along with that site's advertisements. In effect, the cybercriminals use the bots to inflate traffic to their own sites, increasing the payments made by advertising networks such as Google's AdSense; the advertisers, not the infected users, foot that bill.


In addition to being served from malicious websites, the Tequila botnet can also spread via USB devices and via MSN Messenger. Over MSN Messenger it sends messages that either carry the file itself (as a file transfer, in effect an attachment) or contain links to copies of the malware.
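The post notes that the bot spreads over USB devices but does not describe how the copy on the drive gets launched. The script below is an added example, not code from the post, from Trend Micro, or from the bot: it parses an autorun.inf from the root of a removable drive and reports every key that would run an executable when the drive is inserted, which is the mechanism (assumed here) that worms of this period relied on. The sample autorun.inf contents and the file name in them are constructed.

```python
"""Report autorun.inf entries that would launch an executable on insertion.

Added example for the TrendLabs write-up; not the post's or the bot's code.
Assumption: the USB spread relies on an autorun.inf at the drive root.
SAMPLE_AUTORUN and the program name in it are constructed for illustration.
"""
import os

# Keys in [autorun] that run a program directly; "shell\<verb>\command"
# entries are matched by pattern in is_launch_key().
LAUNCH_KEYS = {"open", "shellexecute"}
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")

# Constructed sample: a hidden copy wired to the open verb and to a shell
# verb, plus benign icon/label lines that must not be reported.
SAMPLE_AUTORUN = r"""[autorun]
; constructed sample, not taken from a real drive
icon=setup.ico
open=RECYCLER\update.exe
shell\open\command="RECYCLER\update.exe" /q
label=Removable Disk
action=Open folder to view files
"""


def parse_autorun(text):
    """Return [(key, value)] from the [autorun] section, keys lower-cased.

    autorun.inf is INI-like but need not be well-formed, so this tolerates
    lines without '=', ';' comments and duplicate keys instead of relying
    on configparser, which would reject some files malware ships.
    """
    entries = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries


def is_launch_key(key):
    """True for open=, shellexecute= and shell\\<verb>\\command= keys."""
    return key in LAUNCH_KEYS or (
        key.startswith("shell\\") and key.endswith("\\command"))


def launched_program(value):
    """Extract the program path from a command value, honouring quotes."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def autorun_findings(text):
    """Return [(key, program)] for every entry that launches an executable."""
    findings = []
    for key, value in parse_autorun(text):
        if not is_launch_key(key):
            continue
        program = launched_program(value)
        if program.lower().endswith(EXECUTABLE_EXTS):
            findings.append((key, program))
    return findings


def scan_drive(root):
    """Check the autorun.inf at a drive root (e.g. 'E:\\' or a mount point)."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return autorun_findings(fh.read())


if __name__ == "__main__":
    for key, program in autorun_findings(SAMPLE_AUTORUN):
        print(f"{key} launches {program}")
```

Point scan_drive() at a mounted suspect drive; anything it returns names the file to pull for analysis. A matching entry is a strong indicator but not proof on its own, since a few legitimate vendor drives also use open= to start their own software.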


The C&C server appears to be offline, which effectively takes this particular botnet down. However, if the developer starts a new campaign and distributes new files, the number of bots may increase again, encouraging the developer to create new modules for the botnet in the future.

Hat tip to Juan Castro of Trend Micro LAR for initially bringing this botnet to light.





© Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice