During a recent analysis of a particular malware sample, we came across the author’s online nickname. After some digging, we found a link to the location where the author advertised his malware and allowed others to freely download its source code.
The blurbs in the said site promote some of the malware’s features such as the fact that it works in Windows XP, Vista, and 7 and that it can capture screenshots. It also lists the banks and browsers from which the malware can steal information.
Eight days after we saw the page, the same person came out with a new version of his malware, which he called Version 2.0. To this, he added a new target (a credit score firm) and the ability to terminate two security programs.
A week after Version 2.0 came out, the cybercriminal introduced his Ultimate Version. This new version corrected several bugs and can terminate one more security product.
Here is a final comparison of the affected institutions and features of all three variants:
Checking the source codes all three versions offered, it is possible to identify that part of them cannot be directly accessed. The original author compiled part of the code in Delphi Compiled Unit (DCU) files—mixed files with code (in low-level language) and data declared in a separate .PAS file.
The author used the low-level code to protect or hide his creation’s main routines. The .PAS files in the package were only used to include the email address that the author used to receive data from the victims.
What does the original author get out of this if he is distributing the software for free? When the cybercriminal advertised the first version, he explained that any data stolen by the malware that was meant for Banco Itau would not just be sent to the downloaders, it would also go to the original author.
The packages also include an embedded .RES file, which embeds a separate malicious file that differs with each version. The first version uses TROJ_BANCOS.SER, Version 2.0 uses RTKT_BANKER.RAG, and the Ultimate Version uses TROJ_KILLAV.PB. All three try to remove the security plug-in used by some banks in Brazil to protect their users when accessing their sites online. The last two malware also try to erase the auto-update programs several security software use.
It’s clear that the culprit behind this particular malicious package has chosen a new approach to malware distribution. He has “outsourced” his distribution to other lower-level cybercriminals and let them generate both the actual binaries distributed to victims as well as the actual “campaigns” to propagate these. After all, he still profited from the malware by getting a portion of the stolen information.
What does this mean for users? Because would-be cybercriminals can now acquire the tools of the trade at no cost, users are likely to see more attacks. Even if these may not be as sophisticated as those from more experienced cybercriminals, the increased volume of threats will still cause more problems for users.
Hat tip to Fioravante Souza for sample acquisition.