Despite the 2016 Olympics coming to a close, cybercriminals remain relentless in using the sporting event as a social engineering hook to distribute a banking Trojan. Earlier this month, we spotted a phishing campaign that led victims to unknowingly download the Banker malware. Although Banker has been in the wild for years, this time we see it using a Dynamic Loading Library (DLL) with malicious exported functions. One of the export calls used is to check if the victimized system is located in Brazil. If the geolocation points to Brazil, then another malicious file is downloaded. This particular new routine points to the possibility of the cybercriminals’ intention of riding on the popularity of the Olympics to lure users. Apart from Banker, there are reports indicating that other banking Trojans, are doing the same thing. For instance, Sphinx ZeuS has enhanced its capabilities because of the Olympics.
Attacks banking on the popularity of sporting events are common. Before, the 2014 World Cup and the 2012 Olympics were used as baits to deliver a plethora of security threats such as fake apps, phishing sites, online scams, and banking malware among others.
Riding the Olympics bandwagon
Banker, one of the notorious banking Trojans, has been spotted targeting users who want to watch the 2016 Olympics live. Users or employees are made to believe that there are free tickets waiting for them if they click the link in the spam email with subject, Parabens Voce Acabou De Ganhar 1 Par De Ingressos Para Olimpiadas 2016 (translation: Congratulations You Just Won 2 tickets for the 2016 Olympics). But instead of free tickets, the victims are redirected to hxxp://50[.]116[.]86[.]50/~megad351/clientes/gremiacao/ and hxxp://www.truongtinphat.com/cn/plugins/content/Imprimir_Ingresso_00000736=
63534366355ASDR2016BR.rar respectively. That particular site leads to the downloader, Banload (detected by Trend Micro as JS_BANLOAD.YJF), which in turn retrieves a variant of the Banker Trojan (detected as TSPY_BANKER.YWNPR).
Our analysis revealed that the configuration file of the malware monitors 4 major and 13 local banks in Brazil, as well as 3 international banks.
Underground market findings
In a country like Brazil where cybercrime training services are offered publicly via the Surface Web, aspiring cybercriminals can easily get tools like banking Trojans and use such tools to leverage the popularity of the Olympics. While banking Trojans have always been a staple product in the Brazilian underground market, it was only in June that we spotted someone peddling banking Trojans as a service. A cybercriminal dubbed as ‘Ric’ advertised a banking Trojan, and its infrastructure, to aspiring cybercriminals who want to make a name for themselves. Just as some Brazilian cybercriminals remain unfazed by law enforcement, ‘Ric’ also posted his ads via YouTube.
Other standard products in the Brazilian cybercriminal underground are banking and carding training services, priced at R$1.499,00 (US$470.16, as of Aug. 16, 2016). Advertisements offering such services typically emerge immediately after being taken down by the Computer Security Incident Response Team (CSIRT). We also noticed that the price of the training on carding had increased, possibly because many bad guys have become interested and so a higher demand for it was created.
Figure 1. Banker training ad
Figure 2. Topics cover under the banker training
The ad above offers training to cybercriminal wannabes who want to perform banking Trojan-related attacks. The same ad offers a wide array of tutorials that will equip any aspiring cybercriminal with the knowledge on banking Trojan development as well as tips on general carding and banking operations.
Some of the topics included in the training will provide information on how to set up a C&C server, configure malware kits, and develop keylogger and phishing pages.
Figure 3. Carding training ad
A typical carding training covers topics on how to clone credit cards, how to gather affected users’ banking credentials, and how to use malware and botnet among others.
Best practices and recommendations
Sports enthusiasts and fans who wish to watch and enjoy similar events, like the Olympic Games, must exercise caution when faced with deals that are too good to be true. Being cautious of such social engineering lures can help lower the risk of falling into a trap that will either take their credentials and personal information or infect their systems and devices with malware.
For employees of small businesses and enterprises, Olympics-related threats like Banker could mean introducing risks to the company network. Although employees are often considered the “weakest link in security,” educating employees through a security awareness program that will describe how threats take advantage of sporting events can be effective in keeping a company network safe from such attacks.
Since bogus apps and phishing pages capitalizing on the Olympics are rampant these days, it is best to only visit trusted sites for tickets and live streaming videos. Users are also recommended to keep systems and devices updated with the latest software, and to watch out for spam emails promising giveaways and prizes as these often lead to phishing pages.
Trend Micro protects users and organizations from various threats leveraging the Olympics via its Trend Micro™ Smart Protection™ Suites and Trend Micro™ Security that can detect Banker and Banload, another banking Trojan, as well as the related spam emails. These solutions can also block related malicious URLs. For small businesses, they can use Trend Micro Worry-Free™ Business Security to secure their systems against Banker and its related spam and URL components.
Indicators of compromise
These are the related SHA1 hashes:
TSPY_BANKER.YWNPR is related to the following malicious URLs: