    Cybercriminals in Brazil appear to have come up with a new tactic to lure users into giving up their login information. A few days ago, we found a post on a Brazilian forum offering a browser that could access the website of the Banco do Brasil without using the needed security plugin.

    Figure 1. Homemade browser ad

    Users who clicked the download link received a zip file. Inside this compressed file were two executable files: one was the browser itself, called Navegador BB, and the other had the file name Plugin_Navegador_2.1.3.exe. (We detect these as PE_PARITE.A and WORM_LUDER.USR, respectively.)

    The third file is a text file that contains instructions to run Plugin_Navegador_2.1.3.exe first, and then run the browser. The “plugin” actually steals the user’s bank information. Meanwhile, the browser fools the bank site into not requiring the usual security plugin by pretending to be a mobile browser, as can be seen by examining the User-Agent HTTP header:

    Figure 2. Strings used to spoof the User-Agent header
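The sketch below is an added example, not code from the sample or from the bank's site. It contrasts a plugin waiver keyed on the User-Agent header with one keyed on server-side state, and lists requests the first rule would let through unprotected. The regex, the `ENROLLED_SESSIONS` set, the function names and the sample requests are all assumptions constructed for illustration.

```python
import re

# Assumption: the site decides "mobile" by matching substrings of the
# User-Agent header. The bank's real rule is not shown on the page.
MOBILE_UA = re.compile(r"Android|iPhone|Mobile", re.IGNORECASE)

# Constructed stand-in for server-side state: sessions the server itself
# bound to an enrolled phone (for example at app activation).
ENROLLED_SESSIONS = {"sess-1001"}


def plugin_required_weak(request):
    """Waive the plugin for anything that claims to be a mobile browser."""
    ua = request["headers"].get("User-Agent", "")
    return MOBILE_UA.search(ua) is None


def plugin_required_hardened(request):
    """Waive the plugin only for sessions tied to an enrolled device.

    The User-Agent may still pick the page layout, never the security level.
    """
    return request.get("session_id") not in ENROLLED_SESSIONS


def flag_unverified_mobile_claims(requests):
    """Return ids of requests the weak rule waves through without verification."""
    return [
        r["id"] for r in requests
        if not plugin_required_weak(r) and plugin_required_hardened(r)
    ]


# Constructed sample traffic (not taken from the sample analysed above).
SAMPLE_REQUESTS = [
    {"id": "desktop-browser", "session_id": "sess-2001",
     "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/21.0"}},
    {"id": "enrolled-phone", "session_id": "sess-1001",
     "headers": {"User-Agent": "Mozilla/5.0 (Linux; Android 4.2; Mobile) AppleWebKit/537.36"}},
    {"id": "desktop-app-claiming-mobile", "session_id": "sess-3001",
     "headers": {"User-Agent": "Mozilla/5.0 (Linux; Android 4.2; Mobile) AppleWebKit/537.36"}},
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["id"], "weak:", plugin_required_weak(r),
              "hardened:", plugin_required_hardened(r))
    print("review:", flag_unverified_mobile_claims(SAMPLE_REQUESTS))
```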

    It’s also worth noting that this homemade browser doesn’t even have an address bar, or any other place to enter a URL. It only has a single button that sends the user directly to the bank’s site.

    Figure 3. The homemade browser accessing the mobile Banco do Brasil site

    This is not the first time that cybercriminals have tried to fool users in Brazil with fake apps to make accessing sites more convenient. Previously, we found an application that claimed to get the credit scores and criminal records of Brazilians.

    One more thing to note: the author of this “browser” also created a version of BANCOS that “outsourced” its distribution to lower-level cybercriminals.


    • org12

      How does he steal the information typed in the “homemade browser”?

      • TrendLabs

        Hi there org12,

        The information is stolen through the malicious plugin WORM_LUDER.USR mentioned above as Plugin_Navegador_2.1.3.exe. The said malicious plugin monitors web activities and logs keystrokes.
