Cybercriminals in Brazil appear to have come up with a new tactic to lure users into giving up their login information. A few days ago, we found a post on a Brazilian forum offering a browser that could access the Banco do Brasil website without the security plugin the site normally requires.
Figure 1. Homemade browser ad
Users who clicked the download link received a zip file. Inside this compressed file were two executable files: one was the browser itself, called Navegador BB, and the other had the file name Plugin_Navegador_2.1.3.exe. (We detect these as PE_PARITE.A and WORM_LUDER.USR, respectively.)
The third file is a text file containing instructions to run Plugin_Navegador_2.1.3.exe first and then run the browser. The “plugin” actually steals the user’s bank information. Meanwhile, the browser fools the bank site into not requiring the usual security plugin by pretending to be a mobile browser, as can be seen by examining the User-Agent HTTP header strings it sends (shown in Figure 2):
Figure 2. Strings used to spoof the User-Agent header
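The weakness this tool exploits is that the site decides whether to demand the security plugin based on a header the client fully controls. The following Python example is added here and is not code from the original post or from the bank; it reconstructs, as a labelled hypothesis, a weak User-Agent-based exemption beside a hardened variant whose exemption comes from server-side device enrollment state instead. The `Session` class, the `device_attested` flag and both User-Agent strings are constructed for the example.

```python
"""Added example (not from the original post): a User-Agent-based plugin
exemption that a spoofed header bypasses, beside a hardened decision that
does not trust the header at all."""
import re
from dataclasses import dataclass

# Typical substrings a server might use to guess "this is a mobile browser".
MOBILE_UA_RE = re.compile(r"Android|iPhone|iPad|Mobile Safari|Windows Phone", re.I)


def looks_mobile(user_agent: str) -> bool:
    """Client-supplied hint: True if the User-Agent string *claims* a mobile device.
    Anything that can send HTTP can send this string, so it proves nothing."""
    return bool(MOBILE_UA_RE.search(user_agent or ""))


def weak_requires_plugin(headers: dict) -> bool:
    """Hypothetical weak policy mirroring the behaviour the post describes:
    desktop browsers must present the security plugin, 'mobile' browsers are
    exempt. The exemption is decided purely from the User-Agent header, so a
    desktop binary that embeds a mobile string is exempted too."""
    return not looks_mobile(headers.get("User-Agent", ""))


@dataclass
class Session:
    """Server-side session state (assumed for the example)."""
    user_id: str
    # Set by the server only after an enrollment step the bank performs itself
    # (e.g. registering a mobile app instance); never derived from request headers.
    device_attested: bool = False


def hardened_requires_plugin(headers: dict, session: Session) -> bool:
    """Hardened policy: the exemption is derived from state the server established
    (an enrolled, verified device), not from what the client says about itself.
    The User-Agent header is ignored for this decision, so spoofing it changes
    nothing; it may still be logged for telemetry."""
    _ = headers.get("User-Agent", "")  # kept only for logging, deliberately unused
    return not session.device_attested


def decide(headers: dict, session: Session) -> dict:
    """Evaluate both policies on one request so the difference is visible."""
    return {
        "claims_mobile": looks_mobile(headers.get("User-Agent", "")),
        "weak_policy_requires_plugin": weak_requires_plugin(headers),
        "hardened_policy_requires_plugin": hardened_requires_plugin(headers, session),
    }


# Constructed sample inputs: a genuine desktop browser string and a desktop binary
# sending a mobile-looking string (invented for the example, not the tool's actual UA).
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/30.0 Safari/537.36")
SPOOFED_UA = ("Mozilla/5.0 (Linux; U; Android 2.3; pt-br) AppleWebKit/533.1 "
              "(KHTML, like Gecko) Mobile Safari/533.1")

if __name__ == "__main__":
    unenrolled = Session(user_id="customer-1")  # constructed
    print("desktop UA :", decide({"User-Agent": DESKTOP_UA}, unenrolled))
    print("spoofed UA :", decide({"User-Agent": SPOOFED_UA}, unenrolled))
```

Run as a script, the weak policy waives the plugin for the spoofed request while the hardened policy still demands it for any session the server has not itself marked as enrolled; the only way to obtain the exemption is through the bank's own enrollment step, not through a header.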
It’s also worth noting that this homemade browser doesn’t even have an address bar or any other place to enter a URL. It has only a single button, which sends the user directly to the bank’s site.
Figure 3. The homemade browser accessing the mobile Banco do Brasil site
This is not the first time that cybercriminals have tried to fool users in Brazil with fake apps that promise to make accessing sites more convenient. Previously, we found an application that claimed to retrieve the credit scores and criminal records of Brazilians.
One more thing to note: the author of this “browser” also created a version of BANCOS that “outsourced” its distribution to lower-level cybercriminals.