A 20-year-old college student whose underground username is Lordfenix has become one of Brazil’s top banking malware creators. Lordfenix developed his underground reputation by creating more than a hundred online banking Trojans, each valued at over US$300. Lordfenix is the latest in a string of young and notorious solo cybercriminals we’re seeing today.
Who is Lordfenix?
Lordfenix is a 20-year old Computer Science student from Tocantins, Brazil. We were able to trace his activity back to April 2013. At the time, he was operating under a different handle, Filho de Hakcer (Portuguese for “hacker’s son,” but misspelled). He was posting in forums, asking for programming assistance for a Trojan he was supposedly creating.
Figure 1. Forum post of Lordfenix, then Filho de Hakcer
Based on a photo he posted on Facebook dated September 2013, it appears he was successful in his work.
Figure 2. Facebook post boasting of his success with his Trojan
Information theft via fake browsers
Lordfenix has since continued to develop and sell banking Trojans, one of which we detect as TSPY_BANKER.NJH. This Trojan is able to identify when a user types any of its target banks’ URLs. Among these targets are Banco de Brasil, Caixa, and HSBC Brasil.
It is then able to close the current browser window (if it’s running on Google Chrome), display an error message, and then open a new fake Chrome window. This whole routine is almost unnoticeable since the browser windows are switched seamlessly. In case the user’s browser is Internet Explorer or Firefox, the original window stays open, but the error message and the fake browser window still appear.
Figure 3. Fake browser window
Figure 4. Spoofed HSBC Brasil banking site
Figure 5. Spoofed Banco de Brasil banking site
If the user enters his login credentials in the fake window, the malware sends the information back to the attacker via email—the same email address Lordfenix used during his “Filho de Hakcer” days.
For added protection against security products, this malware terminates the process GbpSV.exe. This process is associated with the software G-Buster Browser Defense, a security program many Brazilian banks use to defend against information theft and protect their customers’ privacy during online transactions.
Cybercrime for free
Lordfenix has grown quite confident in his skills. We found him offering free versions of fully-functional banking Trojan source code to underground forum members. He claims these free versions can steal credentials from customers of four different banks. But this generosity has a limit. If other members would like to target more banks, they would have to contact him, and he would sell them TSPY_BANKER.NJH. We checked this banking Trojan and it is, in fact, operational.
Figure 6. Forum post advertising free banking Trojan source code
We also found him advertising banking Trojans through his Skype profile. There, the Trojans are referred to as keylogger (KL) proxy—based on the keylogging capabilities of the malware.
Figure 7. Lordfenix’s Skype profile
Cybercriminal upstart
Based on our research, Lordfenix has created more than 100 different banking Trojans, not including his other malicious tools, since April 2013. With each Trojan costing around R$1,000 (roughly US$320), this young cybercriminal channeled his talent in programming into a lucrative, illegal venture.
Aside from the ease of creating malware, a few other factors may have urged Lordfenix to start up his own little enterprise:
- Brazil has a huge online banking user base. In 2013 alone, around 51% percent of all banking transactions within the country were done via the Internet.
- Digital crime is not necessarily a top priority in Brazil. The penalties against offenders are currently very low.
Despite working alone and being only 20 years old, Lordfenix has managed to make his name known among his fellow criminals. His story—the young cybercriminal inflicting serious damage—is near-identical to that of the teens developing mobile ransomware in China. He is also not the first solo operator we have noted this quarter. The likes of Frapstar (Canada) and the cybercriminals behind FighterPOS (Brazil) and HawkEye (Nigeria) are all individual players using basic malware to gain profit.
In cybercrime, it doesn’t matter if the criminal is a veteran or a newbie. The result remains the same: ordinary users become victims.
Update as of July 10, 2015, 11:45 AM PDT (UTC – 7)
Below are the SHA1 hashes related to this threat:
- fc79d98729dd156f8ab66292b0fb31cea5f7ee5f
- cf82708f251e2a8ce63994bea41cff35475de0e8
- c054127cfd6170e091f32d6a7ad1092d4d2edc8d
- 39d93b4fcc36ef52ba18c87ddd294a846c5811be
- c88012dbc818941b1e62dcd53739ad821fd01c24
- d98409510804e895e082840e9591e6a798294fda
- dac73434e6d2894a835ed2fbfa8552f22ec086b6
- f2a77c29ddcbc68bdd3044449657cfedbf7ab5a3
- 58624af9d383b117fe5d56369051c0e5e4dd9d7a
