The Web site of the Ministry of Finance in Brazil, Ministerio da Fazenda, has become the new target of the bad guys. The Trend Micro Content Security Team found a phishing email that purports to be a legitimate email from the said financial institution.
It asks recipients to confirm that their income tax return has not been delivered. Recipients are told to confirm by clicking the hyperlink in the message, which leads to the URL hxxp://www.c3.hu/~vadkert//tagok/formulario.php. However, instead of displaying an ordinary phishing Web site, the link downloads a malicious executable file.
The file is already detected by Trend Micro as POSSIBLE_BANLD-1, while the malicious URL has been added to the database and will be blocked by WCS.
– Update: March 27, 2008 –
TrendLabs engineers further analyzed the malicious site and found various malware hosted on it, including the following:
- w.exe – detected as TSPY_AGENT.ALKZ
(Note: The original file downloaded from the link is already detected as PE_PARITE.A)
- formulario.exe – detected as TROJ_BANLOAD.CRZ
- onnas.exe – detected as TSPY_BANCOS.AUE
The file usersonline.txt, on the other hand, is a non-malicious file that contains IP addresses and ports which, based on analysis, are currently not available. Jose Lopez Tello, Trend Micro Virus Coordinator in Latin America, notes that it is not certain whether the IP addresses contained in the text file are from online users or just a fake list, but what is interesting is that all of the IPs are located in Brazil.