
TrojanSpy:Win32/BBSwift.B


First posted on 02 June 2016.
Source: Microsoft

Aliases:

There are no other names known for TrojanSpy:Win32/BBSwift.B.

Explanation:

Installation

This threat usually arrives as nroff_b.exe, masquerading as a file that belongs to the SWIFT Alliance software suite. The malware uses it for additional monitoring and information stealing.

It also makes use of the two configuration files seen in use by TrojanSpy:Win32/BBSwift.A:

  • %LOCALAPPDATA%\allians\gpca.dat
  • %LOCALAPPDATA%\allians\recas.dat
Payload

It can monitor SWIFT messages in these directories:
  • %LOCALAPPDATA%\Allians\mcp\in
  • %LOCALAPPDATA%\Allians\mcp\out
  • %LOCALAPPDATA%\Allians\mcp\unk
  • %LOCALAPPDATA%\Allians\mcs\nfzp
  • %LOCALAPPDATA%\Allians\mcs\nfzf
  • %LOCALAPPDATA%\Allians\mcs\fofp
  • %LOCALAPPDATA%\Allians\mcs\foff

It looks for the following SWIFT sub-strings and logs matches into %LOCALAPPDATA%\allians\recas.dat, as part of its information-stealing scheme and possibly to edit database transactions so that bank statements appear to show no anomalies:
  • Swift Input
  • Swift Output
  • 28C: Statement Number
  • outgo
  • incom
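
The file names, directories and logged sub-strings listed in the Installation and Payload sections above are host-based indicators a responder can check for directly. The script below is an added triage example written for this write-up; it is not Microsoft's tooling and not code from the malware. It assumes the %LOCALAPPDATA% layout is exactly as listed, that recas.dat stores the logged sub-strings as plain bytes (the write-up does not describe its format), and that nroff_b.exe may sit anywhere in the profile (the write-up gives the name but not a drop location). The sample profile it scans is constructed inline so the example runs offline.

```python
"""Added host-triage example for the BBSwift.B indicators in this write-up (not Microsoft's tooling).

Assumptions: the %LOCALAPPDATA% layout is exactly as the write-up lists it, and recas.dat
stores the logged SWIFT sub-strings as plain bytes (its real format is not described).
"""
import os
import tempfile

# Indicators taken from the write-up; paths are relative to %LOCALAPPDATA%\allians.
CONFIG_FILES = ("gpca.dat", "recas.dat")
MONITORED_DIRS = (
    os.path.join("mcp", "in"), os.path.join("mcp", "out"), os.path.join("mcp", "unk"),
    os.path.join("mcs", "nfzp"), os.path.join("mcs", "nfzf"),
    os.path.join("mcs", "fofp"), os.path.join("mcs", "foff"),
)
LOGGED_SUBSTRINGS = (b"Swift Input", b"Swift Output", b"28C: Statement Number", b"outgo", b"incom")
DROPPER_NAME = "nroff_b.exe"  # the write-up gives the name but not the drop location


def _find_child(parent, name):
    """Case-insensitive lookup of one directory entry (Windows paths are case-insensitive)."""
    if not os.path.isdir(parent):
        return None
    for entry in os.listdir(parent):
        if entry.lower() == name.lower():
            return os.path.join(parent, entry)
    return None


def _resolve(base, relative):
    """Resolve `relative` beneath `base` one component at a time; None if any part is missing."""
    current = base
    for part in relative.split(os.sep):
        current = _find_child(current, part)
        if current is None:
            return None
    return current


def scan_local_appdata(local_appdata):
    """Return which write-up indicators exist under `local_appdata` (a directory path)."""
    findings = {"config_files": [], "monitored_dirs": [], "logged_strings": [], "dropper": []}

    # The dropper's location is not given, so walk the whole profile for its name.
    for dirpath, _dirs, files in os.walk(local_appdata):
        for f in files:
            if f.lower() == DROPPER_NAME:
                findings["dropper"].append(os.path.join(dirpath, f))

    allians = _resolve(local_appdata, "allians")
    if allians is None:
        return findings
    for name in CONFIG_FILES:
        path = _resolve(allians, name)
        if path is not None and os.path.isfile(path):
            findings["config_files"].append(name)
    for rel in MONITORED_DIRS:
        if _resolve(allians, rel) is not None:
            findings["monitored_dirs"].append(rel)

    # recas.dat is where the write-up says matched sub-strings are logged.
    recas = _resolve(allians, "recas.dat")
    if recas is not None and os.path.isfile(recas):
        with open(recas, "rb") as fh:
            data = fh.read().lower()
        findings["logged_strings"] = [s.decode() for s in LOGGED_SUBSTRINGS if s.lower() in data]
    return findings


def is_suspicious(findings):
    """Config files, logged strings or the dropper are the signals; empty mcp/mcs folders alone are not."""
    return bool(findings["config_files"] or findings["dropper"] or findings["logged_strings"])


def build_constructed_sample(root):
    """Create a constructed, fake profile that mimics the layout the write-up describes."""
    allians = os.path.join(root, "Allians")
    for rel in MONITORED_DIRS:
        os.makedirs(os.path.join(allians, rel), exist_ok=True)
    with open(os.path.join(allians, "gpca.dat"), "wb") as fh:
        fh.write(b"constructed-config\n")
    with open(os.path.join(allians, "recas.dat"), "wb") as fh:
        fh.write(b"Swift Output\n28C: Statement Number\noutgo\n")  # constructed log content
    with open(os.path.join(root, "nroff_b.exe"), "wb") as fh:
        fh.write(b"MZ-constructed-placeholder")  # placeholder bytes, not the real binary


def demo(infected=True):
    """Scan a temporary profile, either empty or populated with the constructed sample."""
    with tempfile.TemporaryDirectory() as tmp:
        if infected:
            build_constructed_sample(tmp)
        return scan_local_appdata(tmp)


if __name__ == "__main__":
    result = demo()
    print("suspicious:", is_suspicious(result))
    for key, value in result.items():
        print(f"  {key}: {value}")
```

To run it against a real host, call `scan_local_appdata(os.environ["LOCALAPPDATA"])` instead of `demo()`. Note that `is_suspicious` deliberately ignores the mcp/mcs directories on their own, since the write-up describes them as locations the malware watches rather than files it creates; the configuration files, the logged sub-strings and the dropper name are the indicators that point at the infection itself.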
Analysis by: Marianne Mallen

Last update 02 June 2016

