
TrojanSpy:Win32/Bancos


First posted on 22 February 2016.
Source: Microsoft

Aliases:

There are no other names known for TrojanSpy:Win32/Bancos.

Explanation:

TrojanSpy:Win32/Bancos is a family of password-stealing trojans that target specific online banking Web sites, commonly ones located in Brazil. Depending on the variant, captured credentials may be sent to the attacker via e-mail or FTP, or sent to a remote server through some other protocol.

Installation

This trojan may be installed by a trojan dropper or other malicious software, and is frequently installed when visiting Web sites modified by an attacker, even a site the user may already trust. Variants of this trojan frequently impersonate the Web sites of the targeted online banking systems in order to trick the user into entering their logon credentials or downloading other malware.

The Bancos family frequently modifies the registry within the following subkeys to execute the trojan at each Windows start:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

In the wild, this trojan has been observed to have the following file names:

  • Windows32.exe
  • Win.exe
  • Arquivos.exe
  • sxe[0-9].tmp
  • sound.exe
  • service.exe
  • winupdbc.exe
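The persistence mechanism above (a Run or RunOnce value pointing at one of the observed file names) can be audited from a PowerShell session. The script below is an added example written for this page, not code from the Microsoft write-up; it checks only the two HKLM subkeys and the file names the write-up lists, and the regular expressions built from those names (including the sxe[0-9].tmp pattern) are the author's own.

```powershell
# Added example, not part of the Microsoft write-up: list Run/RunOnce entries
# whose executable name matches one of the file names observed for Bancos.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Regular expressions built from the observed file names in the write-up;
# sxe[0-9].tmp is kept as a pattern rather than a literal name.
$ObservedNamePatterns = @(
    '^Windows32\.exe$', '^Win\.exe$', '^Arquivos\.exe$', '^sxe[0-9]\.tmp$',
    '^sound\.exe$', '^service\.exe$', '^winupdbc\.exe$'
)

function Get-ExecutableLeaf {
    # Pull the program name out of a Run-value command line: either a quoted
    # path ("C:\path\x.exe" /arg) or the first whitespace-delimited token.
    param([string]$CommandLine)
    $path = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] }
            else { ($CommandLine.Trim() -split '\s+')[0] }
    if ([string]::IsNullOrWhiteSpace($path)) { return '' }
    return Split-Path -Path $path -Leaf
}

function Get-SuspiciousRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty attaches
            if ($p.Name -like 'PS*') { continue }
            $leaf = Get-ExecutableLeaf -CommandLine ([string]$p.Value)
            foreach ($pattern in $ObservedNamePatterns) {
                if ($leaf -imatch $pattern) {
                    [pscustomobject]@{
                        Key       = $key
                        ValueName = $p.Name
                        Command   = $p.Value
                        Matched   = $leaf
                    }
                    break
                }
            }
        }
    }
}

$hits = @(Get-SuspiciousRunEntries)
if ($hits.Count -eq 0) {
    Write-Output 'No Run/RunOnce entries match the Bancos file names.'
} else {
    $hits | Format-Table -AutoSize
}
```

A match is a lead for investigation, not a verdict: names such as sound.exe or service.exe can belong to legitimate software, so the full command path and the file's signature and hash should be checked before anything is removed. Run the script from a 64-bit, elevated session so the native HKLM view (rather than the WOW6432Node redirection) is read.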


Payload

Steals Sensitive Data
Win32/Bancos may monitor Web pages visited by the affected user and capture logon credentials for specific online financial sites such as the following:
  • bradesco.com.br
  • bb.com.br
  • bancobrasil.com.br
  • nossacaixa.com.br
  • cbp.3dsolution.com.br
The data sent to the attacker may include the following types of sensitive information:
  • Bank name
  • IP Address
  • Username and password used to log on to the site
  • MAC Address
Terminates Security Software

Win32/Bancos may terminate processes of several security products such as the following:
  • nod32krn.exe
  • nod32kui.exe
  • Kav.exe
  • McShield.exe
  • avgamsvr.exe
  • ccapp.exe
Lowers Windows Security

Win32/Bancos may lower Windows security by reclassifying "high-risk" file types as "low-risk" through the following registry change:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Modifies value: "LowRiskFileTypes"
With data: ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
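LowRiskFileTypes is the Attachment Manager policy that tells Windows which extensions may be opened from a download or attachment without its security warning, so adding .exe, .scr and the other script and executable types listed above silences that prompt for the affected user. The script below is an added example written for this page, not code from the Microsoft write-up: it reads the value named above, reports which normally high-risk extensions have been demoted, and can remove the value. The watch list of high-risk extensions is the author's own selection from the data the trojan writes.

```powershell
# Added example, not part of the Microsoft write-up: check whether the
# LowRiskFileTypes policy value named in the write-up demotes file types
# that Windows normally treats as high-risk, and optionally remove it.
$AssocKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
$ValueName = 'LowRiskFileTypes'

# Constructed watch list: executable, script and HTML extensions taken from
# the data the trojan writes, which a legitimate policy rarely marks low-risk.
$HighRiskExtensions = @('.exe', '.bat', '.com', '.cmd', '.reg', '.msi', '.scr', '.htm', '.html')

function Test-LowRiskFileTypes {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)

    if (-not (Test-Path -Path $AssocKey)) { return $null }
    $item = Get-ItemProperty -Path $AssocKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }

    # The data is a ';'-separated list such as ".zip;.rar;.exe;"
    $listed  = @(($item.$ValueName -split ';') |
                 ForEach-Object { $_.Trim().ToLowerInvariant() } |
                 Where-Object { $_ })
    $demoted = @($listed | Where-Object { $HighRiskExtensions -contains $_ })

    # Deleting the value restores the default risk classification. ShouldProcess
    # makes -WhatIf / -Confirm work so the change can be previewed first.
    if ($Remediate -and $demoted.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($AssocKey, "Remove value $ValueName")) {
        Remove-ItemProperty -Path $AssocKey -Name $ValueName
    }

    [pscustomobject]@{
        Listed     = $listed
        Demoted    = $demoted
        Suspicious = ($demoted.Count -gt 0)
    }
}

$result = Test-LowRiskFileTypes
if ($null -eq $result) {
    Write-Output "$ValueName is not set under $AssocKey."
} elseif ($result.Suspicious) {
    Write-Output "High-risk extensions marked low-risk: $($result.Demoted -join ', ')"
} else {
    Write-Output "$ValueName is set but lists no high-risk extensions."
}
```

Run it as the affected user, since the value lives under HKCU. Before calling `Test-LowRiskFileTypes -Remediate`, preview with `-Remediate -WhatIf` and, on a domain-managed host, compare the contents against any LowRiskFileTypes setting delivered by Group Policy: the whole value is removed, so legitimately configured extensions would need to be re-applied by policy.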

Analysis by Josh Phillips

Last update 22 February 2016
