
Trojan-Spy:W32/Banbra.RM


First posted on 24 December 2008.
Source: SecurityHome

Aliases:

There are no other names known for Trojan-Spy:W32/Banbra.RM.

Explanation:

This type of trojan secretly installs spy programs and/or keylogger programs.

This trojan steals any information related to Brazilian Internet banking websites. The trojan uses a legitimate malware removal tool to maliciously remove some forms of security software that some Brazilian Internet banking websites require. Removing the security software paves the way for the trojan to steal a user's credentials; the stolen credentials can then be forwarded to a remote server for further malicious use.

The trojan targets popular Brazilian Internet banking websites, such as:

  • https://www.bancobrasil.com.br/
  • https://www.banrisul.com.br/
  • https://www.bradesco.com.br/
  • https://www.caixa.gov.br/
  • https://www.citibank.com.br/
  • https://www.credicardcitinovo.com.br/
  • https://internetbanking.caixa.gov.br
  • https://www.unibanco.com.br
  • http://www.santanderbanespa.com.br/

The trojan will also attempt to download and execute files from a remote server.

Execution

Upon execution, the trojan first drops a copy of itself as:

  • %windir%\msnmsgsr.exe

It then downloads and executes the legitimate removal tool, Avenger by Swandog. It also creates a number of files to facilitate the smooth execution of its activity. For example, %windir%\system32\drivers\workray.sys is a driver file used by Avenger to operate normally.

Avenger is executed in quiet mode using the tool's command line, avenger.exe /nogui C:\systemX86.txt. The legitimate files that Avenger will remove are specified in the text file C:\systemX86.txt.

Of particular interest is GbPlugin, a program used by Brazilian banks to protect customers when they perform Internet banking transactions. Though normally difficult to remove, using the Avenger program allows the trojan to remove GbPlugin at the next system startup or reboot.

The following is a typical script used by Avenger to remove files:

Files to delete:

  • %systemdrive%\Arquivos de programas\GbPlugin\scpsssh2.dll
  • %systemdrive%\Arquivos de programas\GbPlugin\gbiehuni.dll
  • %systemdrive%\Arquivos de programas\GbPlugin\gbpdist.dll
  • %systemdrive%\Arquivos de programas\GbPlugin\isg.gpc
  • %systemdrive%\Arquivos de programas\GbPlugin\uni.gpc
  • %systemdrive%\Arquivos de programas\GbPlugin\gbiehisg.dll
  • %systemdrive%\Arquivos de programas\GbPlugin\GBIEHCEF.DLL
  • %systemdrive%\Arquivos de programas\GbPlugin\scpVista.exe
  • %systemdrive%\Arquivos de programas\GbPlugin\gbiehabn.dll
  • %systemdrive%\Arquivos de programas\GbPlugin\GBIEHABN.DLL
  • %systemdrive%\Arquivos de programas\GbPlugin\LOGOF.DLL
  • %systemdrive%\Arquivos de programas\GbPlugin\abn.gpc
  • %systemdrive%\Arquivos de programas\GbPlugin\AtmCap.ocx
  • %systemdrive%\Arquivos de programas\GbPlugin\gbpsv.exe
  • %systemdrive%\Arquivos de programas\GbPlugin\GbpSv.exe
  • %systemdrive%\Arquivos de programas\GbPlugin\GbpSrv.exe
  • %systemdrive%\Arquivos de programas\GbPlugin\gbpsrv.exe
  • %systemdrive%\Arquivos de programas\GbPlugin\gbieh.dll
  • %systemdrive%\Arquivos de programas\GbPlugin\gbieh.dll
  • %systemdrive%\Arquivos de programas\GbPlugin\gbieh.gmd
  • %systemdrive%\Arquivos de programas\GbPlugin\b.gpc
  • %systemdrive%\Arquivos de Programas\Scpad\scpMIB.dll
  • %systemdrive%\program files\Scpad\scpsssh2.dll
  • %systemdrive%\program files\Scpad\sshib.dll
  • %systemdrive%\program files\Scpad\scpIBCfg.bin
  • %systemdrive%\program files\Scpad\scpLIB.dll
  • %systemdrive%\program files\scpsssh2.dll
  • %systemdrive%\program files\gbiehuni.dll
  • %systemdrive%\program files\gbpdist.dll
  • %systemdrive%\program files\isg.gpc
  • %systemdrive%\program files\uni.gpc
  • %systemdrive%\program files\gbiehisg.dll
  • %systemdrive%\program files\GBIEHCEF.DLL
  • %systemdrive%\program files\gbiehabn.dll
  • %systemdrive%\program files\GBIEHABN.DLL
  • %systemdrive%\program files\LOGOF.DLL
  • %systemdrive%\program files\abn.gpc
  • %systemdrive%\program files\AtmCap.ocx
  • %systemdrive%\program files\gbpsv.exe
  • %systemdrive%\program files\GbpSv.exe
  • %systemdrive%\program files\GbpSrv.exe
  • %systemdrive%\program files\gbpsrv.exe
  • %systemdrive%\program files\gbieh.dll
  • %systemdrive%\program files\gbieh.gmd
  • %systemdrive%\program files\b.gpc
  • %systemdrive%\program files\GbPlugin\Scpad\scpsssh2.dll
  • %systemdrive%\program files\GbPlugin\Scpad\sshib.dll
  • %systemdrive%\program files\GbPlugin\Scpad\scpIBCfg.bin
  • %systemdrive%\program files\GbPlugin\Scpad\scpLIB.dll
  • %systemdrive%\program files\GbPlugin\scpsssh2.dll
  • %systemdrive%\program files\GbPlugin\gbiehuni.dll
  • %systemdrive%\program files\GbPlugin\gbpdist.dll
  • %systemdrive%\program files\GbPlugin\isg.gpc
  • %systemdrive%\program files\GbPlugin\uni.gpc
  • %systemdrive%\program files\GbPlugin\gbiehisg.dll
  • %systemdrive%\program files\GbPlugin\GBIEHCEF.DLL
  • %systemdrive%\program files\GbPlugin\gbiehabn.dll
  • %systemdrive%\program files\GbPlugin\GBIEHABN.DLL
  • %systemdrive%\program files\GbPlugin\LOGOF.DLL
  • %systemdrive%\program files\GbPlugin\abn.gpc
  • %systemdrive%\program files\GbPlugin\AtmCap.ocx
  • %systemdrive%\program files\GbPlugin\gbpsv.exe
  • %systemdrive%\program files\GbPlugin\GbpSv.exe
  • %systemdrive%\program files\GbPlugin\GbpSrv.exe
  • %systemdrive%\program files\GbPlugin\gbpsrv.exe
  • %systemdrive%\program files\GbPlugin\gbieh.dll
  • %systemdrive%\program files\GbPlugin\gbieh.gmd
  • %systemdrive%\program files\GbPlugin\b.gpc
  • %windir%\scpVista.exe
  • %windir%\gbpsv.exe
  • %windir%\gbpsrv.exe
  • %systemdrive%\Arquivos de programas\GbPlugin\GbpSrv.exe
  • %systemdrive%\Arquivos de programas\GbPlugin\scpVista.exe
  • %systemdrive%\avenger.txt

Folders to delete:

  • %systemdrive%\program files\GbPlugin
  • %systemdrive%\Arquivos de programas\GbPlugin
  • %systemdrive%\program files\Scpad
  • %systemdrive%\Arquivos de programas\Scpad

The script is stored in %windir%\system32\awou.txt.

After successfully deleting the targeted files, the text file C:\avenger.txt is created, containing the log of the removal process.

Finally, the cleanup script, C:\cleanup.bat, deletes the backup files created by Avenger.
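The following triage helper is an added example, not part of the original description or of the Avenger tool: it parses a script in the "Files to delete:" / "Folders to delete:" layout quoted above and flags entries that would strip the GbPlugin or Scpad banking-protection components, which is the abuse pattern that distinguishes this trojan's use of Avenger from a legitimate cleanup. The sample script, the marker list and all function names are constructed for this example.

```python
"""Flag Avenger-style removal scripts that target GbPlugin/Scpad components.

Added example for triage of the Banbra.RM behaviour described above; the
script text below is constructed, not a sample recovered from the trojan.
"""

# Constructed sample in the layout shown on the page (shortened).
SAMPLE_SCRIPT = r"""
Files to delete:
%systemdrive%\program files\GbPlugin\gbieh.dll
%systemdrive%\program files\Scpad\scpsssh2.dll
%windir%\gbpsv.exe
%systemdrive%\avenger.txt

Folders to delete:
%systemdrive%\program files\GbPlugin
%systemdrive%\Arquivos de programas\Scpad
"""

# Name fragments of the banking-protection software named on the page
# (assumed marker list; extend it with other components as needed).
PROTECTED_MARKERS = ("gbplugin", "scpad", "gbieh", "gbpsv", "gbpsrv", "scpsssh2")


def parse_avenger_script(text):
    """Return {'files': [...], 'folders': [...]} from an Avenger-style script."""
    sections = {"files to delete:": "files", "folders to delete:": "folders"}
    out = {"files": [], "folders": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines separate sections
        key = sections.get(line.lower())
        if key:
            current = key                 # section header
        elif current:
            out[current].append(line)     # a path inside the current section
    return out


def targets_banking_protection(path):
    """True if a script entry names a GbPlugin/Scpad component."""
    lowered = path.lower()
    return any(marker in lowered for marker in PROTECTED_MARKERS)


def triage(text):
    """Summarise a script; any hit on a protected component makes it suspect."""
    parsed = parse_avenger_script(text)
    entries = parsed["files"] + parsed["folders"]
    hits = [p for p in entries if targets_banking_protection(p)]
    return {"entries": len(entries), "protected_hits": hits, "suspect": bool(hits)}
```

Run `triage()` over a script recovered from %windir%\system32\awou.txt (or wherever the dropper stored it) to see which entries target the banking software rather than genuine malware.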

Data Stealing

Once the security measures are removed, the trojan can proceed to its data-stealing routine. When the user browses a targeted online banking website, the trojan injects malicious HTML into the webpage. The injection allows the trojan to capture the keystrokes the user enters into the website's log-in fields, stealing the user's credentials.

The stolen credentials are then sent to a number of e-mail addresses registered under VFEmail and Inbox.com:

  • h3llm45t[...]@vfemail.net
  • h3llm45t[...]@vfemail.net
  • jaodas[...]@inbox.com

Last update 24 December 2008
