Trojan Targets Multiple Financial Institutions with New Tricks
Security firm Symantec has cautioned users to be wary of email from an unexpected source after finding that an eight-year-old Trojan has moved from targeting one financial institution per variant, a tactic that was not always successful, to targeting “multiple financial institutions per variant.”
Infostealer.Bancos, the detection name Symantec uses for a family of malicious programs that gather confidential financial information from compromised computers, first appeared in the summer of 2003 and mainly targeted Brazilian banks.
Symantec said the Trojan initially targeted one particular financial institution per variant.
However, this method did not always succeed, which pushed the malware authors to target multiple financial institutions per variant. Consequently, the Trojan branched out to include other Latin American banks.
“Recently, we have received alerts from customers in Latin America regarding email messages containing suspicious information about real estate and curricula vitae, including corresponding links to ‘access more details,’” Symantec said.
The security firm cautioned recipients to be wary of email from an unexpected source, since the spammer changes the content of the email every few days and no single subject line or lure text identifies the campaign.
“As usual, the spammer tries to grab the attention of the recipient, who may innocently click on the link,” it added.
However, instead of opening the Word document the lure promises, the link redirects the user to a Web site that takes a few seconds to load and then asks the user to accept a Java certificate warning for an applet signed with a spoofed certificate in order to continue.
If the user clicks “Cancel,” the Java certificate warning reappears a few seconds later, so declining does not end the prompt. When the user accepts and clicks “Run,” nothing visible happens.
“What the user is not able to see is that the Java applet will create an additional malicious Java applet that, once run, will completely compromise the computer,” Symantec noted.
This Infostealer.Bancos variant installs a downloader, modifies several registry keys, establishes connections to two different IP addresses, and runs a keylogger that records the captured data to .html and .txt files in a specific folder.
Symantec said that, like other variants, the Trojan steals confidential financial information, collects email addresses, and deletes predetermined files from compromised machines.
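The behaviour chain described above (a Java applet drops a downloader, the downloader sets persistence in the registry, talks to two IP addresses, and writes keylog output as .html and .txt files in one folder) is more useful for detection than any single file hash, because the spammer rotates the lure and the binaries every few days. The following is an added example written by the editor, not Symantec's detection logic and not code from the article: it correlates constructed, Sysmon-like endpoint events per process and flags a process that exhibits several of those indicators at once. The event tuple layout, process names, paths, registry key and IP addresses are all constructed assumptions (the IPs are from documentation ranges).

```python
"""Correlate endpoint telemetry against the Infostealer.Bancos-style chain.

Added example, not code from the article or from Symantec. The event
shape (kind, pid, ppid, image, detail) and every name, path and IP in
SAMPLE_EVENTS are constructed for illustration.
"""
import ntpath
from collections import defaultdict

JAVA_IMAGES = {"java.exe", "javaw.exe"}
# Registry autorun locations, compared case-insensitively (assumed list).
RUN_KEY_PREFIXES = (
    r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
)
KEYLOG_EXTS = {".html", ".txt"}   # the article: keylog written as .html and .txt
MIN_INDICATORS = 3                # tunable: how many indicators flag a process

# Constructed telemetry: (kind, pid, ppid, image, detail)
SAMPLE_EVENTS = [
    ("proc", 100, 1, "iexplore.exe", ""),
    ("proc", 200, 100, "javaw.exe", ""),                                  # applet runs
    ("file", 200, 100, "javaw.exe", r"C:\Users\u\AppData\Local\Temp\ldr.exe"),
    ("proc", 300, 200, "ldr.exe", ""),                                    # downloader
    ("reg", 300, 200, "ldr.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ldr"),
    ("net", 300, 200, "ldr.exe", "198.51.100.10:80"),
    ("net", 300, 200, "ldr.exe", "203.0.113.7:443"),
    ("file", 300, 200, "ldr.exe", r"C:\Users\u\AppData\Roaming\sys\log1.html"),
    ("file", 300, 200, "ldr.exe", r"C:\Users\u\AppData\Roaming\sys\log1.txt"),
    ("proc", 400, 100, "javaw.exe", ""),                                  # benign applet
    ("net", 400, 100, "javaw.exe", "192.0.2.5:443"),
]


def correlate(events):
    """Return {pid: sorted indicator names} for every pid with at least one."""
    image = {}                       # pid -> image name
    indicators = defaultdict(set)
    dropped_by_java = set()          # basenames of .exe files written by a Java process
    writes = defaultdict(list)       # pid -> paths written
    remote_ips = defaultdict(set)    # pid -> distinct remote IPs
    for kind, pid, ppid, img, detail in events:
        image[pid] = img
        if kind == "proc":
            if image.get(ppid, "").lower() in JAVA_IMAGES:
                indicators[pid].add("spawned_by_java")
            if img.lower() in dropped_by_java:
                indicators[pid].add("image_dropped_by_java")
        elif kind == "file":
            writes[pid].append(detail)
            if img.lower() in JAVA_IMAGES and detail.lower().endswith(".exe"):
                dropped_by_java.add(ntpath.basename(detail).lower())
                indicators[pid].add("java_wrote_executable")
        elif kind == "reg":
            if detail.upper().startswith(RUN_KEY_PREFIXES):
                indicators[pid].add("run_key_persistence")
        elif kind == "net":
            remote_ips[pid].add(detail.rsplit(":", 1)[0])
    # Two distinct remote endpoints from one process, as in the article.
    for pid, ips in remote_ips.items():
        if len(ips) >= 2:
            indicators[pid].add("multiple_c2_endpoints")
    # .html and .txt written into the same folder by one process.
    for pid, paths in writes.items():
        exts_by_dir = defaultdict(set)
        for p in paths:
            folder, _ = ntpath.split(p)
            exts_by_dir[folder.lower()].add(ntpath.splitext(p)[1].lower())
        if any(KEYLOG_EXTS <= exts for exts in exts_by_dir.values()):
            indicators[pid].add("html_and_txt_logs_in_one_folder")
    return {pid: sorted(names) for pid, names in indicators.items()}


def flag_suspicious(events, threshold=MIN_INDICATORS):
    """Processes that accumulate at least `threshold` indicators."""
    return {pid: names for pid, names in correlate(events).items()
            if len(names) >= threshold}


if __name__ == "__main__":
    for pid, names in flag_suspicious(SAMPLE_EVENTS).items():
        print(f"pid {pid} flagged: {', '.join(names)}")
```

On the constructed sample only the dropped downloader (pid 300) crosses the threshold; the Java process that wrote it collects a single indicator and the benign applet none, which is the point of scoring a chain rather than alerting on any one event. Matching the dropped file to the child process by basename is a simplification; a production rule would key on the full path or the file hash, and the threshold needs tuning against real telemetry.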
“We caution users not to open or click on the links or attachments in emails such as the sample discussed in this blog,” the security firm warned.
“Symantec recommends having anti-spam and antivirus solutions installed and ensuring they are up to date to prevent the compromise of personal machines or networks.”