Threat Research

‘Bancos’ - A Brazilian Crook

It’s fairly well accepted that most of the banking Trojans originate in Brazil, while most of the big SPAM botnets originate in Russia. One such banking Trojan is ‘Bancos’, a kind of malware that tries to steal every ‘bit’ of financial data from a victim’s PC.

Normally it happens like this:

Once executed on the victim's system, ‘Bancos’ contacts its ‘Command and Control Server’ and tries to download a .txt file. This .txt file has the exact format as the Windows default hosts file (%SystemRoot%\System32\drivers\etc\hosts) as shown below:

[Figure: the downloaded .txt file, in Windows hosts-file format]

This .txt file has entries for hostnames of various financial and government domains like American Express. Once the default Windows hosts file is replaced by this downloaded copy, all user attempts to log on to one of these legitimate domains would be redirected to a malicious server hosting phishing copies of these web sites. All credentials and sensitive data exchanged on these fake web sites would be stored by the malicious server, and could be used by the bad guys to perform various types of banking fraud.
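The hijack described above leaves a visible trace on the host: a watched financial domain pinned, in the hosts file, to an address that is not loopback. The following detector is an added example and not code from the original post or from FireEye; the watchlist domains and the sample hosts-file content (including the 203.0.113.x addresses, which are documentation-range placeholders) are constructed for illustration.

```python
"""Flag hosts-file entries that pin monitored domains to non-loopback addresses.

Added example, not from the original post. Parses a Windows-style hosts file
(comments, blank lines, several hostnames per line) and reports any watched
domain whose resolution has been overridden.
"""
import ipaddress
from typing import List, Tuple

# Constructed watchlist of domains a defender wants to protect (placeholders;
# a real deployment would load these from configuration).
WATCHLIST = {"americanexpress.com", "e-gold.com", "example-bank.com"}

# Constructed sample resembling the downloaded .txt file described in the post.
# The injected addresses are from the 203.0.113.0/24 documentation range.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# injected entries (constructed sample)
203.0.113.10    www.americanexpress.com americanexpress.com
203.0.113.10    www.e-gold.com
0.0.0.0         ads.example.net
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text.

    Strips comments, skips blank or malformed lines, and expands lines that
    list several hostnames after one address, as the Windows format allows.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address; ignore rather than crash
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def registrable_domain(hostname: str) -> str:
    """Crude registrable-domain extraction: the last two labels.

    Sufficient for this example; a production tool would consult the
    public suffix list to handle names such as example.co.uk.
    """
    labels = hostname.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def find_hijacked(text: str, watchlist=WATCHLIST) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs where a watched domain is mapped to
    anything other than a loopback address."""
    hits: List[Tuple[str, str]] = []
    for ip, host in parse_hosts(text):
        if registrable_domain(host) not in watchlist:
            continue
        if not ipaddress.ip_address(ip).is_loopback:
            hits.append((host, ip))
    return hits


if __name__ == "__main__":
    for host, ip in find_hijacked(SAMPLE_HOSTS):
        print(f"ALERT: {host} pinned to {ip} in hosts file")
```

Because the malicious file is fetched remotely and can change over time, a practical deployment would run this check on a schedule or on hosts-file modification events rather than once, and would also alert on any non-comment entry that appears in the file without a corresponding change-management record.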

Here are some of the screenshots of the phishing web sites (on the right) in comparison to the legitimate web sites.

[Screenshot: American Express, phishing site on the right beside the legitimate site]

[Screenshot: E-Gold, phishing site on the right beside the legitimate site]

The worst part of this story is that the malicious ‘hosts’ file is fetched from a remote server. This means the bad guys have complete freedom to develop new phishing web sites at any time by targeting new domains, letting ‘Bancos’ update the victim’s hosts file, and hijacking the user’s future legitimate browser sessions.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM