BANKER Trojan Sports New Technique to Take Advantage of 2016 Olympics

Datetime: 2016-08-23 03:23:19

Attacks banking on the popularity of sporting events are common. In the past, the 2014 World Cup and the 2012 Olympics were used as baits to deliver a plethora of security threats such as fake apps, phishing sites, online scams, and banking malware, among others.

Riding the Olympics bandwagon

Banker, one of the notorious banking Trojans, has been spotted targeting users who want to watch the 2016 Olympics live. Users or employees are made to believe that there are free tickets waiting for them if they click the link in a spam email with the subject Parabens Voce Acabou De Ganhar 1 Par De Ingressos Para Olimpiadas 2016 (translation: Congratulations, You Just Won 2 Tickets for the 2016 Olympics). But instead of free tickets, the victims are redirected to hxxp://50[.]116[.]86[.]50/~megad351/clientes/gremiacao/ and hxxp://www.truongtinphat.com/cn/plugins/content/Imprimir_Ingresso_00000736=63534366355ASDR2016BR.rar respectively. That particular site leads to the downloader, Banload (detected by Trend Micro as JS_BANLOAD.YJF), which in turn retrieves a variant of the Banker Trojan (detected as TSPY_BANKER.YWNPR).

Our analysis revealed that the configuration file of the malware monitors 4 major and 13 local banks in Brazil, as well as 3 international banks.

Underground market findings

In a country like Brazil, where cybercrime training services are offered publicly via the Surface Web, aspiring cybercriminals can easily get tools like banking Trojans and use them to leverage the popularity of the Olympics. While banking Trojans have always been a staple product in the Brazilian underground market, it was only in June that we spotted someone peddling banking Trojans as a service. A cybercriminal dubbed ‘Ric’ advertised a banking Trojan, and its infrastructure, to aspiring cybercriminals who want to make a name for themselves. Just as some Brazilian cybercriminals remain unfazed by law enforcement, ‘Ric’ also posted his ads via YouTube.

Other standard products in the Brazilian cybercriminal underground are banking and carding training services, priced at R$1.499,00 (US$470.16, as of Aug. 16, 2016). Advertisements offering such services typically re-emerge immediately after being taken down by the Computer Security Incident Response Team (CSIRT). We also noticed that the price of the carding training had increased, possibly because many bad guys have become interested in it and so created a higher demand.

Figure 1. Banker training ad

Figure 2. Topics covered under the banker training

The ad above offers training to cybercriminal wannabes who want to perform banking Trojan-related attacks. The same ad offers a wide array of tutorials that will equip any aspiring cybercriminal with the knowledge on banking Trojan development as well as tips on general carding and banking operations.

Some of the topics included in the training will provide information on how to set up a C&C server, configure malware kits, and develop keylogger and phishing pages.

Figure 3. Carding training ad

A typical carding training covers topics such as how to clone credit cards, how to gather affected users’ banking credentials, and how to use malware and botnets, among others.

Best practices and recommendations

Sports enthusiasts and fans who wish to watch and enjoy similar events, like the Olympic Games, must exercise caution when faced with deals that are too good to be true. Being cautious of such social engineering lures can help lower the risk of falling into a trap that will either take their credentials and personal information or infect their systems and devices with malware.

For employees of small businesses and enterprises, Olympics-related threats like Banker could mean introducing risks to the company network. Although employees are often considered the “weakest link in security,” educating employees through a security awareness program that will describe how threats take advantage of sporting events can be effective in keeping a company network safe from such attacks.

Since bogus apps and phishing pages capitalizing on the Olympics are rampant these days, it is best to only visit trusted sites for tickets and live streaming videos. Users are also recommended to keep systems and devices updated with the latest software, and to watch out for spam emails promising giveaways and prizes as these often lead to phishing pages.

Trend Micro protects users and organizations from various threats leveraging the Olympics via its Trend Micro™ Smart Protection™ Suites and Trend Micro™ Security, which can detect Banker and Banload, another banking Trojan, as well as the related spam emails. These solutions can also block related malicious URLs. Small businesses can use Trend Micro Worry-Free™ Business Security to secure their systems against Banker and its related spam and URL components.

Indicators of compromise

These are the related SHA1 hashes:

  • fdcdf4d29be548504f4905901a1a662f96808637
  • ad3d6b1d1d7ba9626c141b54478eddaf5391c982

TSPY_BANKER.YWNPR is related to the following malicious URLs:

  • hxxp://200[.]98[.]142[.]12/system/MA-1.0.0.0/Ubuntu10.dll
  • hxxp://200[.]98[.]142[.]12/system/MA-1.0.0.0/IUpdate.dll
  • hxxp://200[.]98[.]142[.]12/system/MA-1.0.0.0/fbclient.dll
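The indicators above (and the lure URL in the infection-chain description earlier in the post) are published in defanged form, so an analyst who wants to sweep proxy logs or file shares for them first has to refang them and then match on the host and on file hashes. The following Python script is an added example written for this page; it is not Trend Micro's code. It embeds the post's SHA1 hashes and URLs, refangs them, and runs them over a few constructed Squid-style proxy log lines and constructed file contents (the log lines, the 10.0.0.x client addresses and the sample files are all made up for the example; only the hashes and URLs come from the post).

```python
import hashlib
import re

# Indicators copied from the post, kept defanged so the list stays safe to share.
IOC_SHA1 = {
    "fdcdf4d29be548504f4905901a1a662f96808637",
    "ad3d6b1d1d7ba9626c141b54478eddaf5391c982",
}
IOC_URLS_DEFANGED = [
    "hxxp://200[.]98[.]142[.]12/system/MA-1.0.0.0/Ubuntu10.dll",
    "hxxp://200[.]98[.]142[.]12/system/MA-1.0.0.0/IUpdate.dll",
    "hxxp://200[.]98[.]142[.]12/system/MA-1.0.0.0/fbclient.dll",
    # Lure page from the spam email, also from the post.
    "hxxp://50[.]116[.]86[.]50/~megad351/clientes/gremiacao/",
]

# Constructed proxy log lines (Squid native format) for the demonstration; not real traffic.
SAMPLE_PROXY_LOG = [
    "1471914199.101 312 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.com/news/olympics - DIRECT/93.184.216.34 text/html",
    "1471914200.404 875 10.0.0.15 TCP_MISS/200 220160 GET http://200.98.142.12/system/MA-1.0.0.0/Ubuntu10.dll - DIRECT/200.98.142.12 application/octet-stream",
    "1471914201.220 120 10.0.0.22 TCP_MISS/200 980 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html",
    "1471914202.077 640 10.0.0.15 TCP_MISS/200 4096 GET http://50.116.86.50/~megad351/clientes/gremiacao/ - DIRECT/50.116.86.50 text/html",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into its matchable form."""
    out = re.sub(r"^hxxp(s?)://", r"http\1://", indicator, flags=re.IGNORECASE)
    return out.replace("[.]", ".")


def ioc_hosts(defanged_urls) -> set:
    """Collect the lower-cased host part of every refanged IoC URL."""
    hosts = set()
    for url in defanged_urls:
        m = re.match(r"^https?://([^/\s]+)", refang(url))
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def match_proxy_logs(lines, defanged_urls):
    """Return (line_number, host) for each log line that requests an IoC host.

    Matching on the host rather than the full path catches sibling payloads
    (the post lists three DLLs under the same directory) and later renames.
    """
    hosts = ioc_hosts(defanged_urls)
    hits = []
    for number, line in enumerate(lines, 1):
        for m in re.finditer(r"https?://([^/\s]+)", line):
            host = m.group(1).lower()
            if host in hosts:
                hits.append((number, host))
                break  # one hit per line is enough
    return hits


def sha1_hex(data: bytes) -> str:
    """SHA1 of a byte string as a lower-case hex digest (the form used in the post)."""
    return hashlib.sha1(data).hexdigest()


def match_sha1(blobs, ioc_hashes):
    """Given (name, bytes) pairs, return the names whose SHA1 is in the IoC set."""
    return [name for name, data in blobs if sha1_hex(data) in ioc_hashes]


if __name__ == "__main__":
    for number, host in match_proxy_logs(SAMPLE_PROXY_LOG, IOC_URLS_DEFANGED):
        print(f"proxy log line {number}: request to IoC host {host}")
    # Constructed files; neither will match the real hashes, which is the expected negative result.
    samples = [("benign.txt", b"hello"), ("sample.bin", b"constructed sample")]
    print("hash hits:", match_sha1(samples, IOC_SHA1))
```

In a real sweep, `SAMPLE_PROXY_LOG` would be replaced by the lines of an access log and `samples` by the files on a workstation, hashed in chunks rather than read whole; the refang step is what keeps the shared indicator list safe to paste into tickets while still producing exact matches.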