Bank Trojans in fax messages

Bitdefender analysts warn of a massive spam wave installing the banking Trojan Director, which can turn tens of thousands of unsuspecting users' computers into machines for stealing sensitive financial data. The threat uses a server-side polymorphism technique to bypass antivirus software. Polymorphic viruses are difficult to detect because their different samples do not look the same. Often, two samples of a given virus have nothing in common. The malicious spam messages contain links to HTML files. These files, in turn, contain URL links to the deeply bounded JavaScript code that issues the command to automatically download a zip archive from a remote location.

Interestingly, each downloaded archive has a different name to deceive the antivirus software. This technique is called server-side polymorphism and ensures that each downloaded file will be recognized as new.

To go a step further, the JavaScript code itself redirects the user to the fax service located on the website as soon as the archive has been downloaded.

The content of the archive looks like an ordinary PDF file. It is actually an executable file with the icon usually assigned to PDF files. It works as a downloader that copies itself onto the computer and launches the banking Trojan Dyzer, also known as Dyre.
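As an added example (not code from the Bitdefender analysis), a mail or web gateway can inspect archive members by content rather than by name, which still works when every download carries a different file name. The extension shortlist, lure tokens and sample archives below are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs directly (assumed shortlist for this example).
RUNNABLE_EXT = {".exe", ".scr", ".com", ".pif"}
# Document-looking tokens a lure file name might carry (assumption).
LURE_TOKENS = ("pdf", "fax", "doc", "invoice")


def inspect_archive(data: bytes) -> list[dict]:
    """Return one finding per archive member that is a PE file by content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if head != b"MZ":  # DOS/PE header magic; the file name is ignored on purpose
                continue
            name = info.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            findings.append({
                "member": info.filename,
                "runnable_ext": ext in RUNNABLE_EXT,
                "document_lure": any(t in name for t in LURE_TOKENS),
            })
    return findings


def build_sample(member_name: str, payload: bytes) -> bytes:
    """Build a constructed in-memory zip so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples: one fake PE stub under two different names, plus a genuine PDF header.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLES = {
    "fax_8f21a.zip": build_sample("fax_8f21a.pdf.scr", FAKE_PE),
    "fax_c07d3.zip": build_sample("Document-c07d3.exe", FAKE_PE),
    "report.zip": build_sample("report.pdf", b"%PDF-1.4\n"),
}

if __name__ == "__main__":
    for archive, blob in SAMPLES.items():
        print(archive, inspect_archive(blob))
```

Both differently named archives produce a finding because the check keys on the member's header bytes, while the genuine PDF passes untouched.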

Analysis of malicious software - Director

It was first seen in 2014 and is similar to the notorious Zeus. It installs itself on the user's computer and becomes active only when the user uses specific functions on specific websites; sometimes these are the login pages of banking institutions or financial services.

Through a man-in-the-browser attack, hackers are able to inject malicious JavaScript that allows them to steal the user's credentials (login and PIN/password), which in turn gives them the opportunity to manipulate and manage the victim's accounts in a completely undetectable way. Thanks to reverse engineering (where a product is examined in order to determine exactly how it works, and how and at what cost it was made), the researchers analyzing the malware managed to determine the list of websites targeted by this particular Trojan. The attack was aimed at clients of renowned financial and banking institutions from the USA, Great Britain, Ireland, Germany, Australia, Romania and Italy.

Despite the relative sophistication of the attack method, this technique still relies on the curiosity of the user to look into the downloaded archive and manually run its contents. A bit of caution can reduce the chances of your computer being infected.

According to the Bitdefender laboratory, 30,000 malicious emails were sent in a single day from spam servers in the United States, Russia, Turkey, France, Canada and the United Kingdom. Interestingly, the attack campaign is called 2201us, which seems to refer to the date of the attack, January 22, and the target country, the USA.

Bitdefender detects and blocks all elements of the threat: the .js file, the downloader and the executable file. The Trojan is detected as Gen: [email protected]. We also urge users to avoid clicking unknown links in e-mail messages, especially when the messages originate from unknown senders. We also remind you to keep your antivirus definitions updated for the latest viruses and threats, so that the program remains able to stop an attack targeting your computer.

This article was written based on spam samples provided courtesy of Adrian Miron, a spam researcher at Bitdefender, and Doin Cosovan, a researcher at Bitdefender, who provided technical information from the virus analysis group of Octavian Mine and Alexandre Maximciuc.

source: Bitdefender
