Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

New Trojan Targets Banks in US, Mexico

Researchers at Zscaler have come across a new information stealer Trojan that leverages legitimate tools to target online banking users.

Researchers at Zscaler have come across a new information stealer Trojan that leverages legitimate tools to target online banking users.

The infostealer was first spotted in April, when it was targeting the customers of financial institutions in the United States and Mexico. Experts say the threat is currently being used against Banamex, Mexico’s second largest bank, but attackers can change the list of targets at any time by updating the malware’s configuration file. Zscale noted that the cybercriminals are pushing out new configuration files every 10 minutes.

The Trojan, written in .NET apparently by Spanish-speaking developers, caught the attention of researchers because it relies on popular tools such as Fiddler, an HTTP debugging proxy server application, and Json.NET, a high-performance JSON framework for .NET.

The malware is delivered using an installer named “curp.pdf.exe” that is served on several compromised websites. Once executed, the installer downloads three files to the Windows system directory: the main payload (syswow.exe), a Fiddler DLL file (FiddlerCore3dot5.dll), and a Json.Net DLL file (Newtonsoft.Json.dll). The main payload is then executed and the installer terminates itself.

The main infostealer payload first checks for the presence of the FiddlerCore3dot5.dll and Newtonsoft.Json.dll files. If they are not on the system, the malware downloads them from a location that is hardcoded in the binary.

If the infected machine is running Windows XP or Windows Server 2003, the malware creates a registry entry for persistence, downloads a configuration file, and launches the Fiddler proxy engine. For other Windows versions, the threat doesn’t create a registry entry, and it starts the proxy engine only after installing a Fiddler-generated root certificate.

Once it’s installed on a device, the malware collects system information and sends it back to its command and control (C&C) server, which responds with a configuration file containing different C&C locations and other instructions. Json.NET is used to parse the server’s response and save it in an XML file. This file contains the list of domains targeted by the malware — when users visit these domains, they are redirected to phishing websites designed to trick them into handing over their information.

The Trojan leverages Fiddler to intercept HTTP and HTTPS connections and redirect users to the phishing website. By using Fiddler, the attackers can make it look like the phishing page is hosted on the bank’s legitimate domain.

Banamex phishing site

“The malware achieves this by adding x-overrideHost flag containing attacker’s Server IP address, if the domain name is on the target list in the C&C configuration file. This will cause Fiddler proxy engine to resolve the domain to the supplied IP address sending the victim user to a fake website,” Zscaler researchers explained in a blog post.

Related Reading: Banking Trojan Infections Plummeted 73% in 2015

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers.