SecurityWeek

Malware & Threats

New Trojan Targets Banks in US, Mexico

Researchers at Zscaler have come across a new information stealer Trojan that leverages legitimate tools to target online banking users.


The infostealer was first spotted in April, when it was targeting the customers of financial institutions in the United States and Mexico. Experts say the threat is currently being used against Banamex, Mexico’s second largest bank, but attackers can change the list of targets at any time by updating the malware’s configuration file. Zscaler noted that the cybercriminals are pushing out new configuration files every 10 minutes.

The Trojan, written in .NET apparently by Spanish-speaking developers, caught the attention of researchers because it relies on popular tools such as Fiddler, an HTTP debugging proxy server application, and Json.NET, a high-performance JSON framework for .NET.

The malware is delivered using an installer named “curp.pdf.exe” that is served on several compromised websites. Once executed, the installer downloads three files to the Windows system directory: the main payload (syswow.exe), a Fiddler DLL file (FiddlerCore3dot5.dll), and a Json.Net DLL file (Newtonsoft.Json.dll). The main payload is then executed and the installer terminates itself.

The main infostealer payload first checks for the presence of the FiddlerCore3dot5.dll and Newtonsoft.Json.dll files. If they are not on the system, the malware downloads them from a location that is hardcoded in the binary.

If the infected machine is running Windows XP or Windows Server 2003, the malware creates a registry entry for persistence, downloads a configuration file, and launches the Fiddler proxy engine. For other Windows versions, the threat doesn’t create a registry entry, and it starts the proxy engine only after installing a Fiddler-generated root certificate.

Once it’s installed on a device, the malware collects system information and sends it back to its command and control (C&C) server, which responds with a configuration file containing different C&C locations and other instructions. Json.NET is used to parse the server’s response and save it in an XML file. This file contains the list of domains targeted by the malware — when users visit these domains, they are redirected to phishing websites designed to trick them into handing over their information.

The Trojan leverages Fiddler to intercept HTTP and HTTPS connections and redirect users to the phishing website. By using Fiddler, the attackers can make it look like the phishing page is hosted on the bank’s legitimate domain.


Banamex phishing site

“The malware achieves this by adding an x-overrideHost flag containing the attacker’s server IP address if the domain name is on the target list in the C&C configuration file. This will cause the Fiddler proxy engine to resolve the domain to the supplied IP address, sending the victim user to a fake website,” Zscaler researchers explained in a blog post.
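The artifacts described above (the three dropped files, the Fiddler-generated root certificate, the registry persistence and the running payload) are all host-observable, so a defender can triage a suspect Windows machine for them. The script below is an added example written for this article, not Zscaler's code; it assumes the "Windows system directory" means System32 (and SysWOW64 on 64-bit hosts), that the persistence entry is a Run key, and that the Fiddler-generated root is recognisable by "FiddlerRoot" in its subject, none of which the article states.

```powershell
# Host triage for the indicators named in the report (assumptions noted above).
$findings = @()

# 1. Dropped files in the system directory (System32/SysWOW64 assumed)
$dirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$names = @('syswow.exe', 'FiddlerCore3dot5.dll', 'Newtonsoft.Json.dll')
foreach ($d in $dirs) {
    foreach ($n in $names) {
        $p = Join-Path $d $n
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings += "File: $p (SHA256 $h)"
        }
    }
}

# 2. Fiddler-generated root certificate in a trusted root store
#    ("FiddlerRoot" subject match is an assumption, not from the report)
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem $store | Where-Object { $_.Subject -match 'FiddlerRoot' } |
        ForEach-Object { $findings += "Root CA: $($_.Subject) thumbprint $($_.Thumbprint) in $store" }
}

# 3. Run-key persistence referencing the payload
#    (Run key is assumed; the report only says "a registry entry")
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $props = Get-ItemProperty -Path $k
        foreach ($v in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            if ("$($v.Value)" -match 'syswow\.exe') {
                $findings += "Run key: $k\$($v.Name) = $($v.Value)"
            }
        }
    }
}

# 4. Running process named after the payload (exact name, so SysWOW64 is not matched)
Get-Process -Name syswow -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Process: syswow.exe PID $($_.Id) path $($_.Path)" }

if ($findings.Count -eq 0) { 'No indicators from the report found.' } else { $findings }
```

Run it from an elevated prompt so the machine root store and HKLM Run key are readable; a hit on the root certificate alone is worth investigating, since a trusted Fiddler root is what lets the proxy present the bank's domain over HTTPS without a browser warning.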


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
