
New Trojan Targets Banks in US, Mexico

Researchers at Zscaler have come across a new information stealer Trojan that leverages legitimate tools to target online banking users.

The infostealer was first spotted in April, when it was targeting customers of financial institutions in the United States and Mexico. At the time of writing, the threat was being used against Banamex, Mexico’s second largest bank, but the attackers can change the list of targets at any time by updating the malware’s configuration file. Zscaler noted that the cybercriminals were pushing out new configuration files every 10 minutes.

The Trojan, written in .NET apparently by Spanish-speaking developers, caught the attention of researchers because it relies on popular tools such as Fiddler, an HTTP debugging proxy server application, and Json.NET, a high-performance JSON framework for .NET.

The malware is delivered using an installer named “curp.pdf.exe” that is served on several compromised websites. Once executed, the installer downloads three files to the Windows system directory: the main payload (syswow.exe), a Fiddler DLL file (FiddlerCore3dot5.dll), and a Json.Net DLL file (Newtonsoft.Json.dll). The main payload is then executed and the installer terminates itself.

The main infostealer payload first checks for the presence of the FiddlerCore3dot5.dll and Newtonsoft.Json.dll files. If they are not on the system, the malware downloads them from a location that is hardcoded in the binary.

If the infected machine is running Windows XP or Windows Server 2003, the malware creates a registry entry for persistence, downloads a configuration file, and launches the Fiddler proxy engine. On other Windows versions, the threat doesn’t create a registry entry, and it starts the proxy engine only after installing a Fiddler-generated root certificate. That trusted root is what later allows the proxy to intercept HTTPS traffic without the browser raising certificate warnings.

Once it’s installed on a device, the malware collects system information and sends it back to its command and control (C&C) server, which responds with a configuration file containing different C&C locations and other instructions. Json.NET is used to parse the server’s response and save it in an XML file. This file contains the list of domains targeted by the malware — when users visit these domains, they are redirected to phishing websites designed to trick them into handing over their information.

The Trojan leverages Fiddler to intercept HTTP and HTTPS connections and redirect users to the phishing website. Because the interception happens locally and the certificates the proxy presents chain to the installed root, the browser’s address bar still shows the bank’s legitimate domain, so the phishing page appears to be hosted there.


Banamex phishing site

“The malware achieves this by adding an x-overrideHost flag containing the attacker’s server IP address, if the domain name is on the target list in the C&C configuration file. This will cause the Fiddler proxy engine to resolve the domain to the supplied IP address, sending the victim user to a fake website,” Zscaler researchers explained in a blog post.
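The following is an added example, not code from the Zscaler write-up or from the malware itself. It models the proxy-side decision the researchers describe (a request whose host is on the C&C target list is sent to the attacker’s IP while the browser still sees the bank’s domain), and then shows the symptom a defender can hunt for in endpoint telemetry: a TLS connection whose server name is a banking domain but whose destination IP is not one the resolver ever returned for that name. The JSON key names, IP addresses, domain list and log format are all constructed for the example; they are not the malware’s real configuration schema or indicators.

```python
"""Added example: model of the target-list override and a detector for the
DNS-answer/destination mismatch it produces. Not the malware's code."""
import ipaddress
import json
from dataclasses import dataclass

# Constructed stand-in for the C&C configuration. Key names are assumptions;
# the article only says the file carries a target-domain list and server data.
CONFIG_JSON = """{
  "targets": ["www.banamex.com", "bancanet.banamex.com"],
  "override_ip": "198.51.100.23"
}"""


def load_config(text):
    """Parse the config into a normalised target set and the override IP."""
    cfg = json.loads(text)
    targets = {d.lower().rstrip(".") for d in cfg["targets"]}
    override_ip = str(ipaddress.ip_address(cfg["override_ip"]))
    return targets, override_ip


def override_for(hostname, targets, override_ip):
    """Proxy-side decision the article describes: a request whose host is on
    the target list is sent to the attacker's IP (the x-overrideHost effect),
    while the Host header and the URL the browser shows stay unchanged."""
    if hostname.lower().rstrip(".") in targets:
        return override_ip
    return None


# Defender-side view: the banking names we care about, the addresses our
# resolver actually returned for them, and outbound TLS connection telemetry.
# All values are constructed.
WATCHED = {"www.banamex.com", "bancanet.banamex.com"}
DNS_ANSWERS = {
    "www.banamex.com": {"203.0.113.10", "203.0.113.11"},
    "bancanet.banamex.com": {"203.0.113.20"},
    "www.example.org": {"192.0.2.5"},
}
CONNECTION_LOG = [
    "2016-05-03T10:01:02Z sni=www.banamex.com dst=203.0.113.10 dport=443",
    "2016-05-03T10:01:09Z sni=www.example.org dst=192.0.2.5 dport=443",
    "2016-05-03T10:02:30Z sni=bancanet.banamex.com dst=198.51.100.23 dport=443",
    "2016-05-03T10:03:11Z sni=WWW.BANAMEX.COM dst=127.0.0.1 dport=8888",
]


@dataclass(frozen=True)
class Alert:
    ts: str
    sni: str
    dst: str
    dport: int
    expected: frozenset


def parse_line(line):
    """Split one 'ts key=value ...' telemetry line into its fields."""
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return ts, f["sni"].lower().rstrip("."), f["dst"], int(f["dport"])


def detect_rerouted(log_lines, dns_answers, watched):
    """Flag TLS connections to a watched name whose destination IP is not one
    DNS returned for that name. The proxy's rerouted leg to the override IP
    looks exactly like this; so does a hop to a local proxy listener, if the
    telemetry records the inner server name."""
    alerts = []
    for line in log_lines:
        ts, sni, dst, dport = parse_line(line)
        if sni not in watched:
            continue
        expected = frozenset(dns_answers.get(sni, ()))
        if dst not in expected:
            alerts.append(Alert(ts, sni, dst, dport, expected))
    return alerts


if __name__ == "__main__":
    targets, ip = load_config(CONFIG_JSON)
    for host in ("www.banamex.com", "www.example.org"):
        print(f"{host:25} -> {override_for(host, targets, ip) or 'pass-through'}")
    for a in detect_rerouted(CONNECTION_LOG, DNS_ANSWERS, WATCHED):
        print(f"ALERT {a.ts} {a.sni} -> {a.dst}:{a.dport} "
              f"(DNS said {sorted(a.expected) or 'nothing'})")
```

The detector deliberately keys on the mismatch rather than on a specific attacker IP, because the article notes the operators replace the configuration every 10 minutes; the override address is the part of the attack most likely to change, while the fact that a banking name resolves to an address DNS never returned is structural to the technique.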

Related Reading: Banking Trojan Infections Plummeted 73% in 2015

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
