Researchers at Zscaler have come across a new information stealer Trojan that leverages legitimate tools to target online banking users.
The infostealer was first spotted in April, when it was targeting the customers of financial institutions in the United States and Mexico. Experts say the threat is currently being used against Banamex, Mexico’s second largest bank, but attackers can change the list of targets at any time by updating the malware’s configuration file. Zscale noted that the cybercriminals are pushing out new configuration files every 10 minutes.
The Trojan, written in .NET apparently by Spanish-speaking developers, caught the attention of researchers because it relies on popular tools such as Fiddler, an HTTP debugging proxy server application, and Json.NET, a high-performance JSON framework for .NET.
The malware is delivered using an installer named “curp.pdf.exe” that is served on several compromised websites. Once executed, the installer downloads three files to the Windows system directory: the main payload (syswow.exe), a Fiddler DLL file (FiddlerCore3dot5.dll), and a Json.Net DLL file (Newtonsoft.Json.dll). The main payload is then executed and the installer terminates itself.
The main infostealer payload first checks for the presence of the FiddlerCore3dot5.dll and Newtonsoft.Json.dll files. If they are not on the system, the malware downloads them from a location that is hardcoded in the binary.
If the infected machine is running Windows XP or Windows Server 2003, the malware creates a registry entry for persistence, downloads a configuration file, and launches the Fiddler proxy engine. For other Windows versions, the threat doesn’t create a registry entry, and it starts the proxy engine only after installing a Fiddler-generated root certificate.
Once it’s installed on a device, the malware collects system information and sends it back to its command and control (C&C) server, which responds with a configuration file containing different C&C locations and other instructions. Json.NET is used to parse the server’s response and save it in an XML file. This file contains the list of domains targeted by the malware — when users visit these domains, they are redirected to phishing websites designed to trick them into handing over their information.
The Trojan leverages Fiddler to intercept HTTP and HTTPS connections and redirect users to the phishing website. By using Fiddler, the attackers can make it look like the phishing page is hosted on the bank’s legitimate domain.
“The malware achieves this by adding x-overrideHost flag containing attacker’s Server IP address, if the domain name is on the target list in the C&C configuration file. This will cause Fiddler proxy engine to resolve the domain to the supplied IP address sending the victim user to a fake website,” Zscaler researchers explained in a blog post.
Related Reading: Banking Trojan Infections Plummeted 73% in 2015