TSPY_BANKER.NJH

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following files:

• %User Temp%\google_chrome

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

• %User Temp%\Google Chome.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other System Modifications

This spyware adds the following registry entries:

HKEY_CURRENT_USER
Google Chome = "%User Temp%\Google Chome.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware filename}.exe = "{malware path}\{malware filename}.exe:*:Enabled:google_chrome"

Process Termination

This spyware terminates the following processes if found running in the affected system's memory:

• GbpSV.exe

Information Theft

This spyware targets the following websites:

• Banco de Brasil
• Caixa
• HSBC Brasil
• Facebook
• PayPal
• Pagseguro
• Outlook

It gathers the following data:

• Username
• Password
• Name
• Data
• CPF
• Holder
• Agency
• Account

Other Details

This spyware connects to the following website to send and receive information:

• http://www.{BLOCKED}e.com.br/cartel/banca.php
• http://www.{BLOCKED}e.com.br/cartel/reg/{page}.php?value={value}

NOTES:

The value for {page} in the list of URLs it sends information to may contain any of the following:

• outlook
• facebook
• pagseguro
• pay
• amarelo
• preta
• azul

This spyware executes the following command to allow TCP/UDP connections:

cmd.exe /C netsh firewall add allowedprogram "{malware path}\{malware file name}.exe" google_chrome ENABLE

It shows an error once the file is executed.

It monitors the user's keystrokes and mouse clicks to steal information.

It monitors the browser activities of the affected system, specifically the title bar. It recreates a legitimate website with a spoofed login page if a user visits websites with the following strings in the title bar:

• Servicos Financeiros Pessoa Fisica | HSBC Brasil
• Caixa - A vida pede mais que um banco
• Entrar
• PagSeguro: Venda pela internet e receba pagamentos online facilmente
• Acesse Brasil - PayPal
• Bem-vindo ao Facebook - acesse, cadastre-se ou saiba mais.

It produces a message once any of the said websites were accessed. If the user is using Google Chrome, is automatically terminated.