Figure 1. Homemade browser ad

Users who clicked the download link downloaded a zip file. Inside this compressed file, there were two executable files: one was the browser itself, which is called Navegador BB, and another which has the file name Plugin_Navegador_2.1.3.exe. (We detect these as PE_PARITE.A and WORM_LUDER.USR, respectively.) The third file is a text file which contains instructions to run Plugin_Navegador_2.1.3.exe first, and then run the browser. The "plugin" actually steals the user's bank information. Meanwhile, the browser fools the bank site into not requiring the usual security plugin by pretending that it is a mobile browser, as can be seen by examining the User-Agent HTTP header:
Figure 2. Strings used to spoof the User-Agent header

It's also worth noting that this homemade browser doesn't even have an address bar, or any other place to enter a URL. It only has a single button that sends the user directly to the bank's site.
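The weakness this browser exploits is a site that waives a security control whenever the client merely claims to be mobile. The following is an added example (not code from the original post or from the bank) that contrasts that weak gate with one that ignores the User-Agent and only honours a token the server itself signed, plus a logging check that flags a mobile User-Agent contradicted by other client signals. The X-App-Token scheme, the key, and the header sets are constructed for illustration; the Sec-CH-UA-* client-hint headers are real but are also client-controlled, so the mismatch check is a detection signal, not a gate.

```python
import hmac
import hashlib
import re

# User-Agent fragments a site might treat as "mobile" and exempt from the plugin.
MOBILE_UA = re.compile(r"Android|iPhone|iPad|Mobile Safari|Windows Phone", re.I)

# Constructed demo key; a real deployment keeps this in the server's key store.
SERVER_KEY = b"constructed-demo-key"


def weak_needs_plugin(headers):
    """Weak gate: whatever *says* it is mobile skips the plugin.
    A spoofed User-Agent defeats this completely."""
    return not MOBILE_UA.search(headers.get("User-Agent", ""))


def issue_app_token(device_id):
    """Hypothetical enrollment step: the server signs a token for its own app."""
    mac = hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{mac}"


def hardened_needs_plugin(headers):
    """Hardened gate: the User-Agent is never consulted. Only a token the server
    signed waives the plugin; a missing or forged token requires it."""
    device_id, _, mac = headers.get("X-App-Token", "").partition(".")
    if not device_id or not mac:
        return True
    expected = hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return not hmac.compare_digest(mac, expected)


def ua_inconsistencies(headers):
    """Detection: reasons a mobile User-Agent claim is contradicted by client hints.
    Worth logging and alerting on, not worth trusting on its own."""
    reasons = []
    if MOBILE_UA.search(headers.get("User-Agent", "")):
        platform = headers.get("Sec-CH-UA-Platform", "").strip('"')
        if platform in ("Windows", "macOS", "Linux"):
            reasons.append(f"mobile User-Agent but Sec-CH-UA-Platform={platform}")
        if headers.get("Sec-CH-UA-Mobile") == "?0":
            reasons.append("mobile User-Agent but Sec-CH-UA-Mobile=?0")
    return reasons


# Constructed headers from a Windows program claiming to be a phone browser.
SPOOFED = {
    "User-Agent": "Mozilla/5.0 (Linux; U; Android 2.3.4; pt-br) AppleWebKit/533.1 Mobile Safari/533.1",
    "Sec-CH-UA-Platform": '"Windows"',
    "Sec-CH-UA-Mobile": "?0",
}
# Constructed headers from the bank's genuine app carrying a server-issued token.
GENUINE_APP = {"User-Agent": "BankApp/1.0 (Android)", "X-App-Token": issue_app_token("dev-42")}
```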
Figure 3. The homemade browser accessing the mobile Banco de Brasil site

This is not the first time that cybercriminals have tried to fool users in Brazil with fake apps that make accessing sites more convenient. Previously, we found an application that claimed to retrieve the credit scores and criminal records of Brazilians. One more thing to note: the author of this "browser" also created a version of BANCOS that "outsourced" its distribution to lower-level cybercriminals.