TSPY_BANKER

 Analysis by: Karl Dominguez

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Spyware

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Spammed via email, Downloaded from the Internet, Dropped by other malware

BANKER variants may arrive on a system via spammed email messages, or as a file dropped by other malware or unknowingly downloaded by the user when visiting malicious sites.

BANKER malware attempts to steal sensitive information, such as banking credentials and email account details. It employs info-stealing techniques, often phishing pages that mimic official banking sites, to obtain a user's bank information, such as user names, passwords, or card codes. The stolen information may then be sent to a predetermined email address, to drop zones on hosted servers, or to a URL via HTTP POST. It may also be used to automatically transfer money to a predetermined bank account.

The BANKER malware family is known for stealing account information from users of certain financial institutions. In 2011, BANKER malware became so prevalent that law enforcement agencies issued a bulletin warning users about its existence.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Steals information

Installation

This spyware drops the following files:

  • %Windows%\wnetsock08.dll
  • %Windows%\Media\AuxImgDll.dll
  • %Current%\AuxImgDll.dll
  • %Current%\Emails.dat
  • %Current%\upset1.dat

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It drops the following copies of itself into the affected system:

  • %Windows%\Media\HPMedia.exe
  • %Current%\{malware filename}_OLD.jmp

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{malware filename}.exe = "{malware path and filename}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DrvStart = "%Windows%\Media\HPMedia.exe"
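
As an added triage example (not part of the Trend Micro entry), the following read-only PowerShell script checks a host for the dropped files and Run-key values listed under Installation and Autostart Technique. It assumes %Current% (which the entry does not define) is the directory the script runs from, and it flags the HKCU entry by the pattern the entry describes: a value whose name is an .exe name matching the file named in its data.

```powershell
# Added read-only triage script, not part of the Trend Micro entry. It checks a host
# for the artifacts described above: the dropped files and the two Run-key values.
# Assumption: %Current% (undefined in the entry) is taken as the directory the
# script runs from; point $Current at the suspected drop directory instead.

$Windows  = $env:SystemRoot
$Current  = (Get-Location).Path
$findings = @()

$droppedFiles = @(
    (Join-Path $Windows 'wnetsock08.dll'),
    (Join-Path $Windows 'Media\AuxImgDll.dll'),
    (Join-Path $Windows 'Media\HPMedia.exe'),
    (Join-Path $Current 'AuxImgDll.dll'),
    (Join-Path $Current 'Emails.dat'),
    (Join-Path $Current 'upset1.dat')
)
foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path -PathType Leaf) { $findings += "File present: $path" }
}

# The copy named {malware filename}_OLD.jmp has an unknown base name, so match the suffix.
Get-ChildItem -LiteralPath $Current -Filter '*_OLD.jmp' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Renamed copy: $($_.FullName)" }

# HKLM Run value DrvStart pointing at %Windows%\Media\HPMedia.exe
$hklmRun  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$drvStart = (Get-ItemProperty -Path $hklmRun -Name 'DrvStart' -ErrorAction SilentlyContinue).DrvStart
if ($drvStart -and $drvStart -like '*\Media\HPMedia.exe*') {
    $findings += "Autostart: $hklmRun\DrvStart = $drvStart"
}

# HKCU Run entry {malware filename}.exe = "{malware path and filename}": the value
# name is itself an .exe name and equals the file name in the value data.
$hkcuRun = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$props   = Get-ItemProperty -Path $hkcuRun -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*' -or $p.Name -notlike '*.exe') { continue }  # skip PS metadata
        $data = ([string]$p.Value).Trim('"')
        $leaf = Split-Path -Leaf $data -ErrorAction SilentlyContinue
        if ($leaf -and $leaf -ieq $p.Name) {
            $findings += "Autostart: $hkcuRun\$($p.Name) = $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) { 'No artifacts from this entry found.' } else { $findings }
```

Run it in an elevated session on the suspect host; any finding is a lead for further inspection, not proof of infection on its own, since the file names are generic.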

Other Details

This spyware connects to the following possibly malicious URLs:
