Hi to all!
Today I will speak very briefly about a new threat that affects banks. Specifically the Brazilian bank
Bradesco [hxxp://www.bradesco.com.br/].
Some info about the Bradesco Bank:
Type: Public (BM&F Bovespa:BBDC3 / BBDC4 NYSE: BBD BMAD: XXBDC)
Industry: Finance and Insurance
Founded: 1943
Headquarters: Osasco, Brazil
Key people: Luiz Carlos Trabuco Cappi (CEO) Lázaro de Mello Brandão (Chairman of the Board of Directors) Antônio Bornia (Vice-Chairman of the Board of Directors)
Products: Banking
Revenue: ▲US$ 36.1 Billion (2009)
Net income: ▲US$ 4.5 Billion (2009)
Total assets: ▲US$ 299.0 Billion (2010)
Employees: 85,577
The Trojan banker in question is called, in according to the nomenclature of the antivirus houses;
Trojan.Banker.Delf.ZLR.
Before I start talking about what makes the virus, I give you some general information about the target, such as: the geometry of the PE format, any packer/compressed/Cryptor, etc...
The threat, at the time of this writing, is recognized by
15/41 AV as suggested by VirusTotal.
Hash MD5:
fc3f089f7d64eb4dcc7113c5add3bda7Hash SHA-1:
ae521a311bde3667d7bcb74460b4a6e92a8cd2c8Imports:
advapi32.dll
comctl32.dll
gdi32.dll
kernel32.dll
oleaut32.dll
user32.dll
version.dllSections:
UPX0
UPX1
.rsrcThere is also the presence of
TLS Directory, so if anyone wants to analyze this virus more in depth must keep in mind to ensure that, going to make a dynamic analysis through a debugger like OllyDbg need to configure the debugger so that it stops before the
TLS Callback to prevent any action that the virus anticipates before it goes to the OEP.
It's easy to understand that the file is packed with the very common free compressor UPX. Since it is so let's go to decompress it. I did through the splendid suite of Ntoskrnl
Explorer Suite which also includes a UPX utility for this purpose.
Immediately after decompressed the file, analyzing it with a PE Scanner, such as PEiD or RDG Packer Detector, and we note that is written in
Delphi. Another info which is very helpfull in most cases but not in this specific sample. In Malware Analysis more info we can get from target study and much easier is to analyze our target.
As I already said, this virus is one of those classics that tries to steal the credentials of the bank accounts of the poor unfortunate. That's why they are called Trojans Banker ;). Trojan.Banker.Delf.ZLR essentially does nothing special. Basically is a
fake program was created specifically to belive you need to perform banking transactions directly from your PC.
It consists of a classical form which contains 3 special edit for entering your bank account and a way to "
simulate" the installation of this false account management program. But let's go to see how it is made:
When the victim had entered the bank account details, click on "
Instalar" notice that will be simulated to download a dll. I say
simulated because it actually does not download any dll, as you can check by running Wireshark while performing these steps, which shows no
GET request from any site, but also going to search for the name
ib2k1.dll find anything on the system. All this is done only to make the installation process look better.
Simulated the download of this dll, we get the form to enter your account credentials, such as the account holder, password and secret word. This is then sent to the site who created the fake program to steal these credentials.
Between the strings contained by the file I found very interesting two particular things: a URL and a sentence, respectively,
http://firefoxxx.t35.com/Dario.envio.desco.phpBradesco by D4RiOWhat we understand is that he who created the software is called
Dario and the URL that contact is:
http://firefoxxx.t35.com/Dario.envio.desco.phpHere a screenshot about:
Then we come to form of the credit card owner. In this form must be included the last
three digits of its Credit Card Number and press
Confirm to send everything that was stored by the program to the URL mentioned above.
For this time it's all guys. See you at the next post. =)
