Zscaler warns of new Spy Banker Trojan

Zscaler has reported that its ThreatLabZ team has been closely monitoring a new Spy Banker Trojan targeting Portuguese-speaking users in Brazil.

Before dismissing this as yet another banking trojan story, it is worth noting that the malware authors are using Google Cloud servers to host the malware. This use of the cloud is neither the first nor the most sophisticated that we have seen from cyber criminals. There are already proven cases of them using the cloud for advanced analytics and even in-memory databases to crack passwords and attack corporate networks.

How does Spy Banker work?

Like all banking trojans, it steals bank details and passes them on to other people, making it possible for them to steal money from users. How it does this is relatively simple.

It starts with a range of social engineering lures, such as offering coupon vouchers and free software applications. Coupons are readily accepted by a lot of people who hope to save money.

Meanwhile, the free software applications play to a wider market that has become used to running cracked software and stolen registration keys to avoid paying licence fees. While some might feel that doing so and then being caught by malware is their comeuppance, the worrying thing is the number of people who not only use illegal software but think nothing of using it on the Bring Your Own Device (BYOD) hardware they use for work.

While Microsoft and Adobe are among the most popular software vendors to have their software used in this way, there is also a lot of security software that is infected and offered for free. Setting aside the irony of using stolen security software, the false sense of protection it offers can be devastating for a small business.

Among the software used as a lure by Spy Banker is Avast antivirus. However, it is also using mobile apps such as WhatsApp, which is something we haven't really seen much of before. Most mobile app malware tends to be game-related rather than hacked versions of well-used apps such as WhatsApp. What is not clear from the Zscaler report is whether a user trying to install the hacked version on a non-jailbroken iOS device would be protected.

Unsurprisingly, Facebook and Twitter are the main ways of spreading the malware. The criminals pass around links to websites as shortened URLs. It is good practice, when presented with one of these, to paste it into a URL checker such as LongURL, which will expand the URL and make it easier to check that it is safe. The URL takes the user to a website that redirects them to a Google Cloud server, from which the malicious payload is downloaded.

An alternative infection vector is a drive-by download, where the user simply lands on a website that immediately pushes the malware to their device. The user doesn't have to do anything at all to trigger the attack apart from visiting the site.

Users thought they were downloading a tax return form

The example given in the Zscaler report shows the user being taken to a site and redirected to a location where the Spy Banker Downloader Trojan payload is downloaded. That payload delivers the Spy Banker Telax malware, which is hidden inside an executable file that pretends to be a tax return form. When the user runs the file, the trojan is installed on their computer.

Over 103,000 user clicks were recorded for this particular infection method in a 10-day period at the end of October. Zscaler claims that the majority of these, over 101,000, started from a link spread across Facebook.

It is not just Google Cloud servers that are being used for this. Zscaler lists five websites it says are involved in distributing the malware. At the time of writing, GoDaddy has repossessed four of the sites and deactivated them. The last site is registered to a user that Zscaler names as kleyb maxbell. That same user apparently has another domain that redirects users to a Google Cloud server that was serving up the malicious payload.

Zscaler notes that Google has cleaned up and closed the cloud servers it identified, stopping them from infecting more computers.

What does Spy Banker Trojan Telax do?

There is a good breakdown in the Zscaler report walking the reader through an analysis of the Spy Banker Trojan Telax malware. It names the files and modules the malware uses and describes what those modules do, such as detecting any antivirus software installed on the computer.

The information sent by Telax to the remote Command & Control (C&C) server is also listed. It is not clear from the information given whether that data is encrypted, or how easy it would be for network administrators to detect it in packets using real-time filtering. If it can be detected, that information could be used to shut down the infected computer and begin the process of cleaning it.

With many security firms now publishing details of the C&C servers associated with different attacks, it is time IT Security teams began using those details to monitor their networks. They would quickly learn of connections between their computers and the C&C network, allowing them to protect the user and the company from further infection and damage.
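As an added example (not code from this article or from Zscaler), the following Python script does what the paragraph above suggests: it runs proxy-log lines against a published-indicator list, flagging beacons to a listed C&C host, executables fetched from a flagged cloud host, and the shortened-link-to-cloud redirect described earlier. The hostnames, IP address, log format and sample lines are all constructed placeholders, not Telax's real infrastructure.

```python
import re
from urllib.parse import urlsplit
# Constructed indicator sets: placeholders standing in for the C&C hosts and
# cloud payload locations a vendor report such as Zscaler's would publish.
CNC_INDICATORS = {"cnc-placeholder.invalid", "198.51.100.23"}
PAYLOAD_HOSTS = {"storage.cloud-placeholder.invalid"}
URL_SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com"}
PAYLOAD_EXTS = (".exe", ".scr", ".zip", ".msi")
# Constructed proxy-log format: timestamp client method host[/path] status [referer=URL]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>[^/\s]+)"
    r"(?P<path>/\S*)? (?P<status>\d{3})(?: referer=(?P<referer>\S+))?$"
)

def parse_line(line):
    """Return the fields of one proxy-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(event):
    """Return the detection tags that apply to one parsed proxy event."""
    tags = []
    host = event["host"].lower()
    path = (event["path"] or "").lower()
    ref_host = urlsplit(event["referer"]).hostname if event["referer"] else None
    if host in CNC_INDICATORS:
        tags.append("cnc_beacon")          # a listed C&C host or IP was contacted
    if host in PAYLOAD_HOSTS and path.endswith(PAYLOAD_EXTS):
        tags.append("payload_download")    # executable fetched from a flagged cloud host
    if ref_host in URL_SHORTENERS and host in PAYLOAD_HOSTS:
        tags.append("shortener_redirect")  # shortened link bounced to the cloud host
    return tags

def scan(lines):
    """Map each client address to the (tag, host) pairs raised across all lines."""
    hits = {}
    for line in lines:
        event = parse_line(line)
        for tag in classify(event) if event else []:
            hits.setdefault(event["client"], []).append((tag, event["host"]))
    return hits

# Constructed sample proxy log, not taken from any real incident.
SAMPLE_LOG = [
    "2015-10-28T10:01:02Z 10.0.0.5 GET bit.ly/abc123 302",
    "2015-10-28T10:01:03Z 10.0.0.5 GET storage.cloud-placeholder.invalid/forms/tax_return_form.exe 200 referer=http://bit.ly/abc123",
    "2015-10-28T10:05:10Z 10.0.0.5 POST cnc-placeholder.invalid/gate.php 200",
    "2015-10-28T10:06:00Z 10.0.0.9 GET www.example.com/index.html 200",
]
```

Running `scan(SAMPLE_LOG)` attributes all three alerts to 10.0.0.5 and nothing to 10.0.0.9, which is the per-host view a security team needs to isolate and clean an infected machine.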

Conclusion

As with all Zscaler reports, there is a lot of useful information for IT Security teams. The type and nature of the attack are well documented, and companies with a good internal communications network should be able to track malware infections as they occur.

The biggest concern here for many will be the ease with which the malware is spread via false coupon messages and hacked software that users were willing to pirate. This is a message that must be passed on by IT Security and even the corporate PR teams to users.

There is also a message here for users, business units and even IT departments. The cloud is becoming just as useful a resource for cyber criminals as it is for enterprises and users. IT has to do a better job of tracing cloud usage and engaging with users to ensure that all cloud connections are legitimate and of enterprise security quality. Without that there will always be suspicions that the cloud is a problem, which will only perpetuate the current stalemate between many IT teams and their users when it comes to adopting and taking advantage of the cloud.
