Cybersecurity researchers have discovered a new kind of banking Trojan. It abuses a legitimate, digitally signed VMware binary so that security tools treat its malicious activity as benign.
Cisco Talos said its researchers recently observed the new malware campaign in Brazil. The operation targets the South American banking sector and tries to steal users' personal details for financial gain.
Besides masquerading as a legitimate process, the Trojan uses a wide range of sophisticated techniques to stay hidden.
How does the Trojan Infect You?
The campaign starts with a large spam run written in Portuguese, on the assumption that users are more likely to open an email in their native language. The emails entice recipients to open a Boleto invoice, a popular Brazilian payment method.
The invoice link points to a goo.gl URL shortener, which redirects the user to a RAR archive containing a JAR file.
Double-clicking the JAR file runs its Java code, which executes the malicious logic and installs the banking Trojan.
The Java code connects to a remote server to download additional files. It then renames the downloaded binaries and launches vm.png, which is a genuine VMware binary carrying a valid VMware digital signature. Because the signature is valid, reputation or allow-listing controls that trust the signer alone will let it run.
One of that binary's dependencies is vmwarebase.dll. The attackers supply a malicious vmwarebase.dll, which the signed VMware binary loads in place of the real one (DLL side-loading); the malicious DLL then injects the prs.png code into explorer.exe or notepad.exe and executes it there.
This loads the main module of the banking Trojan, which has many features. It creates an autostart registry key for persistence and checks whether the user is interacting with any Brazilian financial institution by comparing against a list of targeted institutions embedded in the module.
The main module also executes the last binary, gps.png (previously renamed with a .drv extension), via rundll32.exe. That binary is packed with a protection tool, which makes it difficult to unpack and analyze.
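The chain above leaves several generic traces that do not depend on the malware's hashes: PE files stored under image extensions, a signed binary loading an unsigned DLL from the same user-writable directory, rundll32.exe handed a module that is not a .dll, and an autostart key pointing into a user profile. The following Python is an added example of detection logic over those traces; it is not code from Cisco Talos or from the article. The event records are constructed in a Sysmon-like shape, and the file names, paths, user name, renamed executable name and registry value name are assumptions made for the example.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed telemetry in a Sysmon-like shape (file creation, image load,
# process creation, registry set). Paths, the user "ana", the renamed
# executable name "vm.exe" and the Run value name are invented for this
# example; only the file names vm.png, prs.png, gps.drv and vmwarebase.dll
# come from the article.
EVENTS: List[Dict] = [
    {"type": "file_create", "path": r"C:\Users\ana\AppData\Local\Temp\vm.png",
     "magic": b"MZ\x90\x00"},
    {"type": "file_create", "path": r"C:\Users\ana\AppData\Local\Temp\prs.png",
     "magic": b"MZ\x90\x00"},
    {"type": "file_create", "path": r"C:\Users\ana\Pictures\holiday.png",
     "magic": b"\x89PNG"},                      # a real image, must not fire
    {"type": "image_load",
     "process": r"C:\Users\ana\AppData\Local\Temp\vm.exe",
     "process_signer": "VMware, Inc.",
     "image": r"C:\Users\ana\AppData\Local\Temp\vmwarebase.dll",
     "image_signed": False},                     # side-loaded malicious DLL
    {"type": "image_load",
     "process": r"C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe",
     "process_signer": "VMware, Inc.",
     "image": r"C:\Program Files (x86)\VMware\VMware Workstation\vmwarebase.dll",
     "image_signed": True},                      # legitimate install, must not fire
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\ana\AppData\Local\Temp\gps.drv,Run"},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign usage
    {"type": "reg_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vm",
     "data": r"C:\Users\ana\AppData\Local\Temp\vm.exe"},
    {"type": "reg_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def user_writable(path: str) -> bool:
    """Cheap heuristic: path lies under a directory a normal user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def pe_under_image_extension(ev: Dict) -> bool:
    """A file named like an image whose first bytes are the PE 'MZ' header."""
    return (ev["type"] == "file_create" and ext(ev["path"]) in IMAGE_EXTS
            and ev["magic"][:2] == b"MZ")


def sideloaded_unsigned_dll(ev: Dict) -> bool:
    """A signed process loads an unsigned DLL from its own user-writable directory."""
    if ev["type"] != "image_load" or ev["image_signed"]:
        return False
    same_dir = (ntpath.dirname(ev["process"]).lower()
                == ntpath.dirname(ev["image"]).lower())
    return bool(ev["process_signer"]) and same_dir and user_writable(ev["image"])


def rundll32_module(cmdline: str) -> str:
    """Extract the module rundll32 was asked to load: text before the first comma."""
    parts = cmdline.split(None, 1)
    rest = parts[1] if len(parts) > 1 else ""
    return rest.split(",", 1)[0].strip().strip('"')


def rundll32_non_dll_module(ev: Dict) -> bool:
    """rundll32.exe loading a module without a .dll extension or from a user path.
    Tune for your environment; some legitimate software uses odd extensions."""
    if (ev["type"] != "process_create"
            or ntpath.basename(ev["image"]).lower() != "rundll32.exe"):
        return False
    module = rundll32_module(ev["cmdline"])
    return ext(module) != ".dll" or user_writable(module)


def run_key_to_user_path(ev: Dict) -> bool:
    """Autostart (Run key) value whose target lives in a user-writable location."""
    return (ev["type"] == "reg_set"
            and "\\currentversion\\run" in ev["key"].lower()
            and user_writable(ev["data"]))


RULES = [
    ("pe_disguised_as_image", pe_under_image_extension, "path"),
    ("unsigned_dll_sideloaded_by_signed_process", sideloaded_unsigned_dll, "image"),
    ("rundll32_non_dll_module", rundll32_non_dll_module, "cmdline"),
    ("run_key_points_to_user_writable_path", run_key_to_user_path, "data"),
]


def scan(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule name, offending field) for every event that matches a rule."""
    findings = []
    for ev in events:
        for name, rule, field in RULES:
            if rule(ev):
                findings.append((name, ev[field]))
    return findings


if __name__ == "__main__":
    for name, detail in scan(EVENTS):
        print(f"{name}: {detail}")
```

Each rule keys on the tradecraft rather than on a specific sample, so it survives a re-packed gps.png or a differently named downloader; the cost is that every rule needs allow-list tuning against the host's normal software (the benign vmware.exe, shell32.dll and OneDrive records are included to show the rules staying quiet on them).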