Tuesday, March 25, 2008

A Localized Bankers Malware Campaign

Just like the Targeted Spamming of Bankers Malware campaign that I exposed in November 2007, in this post I'll assess another targeted, but also localized to Portuguese campaign with a decent degree of cyber deception applied. It appears that the latest round has been spammed two days ago, but expanding their ecosystem reveals evidence of more bankers malware on behalf of the same malicious parties. What's particularly interesting about this campaign, is that they're using a hardcoded list of already breached email accounts of mostly Brazilian users, and using it as a foundation for the distribution of the malware under the clean IP reputation - which explains why the email makes it through anti-spam filters. The message impersonating Hotmail could have been easily outsourced as a translation process, as I've already pointed out in a previous post emphasizing on acquiring cultural diversity on demand for malicious malware, spam and phishing purposes. However, in this case it's more important to emphasize on the targeted nature of the campaign, and the use of a Russian free web space provider as a hosting provider for the malware.

Now on the cyber deception issue. Basically, you have a malware campaign targeting Portuguese speaking end users, that's been emailed using Brazilian mail servers through a set of hardcoded and already breached local email acounts, it's serving fake bank logins of a Portuguese bank, whereas the malicious parties are using a Russian free web space provider, front.ru in this case as a reliable and outsourced approach to host the malware malware. Is this an example of the maturing consolidation betweeen spammers, phishers and malware authors, or is someone trying to engineer cyber crime tensions? I'd go for the second, the command and control of this banker malware is hiding behind a fake image file, and is all in Portuguese, the way the emails where the stolen information or notifications per infection are descripted in Portuguese. Moreover, within several of the subdomains hosted at front.ru, there're also pages pushing bankers malware through a fake Apaixonado Big Brother Brazil 2008 pages. So you have a South American malicious party generating noise on behalf of Russia's overall bad reputation in respect to malware. Here are more details from this campaign :

Subject: Cancelamento de E-Mail
Message: "Ola usuario, informamos que no dia 24 de Marco de 2008, a Equipe Hotmail alterou o conteudo dos "Termos e Condicoes de uso" e por isso tem a obrigacao de comunicar este fato a todos os usuarios que utilizam frequentemente seu Windows Live ID. Seu Windows Live ID esta associado a sua conta Hotmail.com, caso nao aceite os novos "Termos e Condicoes de uso" podera perder sua conta. (Porque posso perder minha conta?) Li e aceito os termos e condicoes de uso Nao aceito os termos e condicoes de uso Atenciosamente, Equipe Hotmail"
Sent from: knight.bs2.com.br
Banker location: suport022.front.ru/flashcard/ list.exe

Scanners Result: 13/32 (40.62%)
TR/Spy.Banker.Gen; Trojan-Spy.Win32.Banker.JU
File size: 3339776 bytes
MD5: e00b1cd654b5b3fd5c8a1f5e71939a04
SHA1: cc11a030e868ece65769e177616cbebfb239bee6

It's also interesting to note that this campaign's been aiming to stay beneath the radar, not just by localizing the campaign itself and distributing the malware in a targeted nature, but by using a minimalistic spamming practices as you can see in the screenshot indicating a modest binary change in between three days or so. However, based on the identical mutex created by several different malware samples, and the free web space hosting provider used, I was able to locate more banker malwares created by the same malicious parties, again using front.ru as a hosting provider for more bankers malware under the following locations :

www-orkut-compronfiles-aspxuids-.front.ru/ lkjhgterri.com
www-orkut-compronfiles-aspxuids-.front.ru/ plugins.com
www-orkut-compronfiles-aspxuids-.front.ru/ remote.com
www-orkut-compronfiles-aspxuids-.front.ru/ pro.com
albumfotos.front.ru/ winupdate.exe
gsnet.front.ru/ gm.exe
informes2000.front.ru/ robin.exe

The cute part is that the malicious parties behind it allow anyone to take a peek at the list of breached email accounts and the associated passwords due to the usual misconfiguration on their server, allowing me to come up with the C&Cs update locations, predefined message to be included within upcoming campaigns, and the email addresses used for internal purposes, like the following -

IPs used in the C&Cs hiding behind .jpg files :

The fake bank logins locations found within the configuration :

Internal hardcoded email addresses :

receiver.guzano@ gmail.com
receiver.smtp@ gmail.com
ladrao.contatos@ gmail.com
urls.file@ gmail.com
receiver.guzano@ gmail.com

The bottom line, the campaign is well organized, primarily targeting Portuguese speaking end users, is being spammed from stolen email accounts, and has its malware hosted on a Russian free web space provider. Perhaps the only thing it's missing is a better segmented emails database that would have improved the success rate especially from a targeted perspective. As in the majority of malware campaigns, it's their common pattern that leads to the exposure of the entire ecosystem of who's who and what's what.