Threat Descriptions

Trojan-Spy:W32/Banbra.RM

Classification

Category :

Malware

Type :

Trojan-Spy

Platform :

W32

Aliases :

Trojan-Banker.Win32.Banbra.fvy, Trojan-Spy:W32/Banbra.RM, Gen:Trojan.Heur.@hZ@r59IYapOd

Summary

This type of trojan secretly installs spy programs and/or keylogger programs.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

This trojan steals any information related to Brazilian Internet banking websites. The trojan uses a legitimate malware removal tool to maliciously remove some forms of security software that some Brazilian Internet banking websites require. The removal of the security software paves the way to allow the trojan to steal a user's credentials; the stolen credentials can then be forwarded to a remote server for further malicious use.The trojan targets popular Brazilian Internet banking websites, such as:

  • https://www.bancobrasil.com.br/
  • https://www.banrisul.com.br/
  • https://www.bradesco.com.br/
  • https://www.caixa.gov.br/
  • https://www.citibank.com.br/
  • https://www.credicardcitinovo.com.br/
  • https://internetbanking.caixa.gov.br
  • https://www.unibanco.com.br
  • http://www.santanderbanespa.com.br/

The trojan will also attempt to download and execute files from a remote server.

Execution

Upon execution, the trojan first drops a copy of itself as

  • %windir%\msnmsgsr.exe.

It then downloads and executes the legitimate removal tool, Avenger by Swandog. It also creates a number of files to facilitate the smooth execution of its activity. For example, %windir%\system32\drivers\workray.sys is a driver file used by Avenger to operate normally.

Avenger will be executed in quiet mode, using the tool's parameter, avenger.exe /nogui C:\systemX86.txt. The legitimate files that will be removed by Avenger are specified on the text file, C:\systemX86.txt. Of particular interest is GbPlugin, a program used by Brazilian banks to protect customers when they perform Internet banking transactions. Though normally difficult to remove, using the Avenger program allows the trojan to remove the GbPlugin at the next system startup or reboot. The following is a typical script used by Avenger to remove files:

Files to delete:

  • %systemdrive%\Arquivos de programas\GbPlugin\scpsssh2.dll
  • %systemdrive%\Arquivos de programas\GbPlugin\gbiehuni.dll
  • %systemdrive%\Arquivos de programas\GbPlugin\gbpdist.dll
  • %systemdrive%\Arquivos de programas\GbPlugin\isg.gpc
  • %systemdrive%\Arquivos de programas\GbPlugin\uni.gpc
  • %systemdrive%\Arquivos de programas\GbPlugin\gbiehisg.dll
  • %systemdrive%\Arquivos de programas\GbPlugin\GBIEHCEF.DLL
  • %systemdrive%\Arquivos de programas\GbPlugin\scpVista.exe
  • %systemdrive%\Arquivos de programas\GbPlugin\gbiehabn.dll
  • %systemdrive%\Arquivos de programas\GbPlugin\GBIEHABN.DLL
  • %systemdrive%\Arquivos de programas\GbPlugin\LOGOF.DLL
  • %systemdrive%\Arquivos de programas\GbPlugin\abn.gpc
  • %systemdrive%\Arquivos de programas\GbPlugin\AtmCap.ocx
  • %systemdrive%\Arquivos de programas\GbPlugin\gbpsv.exe
  • %systemdrive%\Arquivos de programas\GbPlugin\GbpSv.exe
  • %systemdrive%\Arquivos de programas\GbPlugin\GbpSrv.exe
  • %systemdrive%\Arquivos de programas\GbPlugin\gbpsrv.exe
  • %systemdrive%\Arquivos de programas\GbPlugin\gbieh.dll
  • %systemdrive%\Arquivos de programas\GbPlugin\gbieh.dll
  • %systemdrive%\Arquivos de programas\GbPlugin\gbieh.gmd
  • %systemdrive%\Arquivos de programas\GbPlugin\bb.gpc
  • %systemdrive%\Arquivos de Programas\Scpad\scpMIB.dll
  • %systemdrive%\program files\Scpad\scpsssh2.dll
  • %systemdrive%\program files\Scpad\sshib.dll
  • %systemdrive%\program files\Scpad\scpIBCfg.bin
  • %systemdrive%\program files\Scpad\scpLIB.dll
  • %systemdrive%\program files\scpsssh2.dll
  • %systemdrive%\program files\gbiehuni.dll
  • %systemdrive%\program files\gbpdist.dll
  • %systemdrive%\program files\isg.gpc
  • %systemdrive%\program files\uni.gpc
  • %systemdrive%\program files\gbiehisg.dll
  • %systemdrive%\program files\GBIEHCEF.DLL
  • %systemdrive%\program files\gbiehabn.dll
  • %systemdrive%\program files\GBIEHABN.DLL
  • %systemdrive%\program files\LOGOF.DLL
  • %systemdrive%\program files\abn.gpc
  • %systemdrive%\program files\AtmCap.ocx
  • %systemdrive%\program files\gbpsv.exe
  • %systemdrive%\program files\GbpSv.exe
  • %systemdrive%\program files\GbpSrv.exe
  • %systemdrive%\program files\gbpsrv.exe
  • %systemdrive%\program files\gbieh.dll
  • %systemdrive%\program files\gbieh.gmd
  • %systemdrive%\program files\bb.gpc
  • %systemdrive%\program files\GbPlugin\Scpad\scpsssh2.dll
  • %systemdrive%\program files\GbPlugin\Scpad\sshib.dll
  • %systemdrive%\program files\GbPlugin\Scpad\scpIBCfg.bin
  • %systemdrive%\program files\GbPlugin\Scpad\scpLIB.dll
  • %systemdrive%\program files\GbPlugin\scpsssh2.dll
  • %systemdrive%\program files\GbPlugin\gbiehuni.dll
  • %systemdrive%\program files\GbPlugin\gbpdist.dll
  • %systemdrive%\program files\GbPlugin\isg.gpc
  • %systemdrive%\program files\GbPlugin\uni.gpc
  • %systemdrive%\program files\GbPlugin\gbiehisg.dll
  • %systemdrive%\program files\GbPlugin\GBIEHCEF.DLL
  • %systemdrive%\program files\GbPlugin\gbiehabn.dll
  • %systemdrive%\program files\GbPlugin\GBIEHABN.DLL
  • %systemdrive%\program files\GbPlugin\LOGOF.DLL
  • %systemdrive%\program files\GbPlugin\abn.gpc
  • %systemdrive%\program files\GbPlugin\AtmCap.ocx
  • %systemdrive%\program files\GbPlugin\gbpsv.exe
  • %systemdrive%\program files\GbPlugin\GbpSv.exe
  • %systemdrive%\program files\GbPlugin\GbpSrv.exe
  • %systemdrive%\program files\GbPlugin\gbpsrv.exe
  • %systemdrive%\program files\GbPlugin\gbieh.dll
  • %systemdrive%\program files\GbPlugin\gbieh.gmd
  • %systemdrive%\program files\GbPlugin\bb.gpc
  • %windir%\scpVista.exe
  • %windir%\gbpsv.exe
  • %windir%\gbpsrv.exe
  • %systemdrive%\Arquivos de programas\GbPlugin\GbpSrv.exe
  • %systemdrive%\Arquivos de programas\GbPlugin\scpVista.exe
  • %systemdrive%\avenger.txt

Folders to delete:

  • %systemdrive%\program files\GbPlugin\
  • %systemdrive%\Arquivos de programas\GbPlugin\ %systemdrive%\program files\Scpad\ %systemdrive%\Arquivos de programas\Scpad\

The script is stored on %windir%\system32\awou.txt. After successfully deleting the targeted files, the text file C:\avenger.txtis created, containing the log of the removal process. Finally, the cleanup script, C:\cleanup.bat, will delete the backup files created by Avenger.

Data Stealing

Once the security measures are removed, the trojan can proceed to its data stealing routine. When the user browses a targeted online banking website, the trojan is able to inject malicious HTML into the webpage. The injection allows the trojan to capture keystrokes the user enters into the log-in fields of the website, essentially stealing the user's credentials.The stolen credentials are then sent to a number of email addresses registered under VFEmail and Inbox.com:

  • h3llm45t[...]@vfemail.net
  • h3llm45t[...]@vfemail.net
  • jaodas[...]@inbox.com

File System Changes

Creates these files:

  • %windir%\msnmsgsr.exe
  • %windir%\system32\avenger.exe
  • %windir%\system32\awou.txt
  • %windir%\system32\Enviou2u2u.txt
  • %windir%\system32\drivers\workray.sys
  • %temp%\bloreg222a
  • %temp%\blokil2a
  • C:\Documents
  • Settings\All Users\Start Menu\Programs\Startup\avg.exe
  • C:\cleanup.bat
  • C:\cleanup.exe
  • C:\systemX86.txt
  • C:\zip.exe

Process Changes

Creates these processes:

  • %windir%\system32\cmd.exe
  • %windir%\system32\netsh.exe

Network Connections

Attempts to download files from:

  • http://www.paeksan.com/technote/[...].jpg

Attempts to connect with HTTP to:

  • http://www.natafeliz.my-webs.org/[...].php

Registry Modifications

Sets these values:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] Msn = C:\WINDOWS\msnmsgsr.exe
  • [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] EnableFirewall = 00000000

Creates these keys:

  • [HKLM\Software\Microsoft\Tracing\FWCFG ]