A brief analysis about Trojan.Banker.Delf.ZLR

Hi to all!

Today I will speak very briefly about a new threat that affects banks. Specifically the Brazilian bank Bradesco [hxxp://www.bradesco.com.br/].

Some info about the Bradesco Bank:


Type: Public (BM&F Bovespa:BBDC3 / BBDC4 NYSE: BBD BMAD: XXBDC)

Industry: Finance and Insurance

Founded: 1943

Headquarters: Osasco, Brazil

Key people: Luiz Carlos Trabuco Cappi (CEO) Lázaro de Mello Brandão (Chairman of the Board of Directors) Antônio Bornia (Vice-Chairman of the Board of Directors)

Products: Banking

Revenue: ▲US$ 36.1 Billion (2009)

Net income: ▲US$ 4.5 Billion (2009)

Total assets: ▲US$ 299.0 Billion (2010)

Employees: 85,577

The Trojan banker in question is called, in according to the nomenclature of the antivirus houses; Trojan.Banker.Delf.ZLR.

Before I start talking about what makes the virus, I give you some general information about the target, such as: the geometry of the PE format, any packer/compressed/Cryptor, etc…

The threat, at the time of this writing, is recognized by 15/41 AV as suggested by VirusTotal.

Hash MD5: fc3f089f7d64eb4dcc7113c5add3bda7

Hash SHA-1: ae521a311bde3667d7bcb74460b4a6e92a8cd2c8

Imports:

advapi32.dll

comctl32.dll

gdi32.dll

kernel32.dll

oleaut32.dll

user32.dll

version.dll

Sections:

UPX0

UPX1

.rsrc

There is also the presence of TLS Directory, so if anyone wants to analyze this virus more in depth must keep in mind to ensure that, going to make a dynamic analysis through a debugger like OllyDbg need to configure the debugger so that it stops before the TLS Callback to prevent any action that the virus anticipates before it goes to the OEP.

It’s easy to understand that the file is packed with the very common free compressor UPX. Since it is so let’s go to decompress it. I did through the splendid suite of Ntoskrnl Explorer Suite which also includes a UPX utility for this purpose.

Immediately after decompressed the file, analyzing it with a PE Scanner, such as PEiD or RDG Packer Detector, and we note that is written in Delphi. Another info which is very helpfull in most cases but not in this specific sample. In Malware Analysis more info we can get from target study and much easier is to analyze our target.

As I already said, this virus is one of those classics that tries to steal the credentials of the bank accounts of the poor unfortunate. That’s why they are called Trojans Banker ;). Trojan.Banker.Delf.ZLR essentially does nothing special. Basically is a fake program was created specifically to belive you need to perform banking transactions directly from your PC.

It consists of a classical form which contains 3 special edit for entering your bank account and a way to “simulate” the installation of this false account management program. But let’s go to see how it is made:

When the victim had entered the bank account details, click on “Instalar” notice that will be simulated to download a dll. I say simulated because it actually does not download any dll, as you can check by running Wireshark while performing these steps, which shows no GET request from any site, but also going to search for the name ib2k1.dll find anything on the system. All this is done only to make the installation process look better.

Simulated the download of this dll, we get the form to enter your account credentials, such as the account holder, password and secret word. This is then sent to the site who created the fake program to steal these credentials.
Between the strings contained by the file I found very interesting two particular things: a URL and a sentence, respectively,

http://firefoxxx.t35.com/Dario.envio.desco.php

Bradesco by D4RiO

What we understand is that he who created the software is called Dario and the URL that contact is: http://firefoxxx.t35.com/Dario.envio.desco.php

Here a screenshot about:

Then we come to form of the credit card owner. In this form must be included the last three digits of its Credit Card Number and press Confirm to send everything that was stored by the program to the URL mentioned above.

For this time it’s all guys. See you at the next post. =)

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: