As the world pays attention to Brazil and the World Cup, cyber criminals are working to make a profit by using basic (but effective) ways of attracting users to open emails that were not caught by the anti-spam engine. Yesterday I received an email promising to give away the equivalent of US$136 thousand (around 300 thousand Brazilian Reais) if I won this draw. All I needed to do was click the "I want" (Eu Quero) button (in red), as shown in the image below (in Portuguese):
The sender of this email was a friend of mine, and I knew he would never send an email like that, so I also knew his account had probably been compromised. Once I hovered the cursor over the "I want" button I noticed that it pointed to the following link:
I decided to open this link in an isolated lab environment (behind my great old friend TMG) to see what would happen when I clicked it. The result was an attempt to download the file below:
Fair enough; I extracted the file to see what was in there and found the file below:
Notice the attempt to entice the user to open the file by changing its icon to look like a PDF, even though the file has the .SCR extension. An .SCR screen saver is an ordinary Windows executable (a PE file), so double-clicking it runs it exactly like an .EXE; the icon Explorer shows comes from the file's own resources, and giving an executable a document icon is a common method criminals use to make malware pass for a harmless document. I used IDA Pro to open the file and look at some of its instructions, and noticed that it was trying to open a registry key (HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\). Since I didn't have much time to dig into the instructions in more depth, I decided to run the AV and see what it would find. The result is shown below:
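As an added example (my own triage script, not part of the original post or of the sample analysed above), here is how I would check an attachment like this one before trusting its icon or name: unpack the archive, flag executable and double extensions, and confirm what the bytes actually are by checking for the DOS "MZ" header and the "PE\0\0" signature it points to, rather than the extension. The archive, its member names and the minimal PE skeleton are constructed for the example.

```python
import io
import struct
import zipfile

# Extensions Windows runs directly on double-click. A .scr screen saver is a PE
# executable exactly like .exe; the icon a file shows in Explorer comes from its
# own resources, so a PDF icon proves nothing.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def is_pe_executable(data: bytes) -> bool:
    """True if data carries a DOS 'MZ' header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_zip(zip_bytes: bytes) -> dict:
    """Return {member name: [reasons]} describing why each member of the archive deserves attention."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            data = zf.read(info)
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            # "Premio.pdf.scr": a document extension buried before the real one
            if lower.count(".") >= 2 and any(d + "." in lower for d in DOCUMENT_EXTENSIONS):
                reasons.append("document extension followed by another extension")
            if is_pe_executable(data):
                reasons.append("PE executable (MZ/PE header) regardless of name or icon")
            if data.startswith(b"%PDF-"):
                reasons.append("real PDF header")
            findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a minimal fake PE named like a PDF plus a PDF stub (hypothetical names)."""
    # Minimal PE skeleton: 'MZ', zero padding, e_lfanew = 0x40, then 'PE\0\0'
    fake_pe = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 64
    pdf_stub = b"%PDF-1.4\n%constructed sample, not a real document\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Premio_Copa.pdf.scr", fake_pe)
        zf.writestr("Regulamento.pdf", pdf_stub)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(reasons) or "nothing notable")
```

Run it against a real attachment by passing the archive bytes to `triage_zip`; the point of the header check is that it keeps working even when the attacker picks an extension or icon you were not expecting.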
This is TrojanDownloader:Win32/Banload, very common in Brazil. It is a downloader: its job is to fetch a banking trojan that steals banking credentials and other sensitive data and sends them back to a remote attacker. It makes sense that I saw the attempt to open the registry key, because as described in the Microsoft Malware Protection Encyclopedia, this trojan modifies the system registry so that its dropped EXE file appears to be a legitimate Windows file, for example:
Adds value: "drvrnet"
With data: "%TEMP%\drvrnet.exe"
To subkey: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\
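As an added hunting example (my code, not from the encyclopedia entry or the sample): parse a `reg export` of the user hive and flag MUICache entries that look like the one above. In a legitimate MUICache entry the value name is the executable's path and the data is its display name; the Banload entry reverses that and points into %TEMP%. The .reg text is constructed for the example. On Vista and later the key lives under HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache, so the check matches any subkey whose name contains "MuiCache".

```python
import re

# Constructed excerpt in the format written by `reg export`; the drvrnet line is the
# entry described in the Malware Protection Encyclopedia text above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"="Microsoft Office Word"
"@shell32.dll,-22067"="Control Panel"
"drvrnet"="%TEMP%\\drvrnet.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags]
"Sort"="Name"
'''

SECTION_RE = re.compile(r'^\[(.+)\]\s*$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
EXEC_EXT = (".exe", ".scr", ".dll", ".com", ".pif")
USER_WRITABLE = ("%temp%", "%appdata%", "\\temp\\", "\\appdata\\", "\\users\\", "\\documents and settings\\")


def unescape(s: str) -> str:
    """Undo the backslash and quote escaping that .reg files apply to string values."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def find_suspicious_muicache(reg_text: str) -> list:
    """Return (subkey, value name, data, reasons) for MUICache entries that look planted."""
    findings = []
    section = None
    for line in reg_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or "muicache" not in section.lower():
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        reasons = []
        if data.lower().endswith(EXEC_EXT):
            reasons.append("data is an executable path; legitimate entries keep the path in the name and a display name in the data")
        if any(p in name.lower() or p in data.lower() for p in USER_WRITABLE):
            reasons.append("refers to a user-writable location such as %TEMP%")
        if reasons:
            findings.append((section, name, data, reasons))
    return findings


if __name__ == "__main__":
    for subkey, name, data, reasons in find_suspicious_muicache(SAMPLE_REG):
        print(f'{subkey}: "{name}" = "{data}"')
        for reason in reasons:
            print("   -", reason)
```

When you feed it a real export, remember that `reg export` writes UTF-16 with a BOM, so open the file with `encoding="utf-16"` before passing the text in.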
Be careful out there, and if you receive a suspicious email in your Outlook or Hotmail account, make sure to report it using the procedure from this link.
This still shows one thing: why does Windows - even the latest versions - have "Hide extensions for known file types" checked? So instead of seeing thisisatrojan.pdf you would see thisisatrojan.pdf.exe.
This was not an EXE file; as a matter of fact, you can see in the screenshot that the extension wasn't hidden, it is there (SCR file). However, they tricked the file into appearing with a PDF icon on the system.