Threat Research

Malware authors go a step further to access bank accounts

Jan Širmer, 27 April 2015

Malware authors go a step further to access bank accounts

Malware authors like to play hide-and-seek. Hiding executable files inside PDFs and Microsoft Office documents then emailing them as attachments are nothing new, but sometimes one layer isn't enough. This Avast Virus Lab analysis peels back the layers of a new threat.

layers-banking-malware

Malware authors continually surprise us with their creativity. In an effort to trick banking customers into revealing the login credentials for their online account, cycbercrooks are using the trust people have in Microsoft Office to make them execute banking malware on their own computers. Here's how it works:

Typically, spam emails contain executable files that can harm a victim's computer and steal private information. In the layered version, they have PDFs or Microsoft Office documents attached that contain a malicious executable file. We recently found an email that had an added layer and decided to analyze the email.

The email, disguised as a financially-related message from a legitimate company, informed the recipient that an invoice was due and had a PDF file attached. Embedded inside the malicious PDF was a Microsoft Office document and simple java script that dropped and executed the DOC file.

pdf_jsInside the DOC file we found malicious macro code, which users must activate, as the code is disabled by Microsoft Office by default. The code obfuscates DOC files by creating new documents with unique methods names, variable names, and URLs, making it difficult to detect the malicious files.

Macro_modules

When we analyzed the malicious macro code, we found some hints that helped us with our analysis. In this sample it was a function called MICHEL.

Functions

We already knew this function would open the URL with the malicious file, and when we found this function in one of the modules, we were able to find the download path.

Macro_downloader

The address is stored as a GUADALUPE variable. The URL is unique for each sample and leads to the download of a malicious PE file.

Macro_downloader_watch

The PE file would act as an information stealer, stealing login credentials from banking sites like

  • Santander, whose principal market is in the Northeastern United States
  • Ulster bank, based in Ireland
  • From Google accounts
  • Microsoft

How to protect yourself from banking malware

Our number 1 recommendation is keep your security software updated. Avast streams hundreds of updates every day to your devices, so you will stay protected. For example, the executable file downloaded by the malicious Microsoft Office document belongs to a banker family evolved from infamous Zeus. This variant is also known as a Dridex Botnet. At the time of writing this post, the botnet is still active, but the malware itself is inactive. Avast detects it as Win32: Pierre-A.

Clever cybercrooks use social engineering to manipulate their victims. Use extreme caution when opening emails related to your finances until you can verify the legitimacy.

Samples related to this analysis:

PDF virustotal

DOC virustotal

PE virustotal