Jumcar is the name we have given to a family of malicious code developed in Latin America, particularly in Peru, which, according to our research, has been deploying attack maneuvers since March 2012.
After six months of research we can now detail the specific features of Jumcar. We will communicate these over the following days. Essentially the main purpose of the malware is stealing financial information from Latin American users who use the home-banking services of major banking companies. Of these, 90% are channeled in Peru through phishing strategies based on cloning the websites of six banks.
Some variants of the Jumcar family also target two banks in Chile, and another in Costa Rica.
We know that in Latin America the cyber-criminal culture is expanding at great speed. This is evidenced by some of the botnets managed through crimeware developed in the region, which also have the ability to generate customized malware. The botnets we have discovered over the past two years have this capability and we have warned about them at different times. These include vOlk-Botnet, UELP, Chimba-Botnet, AlbaBotnet and PiceBOT.
However, the Jumcar family of malware has completely different characteristics and very particular components compared to those previously mentioned. What they share is the same goal, stealing financial information, and a common initial infection strategy: email combined with strong visual social engineering based on false messages.
From a technical perspective, for the moment all variants of this family of malware are developed in .NET, while the usual pattern for malware developed in Latin America (excluding Brazil) is to build malicious projects in Visual Basic.
Likewise, and contrary to the common pattern in Latin American malware of obfuscating part of its code through simple hexadecimal conversions, all the Jumcar variants use symmetric and asymmetric cryptographic algorithms to hide the functionality specified in the source code. For this, the malware uses the following classes: System.Security.Cryptography.TripleDES, System.Security.Cryptography.Aes and System.Security.Cryptography.RSA.
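The combination of a symmetric class (TripleDES or AES) with an asymmetric one (RSA) is a useful triage signal for a defender, because .NET keeps namespace and type names as NUL-terminated UTF-8 strings in the assembly's #Strings heap even when the payload itself is encrypted. The script below is an added example written for this post, not code from Jumcar or from Kaspersky; it assumes a raw byte buffer of the assembly and, to stay short, splits the whole buffer on NUL instead of locating the #Strings heap through the CLI header. The sample buffer is constructed.

```python
"""Triage heuristic: spot .NET crypto class references in a managed binary.

Added example, not code from the original post. The token list below is an
assumption about the names a .NET program referencing these classes carries.
"""

CRYPTO_NAMESPACE = b"System.Security.Cryptography"

# Classes named in the post, plus the concrete providers .NET code usually
# instantiates for them (assumption: these appear as separate name tokens).
SYMMETRIC_TYPES = {
    "TripleDES", "TripleDESCryptoServiceProvider",
    "Aes", "AesCryptoServiceProvider", "AesManaged",
}
ASYMMETRIC_TYPES = {"RSA", "RSACryptoServiceProvider"}


def string_heap_tokens(data):
    """Return the set of NUL-separated tokens, as a #Strings heap would yield."""
    return {tok for tok in data.split(b"\x00") if tok}


def crypto_refs(data):
    """Sorted crypto type names referenced, or [] if the namespace is absent.

    Requiring the namespace token avoids matching a short word like "Aes"
    that happens to occur in an unrelated string.
    """
    toks = string_heap_tokens(data)
    if CRYPTO_NAMESPACE not in toks:
        return []
    names = {t.decode("utf-8", "replace") for t in toks}
    return sorted(names & (SYMMETRIC_TYPES | ASYMMETRIC_TYPES))


def mixes_symmetric_and_asymmetric(data):
    """True when both a symmetric and an asymmetric class are referenced,
    the pattern the post describes for every Jumcar variant."""
    found = set(crypto_refs(data))
    return bool(found & SYMMETRIC_TYPES) and bool(found & ASYMMETRIC_TYPES)


# Constructed sample: a slice of what a #Strings heap might contain.
SAMPLE_HEAP = b"\x00" + b"\x00".join([
    b"<Module>", b"Program", b"System", b"Object",
    b"System.Security.Cryptography",
    b"TripleDESCryptoServiceProvider", b"RSACryptoServiceProvider",
    b"System.Net", b"WebClient",
]) + b"\x00"

# Constructed sample with no crypto namespace at all.
SAMPLE_PLAIN = b"\x00Program\x00System\x00Aes\x00Object\x00"


if __name__ == "__main__":
    print("crypto classes:", crypto_refs(SAMPLE_HEAP))
    print("symmetric+asymmetric:", mixes_symmetric_and_asymmetric(SAMPLE_HEAP))
```

To use it on a real file, read the assembly with `open(path, "rb").read()` and pass the bytes to `crypto_refs`; a positive result is a reason to look closer, not a verdict, since legitimate .NET software uses the same classes.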
The images below highlight the difference in the malware obfuscation implemented in the most popular botnets in the region, compared to the obfuscation used by Jumcar:
The patterns that distinguish this family of malware are:
The propagation campaigns are compatible with classical visual social engineering strategies that rely on sending fraudulent emails, using two different channels of attack:
All variants of Jumcar are hosted on previously compromised websites. In other words, the attacker does not register domain names as part of the strategy of propagation.
On the same compromised sites the attackers also implant a phishing pack used to steal information from unsuspecting users. This includes a plain-text file with the configuration the malware writes into the hosts file of each victim machine, the mass-mailer used to send large volumes of deceptive emails, and a backdoor that allows the attacker to access the site and upload new variants of the malware.
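Because the phishing pack drives its redirection through the victim's hosts file, a simple host-side check is to parse that file and flag any watched domain that resolves to something other than loopback. The script below is an added example written for this post, not Jumcar's code or Kaspersky's; the watch-list domains, the sample hosts file and the addresses in it are constructed placeholders, not the banks the campaign targets.

```python
"""Flag hosts-file entries that redirect watched domains (pharming check).

Added example, not code from the original post. WATCHED_DOMAINS and the
sample file are constructed; replace the watch-list with your own domains.
"""
import ipaddress

# Constructed watch-list of domains the defender cares about.
WATCHED_DOMAINS = {
    "bank-example-one.test",
    "bank-example-two.test",
}

# A watched name mapped to one of these is sinkholed, not hijacked.
BENIGN_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return [(line_no, ip_or_None, [hostnames])] for each effective entry.

    Comments and blank lines are skipped. An address that does not parse is
    kept as None so the caller can report it instead of silently ignoring it.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if not names:
            continue  # address with no hostname resolves nothing
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None
        entries.append((line_no, ip, [n.lower().rstrip(".") for n in names]))
    return entries


def _covers(watched, hostname):
    # True if hostname is the watched domain itself or one of its subdomains.
    return hostname == watched or hostname.endswith("." + watched)


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return findings as (line_no, hostname, address, reason)."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if not any(_covers(w, name) for w in watched):
                continue
            if ip is None:
                findings.append((line_no, name, None, "malformed address"))
            elif str(ip) in BENIGN_ADDRS:
                continue  # local sinkhole of a bank domain is not pharming
            else:
                findings.append((line_no, name, str(ip),
                                 "redirected to non-loopback address"))
    return findings


# Constructed sample: what a hosts file looks like after a pharming edit.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.bank-example-one.test bank-example-one.test   # cloned site
198.51.100.23   online.bank-example-two.test
0.0.0.0         ads.example.test
"""


if __name__ == "__main__":
    for line_no, host, addr, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr} ({reason})")
```

On a live machine, feed it the contents of `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`; any finding means the browser will reach the listed address for that bank no matter what DNS says, which is exactly the condition a cloned site relies on.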
Jumcar has had a high impact in recent months and has been geographically focused. In the following chart we can clearly see, in red, that the levels of infection have been most successful in Peru and Chile:
We analyzed over 50 samples belonging to the Jumcar family. This allowed us to collect a large volume of data of interest that we will share in the coming days.
The different variants are detected by Kaspersky Lab as Trojan.Win32.Jumcar and Trojan.MSIL.Jumcar.
2013 May 20, 18:58
Hi Jorge Mieres
2013 May 20, 20:35
Hi Mark, thanks for your comment. I don't think that Jumcar variants are propagated on other continents because it is just focused on Latam.
2013 Jun 02, 21:21