English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

0.1
 

We just received a spam message in Portuguese stating the following:
 

In short, this message says that WhatsApp for PC is finally available and that the recipient already has 11 pending invitations from friends in his account. This is what the email looks like:
 

Incidents|Trojan ChePro, the CPL storm

Fabio Assolini
Kaspersky Lab Expert
Posted December 27, 12:37  GMT
Tags: Internet Banking, Malware Technologies
0.3
 

Malware using the .CPL extension is nothing new for us, but it’s still interesting that almost all the banking malware currently originating in Brazil is distributed in this format. It doesn't matter whether it's a drive-by download or a simple attack based on social engineering, users find themselves at the epicenter of a real CPL storm every day. We decided to look into this trend and find out why Brazilian cybercriminals now favor this approach.

CPL files are applets used in Windows Control Panel. Once executed, rundll32.exe is used to launch a wide variety of actions defined in DLLs. Among the many things it can do is invoking Control Panel applets. When Windows first loads a Control Panel item, it retrieves the address of the CPlApplet() function and subsequently uses that address to call the function and pass messages to it.

Each cybercriminal has a preferred modus operandi to distribute this kind of malware. Most of them like to put the CPL file inside a ZIP, but we have also found it inserted inside RTF files. This kind of malware belongs to the Trojan-Banker.Win32.ChePro family, first detected in Russia in October 2012.

 
Typical distribution of ChePro samples: inside a ZIP file

0.2
 

Introduction

Today we got a spam message with a fake e-card in Portuguese leading to an interesting piece of malware:


Header translation: You got a Christmas e-card. Somebody very special has sent this Christmas e-card for you. In case you are not able to visualize it, click here. Much better than any present is a happy family.

0.4
 

The more people switch to 64-bit platforms, the more 64-bit malware appears. We have been following this process for several years now. The more people work on 64-bit platforms, the more 64-bit applications that are developed as well. Sometimes these include some very specific applications, for example, banking applications.... If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent. And what’s the most notorious banking malware? ZeuS, of course – the trendsetter for the majority of today’s banking malware. Its web injects have become a fundamental must-have feature of almost every banking malware family. And it was only a matter of time until a 64-bit version of ZeuS appeared – but we didn’t expect it to happen quite so soon.

That’s because cybercriminals don’t actually need a 64-bit version. ZeuS is mostly intended to intercept data passing through browsers, and modify that data allowing the operator to steal information related to online banking, to wire transactions or to cover his tracks. But nowadays people still use 32-bit browsers – even on 64-bit operating systems. So, 32-bit versions of ZeuS have been sufficient to keep the thieves satisfied with their earnings.

Then, out of the blue, we spotted a 32-bit ZeuS sample maintaining a 64-bit version inside. And it’s turned out that this 64-bit version has already been recorded being present in the wild at least since June, 2013 and compilation date specified in the sample is April 29, 2013! Moreover, this ZeuS version works via Tor. The initial 32-bit sample injects malicious code into target processes. If the target process belongs to a 64-bit application, ZeuS injects its 64-bit version into the process; otherwise, it pushes the 32-bit version. We ran tests to see how the 64-bit ZeuS works inside a 64-bit Internet Explorer and it demonstrated the usual ZeuS functionality: in any case, the web injects functioned as usual.

Incidents|Mule Flood in Japan

Michael
Kaspersky Lab Expert
Posted September 06, 07:05  GMT
Tags: Internet Banking, Social Engineering, Identity Theft, Electronic Payments
0.3
 

Money mule recruitment emails are nothing new, for years these have been spammed out all over the globe. What is new though is the recent wave aimed at “English-speaking Japanese residents”. It started at the end of July and we have received hundreds of such themed spam emails since then.

The content typically promises an easy job, just requiring some hours per week with very few other requirements.
0.1
 

Last week, GReAT LatAm participated in the 3rd Latin American Security Analysts Summit, which took place in Cancun, Mexico.

0.2
 

Jumcar stands out from other malicious code developed in Latin America because of its particularly aggressive features. At the moment three generations of this malware family exist, which basically use symmetric algorithms in the first and second generation, and an asymmetric algorithm in the third. In this manner the configuration parameters are hidden, progressively increasing the complexity of the variants.

In the first generation, data is encrypted with AES (Advanced Encryption Standard). We estimate that the first variant was released in March 2012, and that other pieces of malware with similar characteristics were being developed until August of the same year. That is to say over a six month period.

In this first stage, 75% of the phishing campaigns targeted Peruvian consumers that use home-banking services. The 25% remaining targeted users in Chile.

The following diagram shows multiple instances used by the second generation of Jumcar:

Some .NET instances used by a variant of the first generation of Jumcar


0.4
 

Jumcar” is the name we have given to a family of malicious code developed in Latin America – particularly in Peru – and which, according to our research, has been deploying attack maneuvers since March 2012.

After six months of research we can now detail the specific features of Jumcar. We will communicate these over the following days. Essentially the main purpose of the malware is stealing financial information from Latin American users who use the home-banking services of major banking companies. Of these, 90% are channeled in Peru through phishing strategies based on cloning the websites of six banks.

Some variants of the Jumcar family also target two banks in Chile, and another in Costa Rica.

Percentage of the phishing attacks by countries
0.6
 

It has been three years since we published Lock, stock and two smoking Trojans in our blog. The article describes the first piece of malware designed to attack users of online banking software developed by a company called BIFIT. There are now several malicious programs with similar functionality, including:

  • Trojan-Spy.Win32.Lurk
  • Trojan-Banker.Win32.iBank
  • Trojan-Banker.Win32.Oris
  • Trojan-Spy.Win32.Carberp
  • Trojan-Banker.Win32.BifiBank
  • Trojan-Banker.Win32.BifitAgent

In spite of its functionality no longer being unique, the last program on the list caught our attention.


Words and strings used by Trojan-Banker.Win32.BifitAgent

This particular piece of malware has a number of features that set it apart from other similar programs.

0.4
 

After the recent emergence of the criminal PiceBOT in Latin America, AlbaBotnet has joined the growing ranks of regional IT crime. It revolves around online pharming, with a view to delivering targeted phishing attacks which steal information from the online accounts of two major Chilean banks.

According to the data we have processed, this campaign is part of a trial stage of this botnet: up to now there has been no monetization of AlbaBotnet. We do know that the author of this threat began testing it in early 2012.

The botnet appears to have a similar structure to its Latin American counterparts. As well as the default automated malware builder, it includes a package which automatically sends emails. Thus, the botmaster can customize infection campaigns through the classic mechanisms of visual social engineering: