Lordfenix works alone, offers malware free of charge

Jun 30, 2015 17:28 GMT  ·  By

One of the most proficient malware authors in Brazil has been tracked down by security researchers, who say that he has created more than 100 banking Trojans since 2013, each one valued at more than $300 / €270.

The cybercriminal is not affiliated with any group and develops the malicious software by himself. Trend Micro says that he is a 20-year-old Computer Science student from Tocantins who currently goes by the alias Lordfenix in the underground world.

Malware does not run smoothly on IE and Firefox

When he started his cybercriminal life, the student used the alias “Filho de Hakcer” (a misspelled “hacker’s son”) and roamed hacker forums in search of advice on programming a piece of malware he was working on.

One of his creations, identified by Trend Micro products as TSPY_BANKER.NJH, can recognize when the URL of a targeted bank is typed into the browser address bar. It then immediately closes the original browser window and opens a new one showing a spoofed version of the website, which presents an error message to the user.

Malware analysts say that on Chrome the routine is almost unnoticeable, but on Internet Explorer and Firefox the original window remains open alongside the fake one.

“If the user enters his login credentials in the fake window, the malware sends the information back to the attacker via email - the same email address Lordfenix used during his ‘Filho de Hakcer’ days,” the researchers say.

Defense software disabled

Banks in Brazil recommend that users install a security plugin called G-Buster to defend against information theft, but Lordfenix’s malware is capable of terminating its process, leaving the online banking session exposed.

While tracking the student’s activity, the researchers found that he offered fully functional variants of some of the Trojans free of charge, but with a restriction on which banks could be targeted. Anyone seeking to change the list of targets was instructed to purchase the threat from him.