Avast experts have analyzed an interesting piece of malware

Mar 20, 2013 12:41 GMT

Security firm Avast has published a report on an interesting banking Trojan that’s currently targeting the customers of 23 financial institutions and 5 e-commerce systems from Brazil.

Despite the fact that the malware is not very sophisticated, it is highly efficient at making money for the cybercriminals that control it.

One of the most interesting aspects of this piece of malware is that its components have been signed with valid digital certificates.

Unlike other threats, which are signed with stolen or modified certificates, the authors of this banking Trojan have set up new companies for which they have requested digital certificates from COMODO and DigiCert.

The companies for which the certificates have been issued are registered with bogus information, so the crooks cannot be tracked down. To make the certificates more legitimate-looking, they use names similar to the ones of companies that develop bank security software.
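A defender-side check that follows from this paragraph, added here as example code rather than anything from Avast's report: given the subject of a code-signing certificate, it flags signer organisations whose names merely resemble a trusted bank-security vendor, since a validly issued certificate says nothing about the intent of the company behind it. The vendor allow-list and the subject strings are constructed placeholders.

```python
import difflib
import re

# Constructed allow-list of vendor names a defender trusts to sign bank-security
# software (placeholders; a real list comes from the organisation's own inventory).
TRUSTED_VENDORS = ["Example Bank Security", "SecureBank Software S.A."]

CORPORATE_SUFFIXES = {"ltda", "sa", "inc", "llc", "ltd", "corp", "co"}


def normalize_org(name: str) -> str:
    """Lower-case, drop punctuation and legal-form suffixes so that
    'Example Bank Security Ltda.' and 'EXAMPLE BANK SECURITY' compare equal."""
    tokens = re.sub(r"[^\w\s]", "", name.lower()).split()
    return " ".join(t for t in tokens if t not in CORPORATE_SUFFIXES)


def parse_subject(subject: str) -> dict:
    """Parse a simple 'C=BR, O=..., CN=...' subject string into a dict.
    Assumes no escaped commas inside attribute values."""
    return {k.upper(): v.strip() for k, v in re.findall(r"(\w+)=([^,]+)", subject)}


def classify_signer(subject: str, trusted=TRUSTED_VENDORS, threshold: float = 0.8):
    """Return (verdict, closest_trusted_name, score).
    verdict is 'exact', 'lookalike' or 'unknown'. A valid signature from a
    'lookalike' organisation deserves the same scrutiny as an unsigned file."""
    org = normalize_org(parse_subject(subject).get("O", ""))
    best_name, best_score = None, 0.0
    for vendor in trusted:
        score = difflib.SequenceMatcher(None, org, normalize_org(vendor)).ratio()
        if score > best_score:
            best_name, best_score = vendor, score
    if best_score == 1.0:
        return "exact", best_name, best_score
    if best_score >= threshold:
        return "lookalike", best_name, best_score
    return "unknown", best_name, best_score


if __name__ == "__main__":
    # Constructed sample subjects: a genuine vendor, a typo-squatted shell company
    # (note the digit 1 and the letter l), and an unrelated organisation.
    for subj in ("C=BR, O=Example Bank Security Ltda., CN=Example Bank Security Ltda.",
                 "C=BR, O=Examp1e Bank Securlty S.A., CN=Examp1e Bank Securlty",
                 "C=BR, O=Totally Different Corp, CN=Totally Different Corp"):
        print(subj, "->", classify_signer(subj))
```

The similarity threshold is a tuning knob: too low and every vendor with "Security" in its name trips it, too high and single-character substitutions slip through.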

Initial versions of the malware, first identified at the beginning of 2010, had only one module, targeting just a small number of banks. They weren’t signed with digital certificates and could be easily reverse-engineered.

However, since they were allowed to improve their creation without being interrupted, the authors later added 2 modules – one to target a larger number of organizations, and one to improve browser hijacking via a Dynamic Data Exchange (DDE) interface.

The latest version includes anti-debug mechanisms, encryption, and HTTPS/SSL support for downloads.

The malware, written in Delphi, is distributed via emails or direct links; users are lured to it with Flash animations, PowerPoint presentations and PDF documents. While the victim is presented with the decoy file, the Trojan’s modules are installed.

Once the components are installed, no additional clicks are required from the victim. The malware simply checks the browser’s address bar and injects pieces of code into the webpage when certain sites are detected.

The complete report is available here.