Trojan targeted users living in Brazil alone

Dec 10, 2015 22:02 GMT  ·  By

Google's Cloud platform was used by a cyber-crime gang to host and spread a banking trojan, targeting Portuguese-speaking users in Brazil.

The campaign had been active for some time before Zscaler's security team detected it, and by then it had reached over 100,000 users.

According to Zscaler's analysis, the operation relied on classic social engineering tricks to get users to click a malicious bit.ly link.

Offering fake coupons, free apps, but delivering banking trojans

To fool users into accessing these links, the attackers were offering free coupons, vouchers, and free versions of software like Avast and WhatsApp.

If users accessed the link, a download would start, usually a .COM or .EXE file hosted on Google Cloud. If the file was executed, it would install a payload downloader. In security lingo, a payload downloader is a small piece of malware whose only job is to fetch and install other, more potent malware.

This particular downloader would eventually install the Telax banking trojan. Zscaler researchers analyzed this trojan (at version 4.7) and observed that it targeted only clients of Brazilian banks.

The trojan was extremely complex: it had a modular structure, used a C&C server to exfiltrate stolen data, worked on both 32- and 64-bit architectures, checked for the presence of reverse engineering environments, and came with tools to capture and bypass two-factor authentication mechanisms.

Over 100,000 users accessed the malicious bit.ly link

Zscaler was able to obtain statistics for the bit.ly URL used in the campaign and found that 99% of the users who accessed it came from Brazil. This shows the group had a well-thought-out plan for distributing the trojan to its intended victims and was very efficient at it.

The campaign was active between October 19 and October 30, 2015, when Google abruptly ended it by taking down the malicious files hosted on its service.

As for the source of the traffic, 99% came from Facebook, but a few thousand clicks also came from some standalone domains. Several of these domains were registered under the same name, Kleyb Maxbell of Emas, a Brazilian city.

[Image: bit.ly link statistics]
