Installation
The threat drops a copy of itself into the %APPDATA% folder using an eight-character file name made up of random letters and numbers.
It makes itself run each time you start your PC by adding a reference to the dropped file in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
It also creates the registry key HKCU\Software\SNYASVD5208.
The threat searches for the following processes and injects a DLL component into them:
- chrome.exe - Chrome web browser
- explore.exe - Windows file explorer
- firefox.exe - Firefox web browser
- iexplore.exe - Internet Explorer web browser
Payload
Steals banking-related information
The threat tries to steal information about transactions you make using the Boleto payment system. It intercepts Boletos you receive and changes them so that the payments you make on them are stolen.
It looks for websites that use the following keywords:
It avoids website URLs that contain the following:
- .bmp
- .flv
- .gif
- .jpg
- .jpeg
- .png
- .swf
- facebook.com
- hotmail.com
- live.com
If an intercepted message contains the URL string facebookxxx.com/ajax/mercury/send_messages.php, the threat tries to send a message to the group in the string.
Note: This website is not related to facebook.com and is currently down.
Steals login details
The threat tries to steal your login details, such as your username and password, from https://login.live.com/ if you visit it while your PC is infected.
It also tries to steal login details from Facebook and Hotmail.
Sends information to a remote server
Along with stealing your login details, the threat also steals information about your version of Windows and what Internet browser you use.
The threat connects to the following IPs to send the information it has collected:
- 205.234.130.208
- 216.246.91.224
It accesses the following pages:
Changes security files
The threat changes the following files (in memory) to avoid detection:
- gbieh.dll
- gbiehabn.dll
- gbiehcef.dll
- gbiehscd.dll
- gbiehuni.dll
- gbpdist.dll
These files might be used by banking software, such as that belonging to Banco Bradesco and Caixa Economica Federal.
Additional information
Hooks APIs
The threat hooks the following APIs to inject code, which it uses to monitor what you are doing on the Internet:
- kernel32.dll - CreateProcessAsUserW
- kernel32.dll - CreateProcessW
- kernel32.dll - GetSystemTimeAsFileTime
- nspr4.dll - PR_Close
- nspr4.dll - PR_OpenTCPSocket
- nspr4.dll - PR_Read
- nspr4.dll - PR_Write
- wininet.dll - HttpSendRequestA
- wininet.dll - HttpSendRequestW
- wininet.dll - InternetCloseHandle
- wininet.dll - InternetQueryDataAvailable
- wininet.dll - InternetReadFile
- wininet.dll - InternetReadFileExA
- wininet.dll - InternetWriteFile
It creates a mutex which could be an infection marker to prevent more than one copy of the threat running on your PC. We have seen it use the names RasPbFilezSh and DynGateInstanceMutexS for the mutex.
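The persistence markers listed under Installation and the mutex names above are enough for a defender to check a single user profile for this infection. The following PowerShell triage script is an added example, not part of the original analysis; it assumes the dropped file keeps the eight-character alphanumeric name in %APPDATA% (with any or no extension) and that the Run value may or may not be quoted.

```powershell
# Added triage script (not from the original write-up). Checks the current user for
# the markers this entry describes:
#  - a Run value under HKCU pointing to an 8-character alphanumeric file in %APPDATA%
#  - the HKCU\Software\SNYASVD5208 registry key
#  - the mutex names RasPbFilezSh and DynGateInstanceMutexS
# Prints a list of findings; an empty result means none of the markers were seen.

$findings = @()

# 1. Run-key values that point into %APPDATA% with an 8-character random-looking name.
#    Accepts both the expanded path and the literal %APPDATA% variable, quoted or not.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [regex]::Escape($env:APPDATA)
$pattern = "^`"?(?:$appData|%APPDATA%)\\[A-Za-z0-9]{8}(?:\.[A-Za-z0-9]+)?`"?"
if (Test-Path $runKey) {
    $values = Get-ItemProperty -Path $runKey
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive noise
        if ($prop.Value -is [string] -and $prop.Value -match $pattern) {
            $findings += "Run value '$($prop.Name)' -> $($prop.Value)"
        }
    }
}

# 2. The marker key the threat creates under HKCU.
if (Test-Path 'HKCU:\Software\SNYASVD5208') {
    $findings += 'Registry key HKCU\Software\SNYASVD5208 present'
}

# 3. Mutexes used as infection markers. OpenExisting throws when the mutex is absent.
foreach ($name in 'RasPbFilezSh', 'DynGateInstanceMutexS') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings += "Mutex '$name' exists"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # Not present: the expected result on a clean machine.
    } catch [System.UnauthorizedAccessException] {
        # Exists but cannot be opened with our rights: still evidence it is there.
        $findings += "Mutex '$name' exists (access denied)"
    }
}

if ($findings.Count -eq 0) { 'No indicators from this entry found for the current user.' }
else { $findings }
```

Run it in the context of the user being checked, since both the Run key and the marker key live under HKCU; a Run value that matches only on the eight-character name is a lead to inspect, not proof of infection on its own.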
Analysis by Zarestel Ferrer