TrojanDropper:Win32/ChroBancos.A is a trojan that drops JavaScript malware posing as a Firefox plugin. The malicious JavaScript is detected as TrojanSpy:JS/Chrome.A and steals user information pertaining to certain banking websites.
Installation
Upon execution, TrojanDropper:Win32/ChroBancos.A checks to see if Firefox is installed in the system. It does this by checking for the presence of the following registry keys:
HKLM\SOFTWARE\Mozilla
HKCU\SOFTWARE\Mozilla
HKCU\Software\Classes\FirefoxHTML\shell\open\command
HKCR\FirefoxHTML\shell\open\command
HKCR\Applications\FIREFOX.EXE\shell\open\command
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
It then checks for the Firefox installation folder by querying the following key:
HKLM\SOFTWARE\Mozilla\Mozilla Firefox\3.0.5 (en-US)\Main\Install
It drops the following files in the system:
It also modifies the file "%Program Files%\Mozilla Firefox\chrome\browser.manifest" to make Firefox load its malicious component as a plugin, by appending the following text:
content greasemonkey-browser-overlay chrome/content/
overlay chrome://browser/content/browser.xul chrome://greasemonkey-browser-overlay/content/browser.xul
It also creates the following folders and files, if they don't exist:
- %Program Files%\Mozilla Firefox\chrome\chrome\content\browser.js - detected as TrojanSpy:JS/Chrome.A
- %Program Files%\Mozilla Firefox\chrome\chrome\content\browser.xul
The file "browser.xul" loads the malicious JavaScript when Firefox is opened, and contains the following:
<?xml version="1.0"?>
<!DOCTYPE overlay SYSTEM "chrome://greasemonkey/locale/greasemonkey.dtd">
...
<overlay id="greasemonkey-browser-overlay" xmlns:xd='http://schemas.microsoft.com/office/infopath/2003' xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/x-javascript" src="chrome://greasemonkey-browser-overlay/content/browser.js" />
</overlay>
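As an added example that is not part of the original write-up, the following Python check looks for the two installation artifacts described above on a Firefox install directory: the overlay registration lines appended to chrome\browser.manifest and the browser.js/browser.xul files dropped under chrome\chrome\content\. The install directory path, the clean manifest line and the throwaway fixture are constructed for illustration and are assumptions, not values from the analysis.

```python
# Added example, not code from the original write-up: scan a Firefox install
# directory for the artifacts the text attributes to TrojanDropper:Win32/ChroBancos.A.
import os
import re
import tempfile

# The two lines the write-up says are appended to chrome\browser.manifest.
MANIFEST_MARKERS = (
    re.compile(r"^content\s+greasemonkey-browser-overlay\s+chrome/content/$"),
    re.compile(r"^overlay\s+chrome://browser/content/browser\.xul\s+"
               r"chrome://greasemonkey-browser-overlay/content/browser\.xul$"),
)
DROPPED_FILES = (os.path.join("chrome", "chrome", "content", "browser.js"),  # created below install dir
                 os.path.join("chrome", "chrome", "content", "browser.xul"))

def suspicious_manifest_lines(manifest_text):
    """Return (line_no, line) for each appended overlay registration. Firefox's own
    browser.manifest registers no Greasemonkey package (the genuine add-on lives in
    the user profile with its own manifest), so a match here means tampering."""
    hits = []
    for no, line in enumerate(manifest_text.splitlines(), 1):
        if any(m.match(line.strip()) for m in MANIFEST_MARKERS):
            hits.append((no, line.strip()))
    return hits

def scan_firefox_dir(firefox_dir):
    """Report manifest tampering and dropped files for one install directory."""
    report = {"manifest_hits": [], "dropped_files": []}
    manifest = os.path.join(firefox_dir, "chrome", "browser.manifest")
    if os.path.isfile(manifest):
        with open(manifest, encoding="utf-8", errors="replace") as fh:
            report["manifest_hits"] = suspicious_manifest_lines(fh.read())
    report["dropped_files"] = [rel for rel in DROPPED_FILES
                               if os.path.isfile(os.path.join(firefox_dir, rel))]
    report["infected"] = bool(report["manifest_hits"] or report["dropped_files"])
    return report

def build_sample_install(tampered=True):
    """Constructed fixture: a throwaway install directory, clean or tampered."""
    root = tempfile.mkdtemp(prefix="ff-")
    os.makedirs(os.path.join(root, "chrome", "chrome", "content"))
    lines = ["content browser jar:browser.jar!/content/browser/"]  # constructed stand-in line
    if tampered:
        lines += ["content greasemonkey-browser-overlay chrome/content/",
                  "overlay chrome://browser/content/browser.xul "
                  "chrome://greasemonkey-browser-overlay/content/browser.xul"]
        open(os.path.join(root, DROPPED_FILES[1]), "w").close()  # drop only browser.xul
    with open(os.path.join(root, "chrome", "browser.manifest"), "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return root
```

`scan_firefox_dir(build_sample_install())` exercises the check against the constructed fixture; pointing it at the directory read from the Install registry key above gives a live check of a real installation.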
Payload
Drops Other Malware
As indicated in the above section, TrojanDropper:Win32/ChroBancos.A drops the following malware in the system:
Steals Information
When Firefox is opened or accessed, JS/Chrome.A loads Win32/ChroBancos.A!dll into Firefox.
Win32/ChroBancos.A!dll then monitors the following bank-related URLs:
If a user visits any of the monitored websites, Win32/ChroBancos.A!dll monitors the user's keystrokes and sends the user's input, likely passwords and account numbers, to a remote attacker via certain sites, such as "yandeeex.ru" or "sss.re".
Analysis by Huzefa Mogri