Trojan:Win32/Scar.O is a trojan that redirects web browser navigation away from certain online financial websites to another IP address. The destination server and page could host an imitation logon screen for the purpose of capturing user-entered credentials.
Installation
When run, Trojan:Win32/Scar.O drops a copy of the trojan as the following:
- %ProgramFiles%\Common Files\twunk.exe
The registry is modified to run the trojan copy at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "twunk"
To data: "%ProgramFiles%\Common Files\twunk.exe"
Payload
Sends data to a remote server
The trojan writes machine-specific information about the affected computer to the following log file:
- %ProgramFiles%\Common Files\1
The log file contains the following formatted information (the field labels are Portuguese: "Computador" is computer name, "Versao do Win" is Windows version, "Data" is date, "Hora" is time):
------- Controle -----
.::.INFECT.::.
------- Controle -----
Computador....: <Machine Name>
MAC....: <Mac address>
Versao do Win....: <Windows Version>
--------------------------------------------
Data....: <Today's date>
Hora....: <Current time>
--------------------------------------------
Monitor....: <Screen resolution>
--------------------------------------------
The trojan sends the content of this file to the remote site "viva.is" by submitting it to a server-side PHP script named "build.php".
Redirects web browser navigation
Trojan:Win32/Scar.O attempts to download a file "help.txt" from the site "byggja.is" and saves it locally over the name-resolution file "%windir%\System32\drivers\etc\hosts". Windows consults this file before querying DNS, so the change takes effect in every browser without touching any DNS settings. The replacement "hosts" file redirects navigation to the following web sites to a specified IP address:
santander.com.br
www.santander.com.br
real.com.br
www.real.com.br
bancoreal.com.br
www.bancoreal.com.br
itau.com.br
www.itau.com.br
cef.com.br
www.cef.com.br
caixa.com.br
www.caixa.com.br
caixa.gov.br
www.caixa.gov.br
bb.com.br
www.bb.com.br
bancobrasil.com.br
www.bancobrasil.com.br
bancodobrasil.com.br
www.bancodobrasil.com.br
bradesco.com.br
www.bradesco.com.br
www.visa.com.br
visa.com.br
mastercard.com
www.mastercard.com
serasa.com.br
www.serasa.com.br
hotmail.com
www.hotmail.com
citibank.com.br
www.citibank.com.br
bancoamazonia.com.br
www.bancoamazonia.com.br
tibia.com
www.tibia.com
paypal.com
www.paypal.com
In the wild, the "hosts" file contained one of the following IP addresses:
The destination IP address could host a web page that imitates a logon screen for the purpose of capturing user-entered credentials.
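As an added triage example (this is not part of the original analysis and not code from the trojan), the following Python parses a Windows "hosts" file and reports any of the domains listed above that are mapped to something other than loopback, then groups the hits by destination so the one-address-for-everything pattern of this hijack stands out. The hosts content is constructed for the example, and the 192.0.2.10 address is an RFC 5737 documentation placeholder standing in for the attacker's server; the page does not record the real IP.

```python
"""Scan a Windows hosts file for entries that hijack the domains Trojan:Win32/Scar.O targets."""
import ipaddress
import sys
from collections import defaultdict

# Domains the analysis lists as redirected; "www." variants are folded in by find_hijacks.
WATCHLIST = frozenset({
    "santander.com.br", "real.com.br", "bancoreal.com.br", "itau.com.br",
    "cef.com.br", "caixa.com.br", "caixa.gov.br", "bb.com.br",
    "bancobrasil.com.br", "bancodobrasil.com.br", "bradesco.com.br",
    "visa.com.br", "mastercard.com", "serasa.com.br", "hotmail.com",
    "citibank.com.br", "bancoamazonia.com.br", "tibia.com", "paypal.com",
})

# Default location of the file the trojan overwrites (%windir% assumed to be C:\Windows).
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample, not a capture from an infected machine. 192.0.2.10 is a
# documentation address (RFC 5737) used here as a placeholder for the attacker's server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      santander.com.br
192.0.2.10      www.santander.com.br
192.0.2.10      bb.com.br www.bb.com.br
192.0.2.10      paypal.com
192.0.2.10      ads.example.net    # not on the watchlist, so not reported
"""


def parse_hosts(text):
    """Return (ip_address, hostname) pairs; comments and unparsable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address-first hosts entry (or a malformed one)
        for name in fields[1:]:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def _base_domain(name):
    """Fold the www. form onto its bare domain so one watchlist entry covers both."""
    return name[4:] if name.startswith("www.") else name


def find_hijacks(text, watchlist=WATCHLIST):
    """Return [(hostname, ip)] for watchlisted names mapped anywhere but loopback/unspecified."""
    hits = []
    for ip, name in parse_hosts(text):
        if _base_domain(name) in watchlist and not (ip.is_loopback or ip.is_unspecified):
            hits.append((name, str(ip)))
    return hits


def group_by_target(hits):
    """Group hijacked names by destination IP; Scar.O points every name at a single address."""
    groups = defaultdict(list)
    for name, ip in hits:
        groups[ip].append(name)
    return {ip: sorted(names) for ip, names in groups.items()}


if __name__ == "__main__":
    # Pass a path to scan a real hosts file; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for target, names in group_by_target(find_hijacks(content)).items():
        print(f"{target}: {len(names)} watchlisted name(s) redirected")
        for n in names:
            print(f"    {n}")
```

Run it against the machine's own hosts file with `python scan_hosts.py C:\Windows\System32\drivers\etc\hosts`. A clean Microsoft hosts file produces no output; a single non-loopback address collecting many of the names above is the signature to escalate on, together with the "twunk" Run value and the "%ProgramFiles%\Common Files\1" log file noted earlier.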
Analysis by Shali Hsieh