Threat behavior
TrojanSpy:JS/Chrome.A is a JavaScript trojan that is dropped by malware posing as a Firefox plugin. It steals user information pertaining to certain banking websites.
Installation
The file "browser.xul" loads the malicious JavaScript when Firefox is opened, and contains the following:
<?xml version="1.0"?>
<!DOCTYPE overlay SYSTEM "chrome://greasemonkey/locale/greasemonkey.dtd">
...
<overlay id="greasemonkey-browser-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/x-javascript" src="chrome://greasemonkey-browser-overlay/content/browser.js" />
</overlay>
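Added here as an example, not part of the original analysis: a small triage parser for XUL overlay files like the browser.xul above. It lists the overlay id and every script src it loads, and flags script sources whose chrome:// package is not one the extension is expected to register; the sample overlay and the expected package set {"greasemonkey"} are constructed assumptions for this example, not data from the page.

```python
import xml.etree.ElementTree as ET

XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"

# Constructed sample modelled on the browser.xul fragment shown above (not the real file).
SAMPLE_OVERLAY = """<?xml version="1.0"?>
<!DOCTYPE overlay SYSTEM "chrome://greasemonkey/locale/greasemonkey.dtd">
<overlay id="greasemonkey-browser-overlay"
         xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <script type="application/x-javascript"
          src="chrome://greasemonkey/content/browser.js" />
  <script type="application/x-javascript"
          src="chrome://greasemonkey-browser-overlay/content/browser.js" />
</overlay>
"""


def overlay_scripts(xul_text):
    """Return (overlay_id, [script src values]) parsed from a XUL overlay document."""
    root = ET.fromstring(xul_text)
    script_tag = "{%s}script" % XUL_NS
    srcs = [s.get("src", "") for s in root.iter(script_tag)]
    return root.get("id", ""), srcs


def chrome_package(url):
    """chrome://pkg/content/x.js -> 'pkg'; returns '' for non-chrome URLs."""
    if not url.startswith("chrome://"):
        return ""
    return url[len("chrome://"):].split("/", 1)[0]


def suspicious_scripts(xul_text, expected_packages):
    """Return script sources whose chrome package is not in expected_packages.

    expected_packages is the set of chrome package names the extension legitimately
    registers (an assumption supplied by the analyst, e.g. {"greasemonkey"}).
    """
    _, srcs = overlay_scripts(xul_text)
    return [s for s in srcs if chrome_package(s) not in expected_packages]


if __name__ == "__main__":
    overlay_id, srcs = overlay_scripts(SAMPLE_OVERLAY)
    print("overlay id:", overlay_id)
    for s in suspicious_scripts(SAMPLE_OVERLAY, {"greasemonkey"}):
        print("unexpected script source:", s)
```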
Payload
Steals Information
Win32/ChroBancos.A!dll then monitors the following bank-related URLs:
If a user visits any of the monitored websites, Win32/ChroBancos.A!dll monitors the user's keystrokes and sends the user's input, likely passwords and account numbers, to a remote attacker via certain sites, such as "yandeeex.ru" or "sss.re".
Analysis by Huzefa Mogri
Prevention