Threat behavior
TrojanSpy:Win32/Banker.QO is a password-stealing trojan that attempts to mimic a particular online banking logon dialog in order to capture logon credentials.
Installation
This trojan may be installed by other malware as a file named "update_BBVA.exe". When the trojan runs, it displays an imitation logon screen for the online bank BBVA of Brazil.
Payload
Captures logon credentials
After a user enters a 7-digit account number and the associated password, the trojan displays a new form window requesting a 3-digit security code.
After the security code is entered, the trojan displays a dialog message suggesting that the user re-establish the Internet connection to the bank.
By this point the trojan has captured the logon credentials. TrojanSpy:Win32/Banker.QO then collects other information, such as the following:
- Windows OS version
- user name and password
- MAC address
The collected information is sent to a remote attacker with the email address "jheysonf@yahoo.com.br" via SMTP.
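Because the stolen data leaves the machine as ordinary e-mail rather than through the trojan's own protocol, the exfiltration step above is the one most visible to network defenders. The following is an added detection example, not part of Microsoft's entry: it assumes a firewall log with `src=`/`dst=`/`dport=` fields, a mail-gateway log with `from=`/`to=` fields, an internal range of 10.0.0.0/8, and a single approved relay at 10.0.0.25; it flags workstations that speak SMTP directly to the Internet and any message addressed to the recipient named above. All log lines are constructed.

```python
"""Flag direct outbound SMTP from endpoints and mail to the exfiltration address."""
import re
from ipaddress import ip_address, ip_network

# From the threat description: recipient of the stolen credentials.
EXFIL_RECIPIENT = "jheysonf@yahoo.com.br"
# Assumed environment: only this relay may open TCP/25 to the Internet.
MAIL_RELAYS = {"10.0.0.25"}
INTERNAL = ip_network("10.0.0.0/8")

# Constructed firewall log (documentation address ranges, not real traffic).
FW_LOG = """\
2009-03-12T10:01:02 src=10.0.0.25 dst=192.0.2.10 dport=25 action=allow
2009-03-12T10:03:44 src=10.0.4.17 dst=198.51.100.31 dport=25 action=allow
2009-03-12T10:04:01 src=10.0.4.17 dst=203.0.113.34 dport=443 action=allow
2009-03-12T10:05:19 src=10.0.7.9 dst=198.51.100.163 dport=25 action=allow
"""

# Constructed mail-gateway log.
MAIL_LOG = """\
2009-03-12T10:03:45 from=wks017@corp.example to=jheysonf@yahoo.com.br subject="Dados"
2009-03-12T10:06:00 from=alice@corp.example to=bob@corp.example subject="lunch"
"""

FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
MAIL_RE = re.compile(r"from=(\S+) to=(\S+)")


def direct_smtp_sources(log):
    """Internal hosts that opened TCP/25 to an external address and are not approved relays."""
    hits = set()
    for line in log.splitlines():
        m = FW_RE.search(line)
        if not m or m.group(3) != "25":
            continue
        src, dst = m.group(1), m.group(2)
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL and src not in MAIL_RELAYS:
            hits.add(src)
    return sorted(hits)


def senders_to_exfil_address(log):
    """Senders of any message addressed to the recipient named in the threat description."""
    senders = []
    for line in log.splitlines():
        m = MAIL_RE.search(line)
        if m and m.group(2).lower() == EXFIL_RECIPIENT:
            senders.append(m.group(1))
    return senders


if __name__ == "__main__":
    print("direct SMTP from endpoints:", direct_smtp_sources(FW_LOG))
    print("mail to exfil address from:", senders_to_exfil_address(MAIL_LOG))
```

Blocking TCP/25 from workstations at the perimeter, so that only the relay can send, turns the first check from a detection into a prevention for this family.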
Analysis by Marianne Mallen
Prevention