Threat behavior
TrojanSpy:Win32/Banker.WE is a Trojan bank password stealer targeting online banking customers of a Brazilian bank.
Installation
TrojanSpy:Win32/Banker.WE usually arrives on a system as a file downloaded by variants of TrojanDownloader:Win32/Banload. Once it is executed, it may drop a copy of itself in the following location:
%windir%\media\hpmedia.exe
It modifies the system registry to enable it to run at every Windows start:
Adds value: "DrvStart"
With data: "%windir%\media\hpmedia.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Payload
Modifies Internet Settings
TrojanSpy:Win32/Banker.WE changes the system's Internet settings to bypass the network proxy:
Adds value: "ProxyBypass"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
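The two registry changes described above (the "DrvStart" Run entry and the "ProxyBypass" ZoneMap value) are the host-based indicators a responder would check for. The script below is an added example, not part of this write-up: it parses a .reg-style export (the sample text is constructed) and reports whether either indicator is present. Key names, value names and data are taken from the write-up; the export format handling (string and dword values only) and the sample contents are the example's own assumptions.

```python
"""Check a .reg-style registry export for the TrojanSpy:Win32/Banker.WE
persistence and proxy-bypass indicators described in the write-up.
Added example; sample input is constructed, not a real system export."""
import re

# Indicators from the write-up. Registry paths are case-insensitive, so
# everything is compared lower-cased.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
ZONEMAP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap")

# (key, value name, predicate over the value data)
INDICATORS = [
    # persistence: Run value pointing at %windir%\media\hpmedia.exe
    (RUN_KEY, "DrvStart", lambda d: r"\media\hpmedia.exe" in d.lower()),
    # proxy bypass: ZoneMap\ProxyBypass set to 1
    (ZONEMAP_KEY, "ProxyBypass", lambda d: d == "1"),
]

# Constructed sample export: one benign Run entry plus both indicators.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"DrvStart"="%windir%\\media\\hpmedia.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"=dword:00000001
"UNCAsIntranet"=dword:00000000
"""

_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_lowercase: {value_name: data_as_string}}.

    Handles quoted string values (with .reg backslash escaping) and
    dword values; other value types are skipped for this example."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            data = str(int(data[len("dword:"):], 16))
        elif data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")
        else:
            continue  # hex(...) and other types not needed here
        entries[current][name] = data
    return entries


def find_indicators(entries):
    """Return [(key, value_name, data)] for every indicator found."""
    hits = []
    for key, name, matches in INDICATORS:
        values = entries.get(key.lower(), {})
        data = values.get(name)
        if data is not None and matches(data):
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"INDICATOR {key}\\{name} = {data}")
```

On a live host the same checks can be run against an export made with `reg export` of the two keys; the Run entry is also worth confirming on disk, since the write-up names the dropped path under %windir%\media.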
Steals Sensitive Data
TrojanSpy:Win32/Banker.WE logs credentials and gathers sensitive information when a user visits sites with the following strings in the browser title bar or URL:
- INTERNETBANKINGCAIXA
- internetbanking.caixa.gov.br/SIIBC/index
All gathered information is sent back to a remote attacker via e-mail.
Downloads and Installs Arbitrary Files
TrojanSpy:Win32/Banker.WE downloads programs or files from the following websites:
- upd118-10.tripod.com
- poieni.ro
- edex367-10.freetzi.com
Note that the content at these download locations can be changed at any time and may point to other malware.
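The three download hosts listed above are network indicators that can be matched against web proxy or DNS logs. The script below is an added example, not part of this write-up: it extracts the host from each URL in a constructed proxy log and flags exact or subdomain matches against the listed hosts, rather than plain substring matches, so a name like "notpoieni.ro" is not reported. The log line format (timestamp, client, URL, status) and the sample lines are assumptions of the example; only the host names come from the write-up.

```python
"""Flag proxy log lines whose URL host is one of the download hosts named
in the write-up. Added example; the log format and lines are constructed."""
from urllib.parse import urlsplit

# Download hosts from the write-up.
DOWNLOAD_HOSTS = {
    "upd118-10.tripod.com",
    "poieni.ro",
    "edex367-10.freetzi.com",
}

# Constructed log lines: "<timestamp> <client-ip> <url> <status>"
SAMPLE_LOG = [
    "2009-03-10T10:01:02 10.0.0.5 http://www.example.com/ 200",
    "2009-03-10T10:01:07 10.0.0.5 http://upd118-10.tripod.com/update.bin 200",
    "2009-03-10T10:01:09 10.0.0.7 http://www.poieni.ro/ 200",
    "2009-03-10T10:01:11 10.0.0.9 http://notpoieni.ro/ 200",
    "2009-03-10T10:01:15 10.0.0.5 http://edex367-10.freetzi.com/config.txt 404",
]


def host_matches(host, indicator):
    """True if host equals the indicator or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def flag_proxy_log(lines):
    """Return [(line_number, host)] for lines contacting a listed host."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line in the constructed format
        host = urlsplit(fields[2]).hostname
        if host is None:
            continue
        for indicator in DOWNLOAD_HOSTS:
            if host_matches(host, indicator):
                hits.append((number, host))
                break
    return hits


if __name__ == "__main__":
    for number, host in flag_proxy_log(SAMPLE_LOG):
        print(f"line {number}: contact with download host {host}")
```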
Analysis by Francis Allan Tan Seng
Prevention