Banking Trojan Embuste Bot Spotted

Researchers have uncovered a dangerous new banking Trojan named EmbusteBot, which is designed to compromise customers of a predefined list of banks.

Embuste Bot Overview

Security researchers have uncovered a new banking bot, this time coming from Brazil. The country is known for its large number of hacker collectives that constantly produce new malware, and Embuste Bot is merely the latest banking Trojan to be identified. It infects computers using the common practice of loading a dynamic link library (DLL) on the target and then activating the payload in a second-stage deployment. Unlike other similar threats, the DLL is rather large at 3.3 MB. This is probably due to the OpenSSL library bundled with the dropper: all of the code is statically linked and compiled in, a strategy often used so that the generated network traffic can be encrypted.

Note: At the time of writing this article, the virus has a very low detection ratio. Most anti-virus products have not yet added it to their definition lists. By using a quality anti-malware solution, computer users can protect themselves from all types of malware and can remove active infections with a few mouse clicks.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

An interesting characteristic of the analyzed samples is their lack of code packing or encryption of potentially private code paths. According to the researchers, the developers of Embuste Bot have not used anti-debugging techniques either. This may mean that they are still inexperienced, or that they are trying to make the DLL files appear legitimate. At the same time, the virus engine does encrypt some of the sensitive strings related to certain DLL components. The experts managed to extract the algorithm that is followed after the initial infection has taken place:

  1. The engine extracts information about the running browsers and compares it to a predefined list, so the virus can find out exactly which browser window is running on the victim’s machine. Upon infection it checks whether any of the supported browsers are running or whether there is an active Java instance. The current builds of the bot are compatible with Google Chrome, Mozilla Firefox and Internet Explorer. During the infection phase the engine also gathers information about the infected system: the version of the operating system, hardware components and system configuration settings. The data is sent to remote C&C servers in an encoded form.

  2. The malware compares the window title to a built-in list of target online banking services and applications.

  3. If a matching service is identified, the engine creates a counterfeit overlay which aims to trick the users into entering their credentials. The information is relayed to the attackers.

  4. The bot is able to modify the browser sessions and conduct fraudulent transactions from the victim accounts.

To a degree the virus acts like a browser hijacker, as it is able to extract information about the running browsers. Such a hybrid solution can be a powerful tool in the hands of any hacker collective. The researchers also found that some of the target bank services undergo additional checks. This is done to circumvent measures taken by the relevant security team.

Some of the analyzed samples use social engineering tactics that attempt to gain the users' trust. They mask their activity by pretending to be a protection module, imitating the Trusteer Rapport logo.
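The file traits described above (a large DLL, a statically linked OpenSSL, no packing) can be turned into a quick triage check for suspicious attachments or dropped files. The following is an added example, not code from the researchers or from the malware; the size and entropy thresholds are assumptions, the sample bytes are constructed, and a hit only means the file deserves a closer look, since many legitimate DLLs share these traits.

```python
import math
import re
from collections import Counter

# Binaries that statically link OpenSSL typically carry its version banner,
# e.g. "OpenSSL 1.0.2k  26 Jan 2017".
OPENSSL_BANNER = re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]{0,2} +\d{1,2} [A-Z][a-z]{2} \d{4}")

# Assumed triage thresholds, not values published by the researchers.
LARGE_DLL_BYTES = 2 * 1024 * 1024
PACKED_ENTROPY = 7.2  # bits/byte; packed or encrypted code approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def triage(data: bytes) -> dict:
    """Summarise the three traits the article describes for one file image."""
    banners = sorted({m.group().decode("ascii") for m in OPENSSL_BANNER.finditer(data)})
    entropy = shannon_entropy(data)
    report = {
        "is_pe": data[:2] == b"MZ",  # DOS/PE header magic
        "size": len(data),
        "openssl_banners": banners,
        "entropy": round(entropy, 2),
        "looks_packed": entropy >= PACKED_ENTROPY,
    }
    # Large + static OpenSSL + not packed: worth a closer look, not a verdict.
    report["review"] = (
        report["is_pe"] and report["size"] >= LARGE_DLL_BYTES
        and bool(banners) and not report["looks_packed"]
    )
    return report


def constructed_sample(size: int, banner: bytes = b"") -> bytes:
    """Build a constructed, non-functional byte image for demonstration."""
    body = b"MZ" + bytes(range(64)) * 8 + banner
    return body + b"\x00" * (size - len(body))


if __name__ == "__main__":
    demo = constructed_sample(3_300_000, b"OpenSSL 1.0.2k  26 Jan 2017")
    print(triage(demo))
```
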

Embuste Bot Distribution

The malware is mainly distributed via email spam campaigns. Hackers worldwide employ several different scenarios to spread viruses this way, and social engineering is usually used to increase the infection ratio. The following cases are the most common ones:

  • Messages With Hyperlinks – The campaigns contain hyperlinks that link to download sites or hacker-controlled sites where the malware resides. Some of them may also point directly to the executable files.

  • Messages With Direct Attachments – These emails attach the malware files directly to the message. Recently the use of infected documents has become a rising trend. The hackers use documents that appear to be of interest to the user, such as invoices, letters and contracts. Upon interaction with them, a notification is presented to the targets stating that a script needs to be run. The script is used to deploy the virus to the victims.

  • Hybrid Messages – A combination of the above methods.

As always we highly recommend that all users use a quality anti-malware solution to protect themselves from possible intrusion attempts, as well as to remove active infections with a few mouse clicks.


Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

