We want to warn you of a Banker Trojan that is using the news of the miners trapped in Chile to be distributed and infect users. It has been detected as Banbra.GUC.
The malicious file reaches the computer with the following icon:
When this file is run, the Internet Explorer browser is opened showing a Youtube video of a news channel about the rescue of the Chilean miners trapped in a mine several days ago.
The following images belong to the video displayed by the Trojan:
But, all this is nothing but a distraction maneuver.
While we are watching the video, the Trojan is installed in the computer, creates a copy of itself and a Windows Registry entry to be automatically run when the computer is started.
In the following restart, it connects to an FTP Server, from which it downloads several executable files which are saved to the computer.
These files contain false websites which copy the format and content of the original websites belonging to the affected services, like several Brazilian banks, Hotmail and the social network Orkut.
The affected Brazilian banks, among others, are:
Banco do Brasil
Banco Real
Banco Santander Brasil
Bradesco
Caixa Brasil
Itaú
Unibanco
The main file monitors the network traffic and when it detects that the user types any of the affected websites in the address bar, it coses the file that contains the false website of the affected service.
Then, it closes the Internet Explorer browser and activates the corresponding executable. This file will display a website that imitates the original one, but in which any of the links and sections will not work, except for the sections belonging to forms, in order to steal banking information, passwords, email addresses, etc.
Once we have filled in the corresponding fields, the false website will be closed and the original one will be opened.
All the gathered information will be stored in several files, which will be saved to the computer and will be then sent via email to its creator.
This Trojan can be distributed via email messages or links published in social networks, so you should be very cautious in this type of situations.
If you want to get more information about this Trojan, you can check it out in the malware encyclopedia:
https://www.pandasecurity.com/homeusers/security-info/223079/Banbra.GUC
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
3 comments
no file type, no URL, no IP addresses? The information you provided in this blog entry is not very useful. Perhaps you could update it?
Olaiz is publishing the information in the Encyclopedia and once it’s done she will update the blog post with a link to it.