TrojanSpy:Win32/Bancos.AAN is a member of Win32/Bancos - a family of data-stealing trojans that captures online banking credentials, such as account login names and passwords, and relays the captured information to a remote attacker.
Most Win32/Bancos variants target customers of Brazilian banks, though some variants target customers of banks in other locations.
This variant has also been observed stealing email credentials and removing security software applications that are present on the infected computer.
Installation
TrojanSpy:Win32/Bancos.AAN is distributed disguised as a media file or application, having a file name similar to the following:
Upon execution it drops a copy of itself as CTMON.EXE in the %AppData% directory.
Note: %AppData% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the AppData folder for Windows 2000 and NT is C:\Documents and Settings\<user>\Application Data; and for XP, Vista, and 7 is C:\Users\<user>\AppData\Roaming.
The malware drops the following files:
- %root%\TITI.EXE - used for stealth operation, hiding the malware process and other component files
- %root%\kill.txt - list of directories to delete; these directories belong to security software applications that may detect the presence of the malware
- <system folder>\drivers\TRS.SYS - used for patching webpages in order to place web forms on top of original ones; this behavior may be used in intercepting a user's online banking credentials
Note: %root% refers to the location c:\, and <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
TrojanSpy:Win32/Bancos.AAN modifies the following registry entries to ensure that its copy executes at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: "%appdata%\ctmon.exe"
The malware disables the LUA (Least-Privileged User Account), also known as the "administrator in Admin Approval Mode" user type, by making the following registry modification:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
TrojanSpy:Win32/Bancos.AAN may also register its rootkit component as a service named "pelodlo" in order to execute on system start, by making the following changes to the registry:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\pelodlo
Sets value: "ImagePath"
With data: "%system%\drivers\trs.sys"
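The three registry changes described above (the Run key persistence, the EnableLUA tamper, and the "pelodlo" driver service) are all visible in a registry export, so a responder can check a suspect host without running the sample. The following Python script is an added example written for this page, not Microsoft's tooling: it parses a .reg export (assumed to be produced with `reg export` or Registry Editor) into key/value pairs and flags the entries that match the indicators listed above. The embedded export is constructed for the example, with one benign Run entry mixed in; the key names use the full hive names that .reg files emit (HKEY_LOCAL_MACHINE for HKLM, HKEY_CURRENT_USER for HKCU), and `%system%` is kept as the page writes it.

```python
"""Flag the TrojanSpy:Win32/Bancos.AAN registry indicators in a .reg export."""
from typing import Callable, Dict, List, Tuple

# Constructed sample export (not taken from a real infected host). The three
# malicious entries mirror the ones described on this page; "OneDrive" is a
# benign entry included to show that ordinary Run values are not flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="%appdata%\\ctmon.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pelodlo]
"ImagePath"="%system%\\drivers\\trs.sys"
"""


def _decode_value(value: str) -> str:
    """Turn a .reg value literal into plain text: dwords become decimal
    strings, quoted strings are unescaped, anything else is left as-is."""
    if value.startswith("dword:"):
        return str(int(value[len("dword:"):], 16))
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return value


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map lower-cased key paths to {lower-cased value name: data}.
    The default value of a key ('@' in .reg syntax) is stored as '(default)'."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"').lower()
        keys[current][name] = _decode_value(value)
    return keys


# (label, key path, value name, predicate on the decoded data)
INDICATORS: List[Tuple[str, str, str, Callable[[str], bool]]] = [
    ("persistence: Run key default value launches ctmon.exe",
     r"hkey_local_machine\software\microsoft\windows\currentversion\run",
     "(default)", lambda v: v.lower().endswith("\\ctmon.exe")),
    ("UAC tamper: EnableLUA set to 0 under the user Policies\\System key",
     r"hkey_current_user\software\microsoft\windows\currentversion\policies\system",
     "enablelua", lambda v: v == "0"),
    ("rootkit service: 'pelodlo' ImagePath points at trs.sys",
     r"hkey_local_machine\system\currentcontrolset\services\pelodlo",
     "imagepath", lambda v: v.lower().endswith("\\trs.sys")),
]


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a human-readable line for each indicator present in the export."""
    hits = []
    for label, key, value_name, matches in INDICATORS:
        data = keys.get(key, {}).get(value_name)
        if data is not None and matches(data):
            hits.append(f"{label} [{key}\\{value_name} = {data}]")
    return hits


if __name__ == "__main__":
    for hit in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(hit)
```

The match on `EnableLUA` is deliberately restricted to the HKCU Policies\System path the page names; a `0` under the HKLM path is a different finding (a system-wide UAC change) and should be reviewed separately rather than attributed to this family.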
Payload
Steals online banking and email credentials
This trojan targets user passwords and digital PINs used on the following banking websites:
- Banco Bradesco
- HSBC Bank Brasil
- Banco Santander
TrojanSpy:Win32/Bancos.AAN uses scare tactics in an attempt to force users into logging in to their online bank account; it does so by displaying messages such as the following:
Portuguese:
Prezado Cliente, no momento estamos em manutenção. Para sua segurança, acesse nosso site dentro de algumas horas.
English:
Dear Customer, we are currently under maintenance. For your safety, visit our website within hours.
Portuguese:
Para sua segurança e comodidade, seu Cartão Chave de Segurança Bradesco foi desativado por excesso de tentativas invalidas.
English:
For your safety and convenience, your Security Key Card Bradesco was deactivated for excess invalid attempts.
It also targets email credentials such as Windows Live ID.
Contacts remote hosts
The trojan also connects to its remote web server in order to send information it has intercepted, and check for updates.
It may contact the following websites in order to do this:
- hxxp://www. sabrinaclick.<BLOCKED> com.br/ enviador.phps
- hxxp://www. olvpls<BLOCKED> .be/ images/ edit_32_3.php
The following information regarding system activity is logged and sent to the remote server:
- Machine name
- MAC address (Media Access Control address)
- Opening date - the date the user opened/accessed online banking
- Opening time - the time the user opened/accessed online banking
- Bank name
Deletes security software
TrojanSpy:Win32/Bancos.AAN attempts to delete a list of directories used by security software applications found in the %Program Files% directory. For example, we have observed the malware deleting the following folders:
- Alwil Software
- AVG
- Avira
- ESET
- Grisoft
- KASPER~1
- NORTON~1
- Panda Security
- Softwin
Analysis by Zarestel Ferrer