Threat behavior
TrojanSpy:Win32/Bancos.TL is a trojan that modifies a compromised system so that traffic to particular Internet banking sites is routed through an attacker-specified proxy.
Installation
When executed, the malware copies itself to %windir%\services.exe and creates the following registry entry to ensure execution at each Windows start:
Adds value: "Spooler de Impressão"
With data: "%windir%\services.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Payload
Attempts to steal online banking credentials
The malware changes the web browser's proxy settings on the infected machine by setting the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
This causes the browser to fetch a remote proxy configuration file from the following domain:
baguncanet.com
The configuration file alters the affected user's browser settings so that connections to any of the following domains are sent through a specific proxy server:
http://www.bradesco.com.br
http://bradesco.com.br
http://www.itau.com.br
http://itau.com.br
http://www.real.com.br
http://real.com.br
http://www.bancoreal.com.br
http://bancoreal.com.br
http://www.bancodobrasil.com.br
http://bancodobrasil.com.br
http://bb.com.br
http://www.bb.com.br
http://www.sicredi.com.br
http://sicredi.com.br
http://www.caixa.gov.br
http://caixa.com.br
http://banrisul.com.br
http://www.banrisul.com.br
http://www.citibank.com.br
http://www.santander.com.b
http://santender.com.br
http://internetbanking.caixa.gov.br
This redirects banking-related web traffic through a proxy that is controlled by a remote attacker.
Analysis by Ray Roberts
Prevention