TrojanSpy:Win32/Banker.ACM is a trojan that captures user-entered data for certain targeted websites and sends the collected information to specific email addresses for collection by an attacker. The list of targeted sites includes numerous online banking sites.
Installation
TrojanSpy:Win32/Banker.ACM is installed by other malware such as TrojanDownloader:Win32/VB.TL and may be present as a file named "leprechaun.exe" in the Windows system folder. The registry is modified to run the trojan at each Windows start.
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Leprechaun"
With data: "%windir%\System32\leprechaun.exe"
Payload
Terminates processes/deletes files
TrojanSpy:Win32/Banker.ACM attempts to terminate numerous processes belonging to the online banking security applications SCPad (Scopus Tecnologia) and GbPlugin, and deletes their files:
- Scopus Tecnologia SCPad
c:\Program Files\Scpad\scpIBCfg.bin
c:\Program Files\Scpad\scpLIB.dll
c:\Program Files\Scpad\scpLg.bin
c:\Program Files\Scpad\scpMIB.dll
c:\Program Files\Scpad\scpVista.exe
c:\Program Files\Scpad\scpsssh2.dll
c:\Program Files\Scpad\sshib.dll
c:\arquivos de programas\Scpad\scpIBCfg.bin
c:\arquivos de programas\scpad\scpLIB.dll
c:\arquivos de programas\scpad\scpLg.bin
c:\arquivos de programas\scpad\scpMIB.dll
c:\arquivos de programas\scpad\scpsssh2.dll
c:\arquivos de programas\scpad\sshib.dll
- GbPlugin
C:\Program Files\GbPlugin\gbieh.dll
C:\Program Files\GbPlugin\gbiehabn.dll
C:\Program Files\GbPlugin\gbiehcef.dll
C:\Arquivos de Programas\GbPlugin\gbieh.dll
C:\Arquivos de Programas\GbPlugin\gbiehabn.dll
C:\Arquivos de Programas\GbPlugin\gbiehcef.dll
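The persistence entry and the file deletions described above can be checked on a host with the following PowerShell script, an added example that is not part of the Microsoft write-up. It assumes PowerShell 5 or later running as an administrator; the registry value, dropped file and plugin file names are taken from the lists above, and the missing-file check is only meaningful on machines where SCPad or GbPlugin was actually installed.

```powershell
# Added example (not from the Microsoft write-up): looks for the
# TrojanSpy:Win32/Banker.ACM host indicators described above.
$findings = @()

# 1. Persistence: Run value "Leprechaun" in HKLM
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Leprechaun']) {
    $findings += "Run value 'Leprechaun' = $($run.Leprechaun)"
}

# 2. Dropped file in the Windows system folder
$dropped = Join-Path $env:windir 'System32\leprechaun.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

# 3. Tampering with banking security plugins: the files the trojan deletes.
#    The parent folder is checked first so that an absent product is not
#    reported as tampering.
$protected = @{
    'Scpad'    = 'scpIBCfg.bin','scpLIB.dll','scpLg.bin','scpMIB.dll',
                 'scpVista.exe','scpsssh2.dll','sshib.dll'
    'GbPlugin' = 'gbieh.dll','gbiehabn.dll','gbiehcef.dll'
}
# English and Portuguese (Arquivos de Programas) install roots, as in the write-up
foreach ($root in @(${env:ProgramFiles}, 'C:\Arquivos de Programas')) {
    foreach ($product in $protected.Keys) {
        $dir = Join-Path $root $product
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in $protected[$product]) {
            $path = Join-Path $dir $file
            if (-not (Test-Path -LiteralPath $path)) {
                $findings += "Missing protected file: $path"
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No Banker.ACM indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A Run value or dropped file is a direct hit; a missing plugin file on its own only warrants a closer look, since the product may simply have been removed or updated.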
Steals logon credentials
TrojanSpy:Win32/Banker.ACM monitors user input entered at a long list of targeted URLs, mostly online banking logins but also webmail, payment and online shopping sites.
The trojan sends captured data to the following recipients:
- emaildasorte2012@oi.com.br
- emaildasorte2011@gmail.com
- n3rv0s0001@gmail.com
The trojan sends the email containing the captured data from a number of UOL (uol.com.br) webmail accounts.
Analysis by Alden Pornasdoro