Banking Trojan Targets US and Mexico Using App Libraries

Discussion in 'malware problems & news' started by ronjor, May 6, 2016.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    http://www.infosecurity-magazine.com/news/banking-trojan-targets-us-and/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Another example of using .Net to employ legit apps in a malicious way; in this instance Fiddler and JSON.

    Things that caught my eye from the detailed Zscaler analysis are:

    Once executed, the installer will attempt to download the following three components on the victim's machine:

    • syswow.exe - This is the main Infostealer payload that steals the banking credentials
    • FiddlerCore3dot5.dll - Fiddler Proxy Engine for .NET applications. This is a legitimate .NET Class library file that the malware authors are using in the main Infostealer functionality
    • Newtonsoft.Json.dll - Open source JSON framework for .NET applications. This is a legitimate .NET Class library file that the malware authors are using for parsing Command & Control (C&C) server response data and converting it into XML format

    The above files are downloaded in the Windows system directory.

    For other versions of Windows (non-XP), the malware will not create an autostart registry key. However, in order for the Fiddler proxy engine to work properly, the malware will install a Fiddler-generated root certificate before starting the proxy engine.

    Hence the need to monitor file creation in the Windows system directories and protect root CA certificate registry keys.

     
    Last edited: May 6, 2016
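The two indicators itman points to above (component files dropped into the Windows system directories, and a Fiddler-generated root certificate installed into the trusted root store) can be checked for on a host with a short read-only triage script. The following is an added example, not code from the Zscaler report or from this thread. It assumes the three file names quoted from the analysis, that the FiddlerCore default root-certificate subject contains "DO_NOT_TRUST_FiddlerRoot" (a repackaged build could use another name, so recently issued self-signed roots are listed as well), and an arbitrary 30-day window for "recent". The trusted root stores it enumerates are the same entries that live under HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates and the HKCU equivalent, which are the registry keys worth protecting or auditing for writes.

```powershell
# Added example (not from the Zscaler report or the forum post): read-only
# triage check for the indicators discussed in the thread.
# Assumptions: component file names come from the quoted analysis;
# "DO_NOT_TRUST_FiddlerRoot" is FiddlerCore's default root-certificate name
# (a modified build could use another, so recent self-signed roots are also
# reported); $recentDays is an arbitrary triage threshold.

$componentNames = @('syswow.exe', 'FiddlerCore3dot5.dll', 'Newtonsoft.Json.dll')
$systemDirs     = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$recentDays     = 30

function Find-DroppedComponents {
    # Look for the named components in the Windows system directories and
    # record creation time and Authenticode status for each hit.
    foreach ($dir in $systemDirs) {
        foreach ($name in $componentNames) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) {
                $item = Get-Item -LiteralPath $path
                [pscustomobject]@{
                    Indicator = 'SuspiciousFile'
                    Path      = $path
                    Created   = $item.CreationTime
                    Size      = $item.Length
                    Signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
                }
            }
        }
    }
}

function Find-SuspiciousRootCerts {
    # The Cert: drive exposes the machine and user Root stores, which are
    # backed by ...\SystemCertificates\ROOT\Certificates in the registry.
    $cutoff = (Get-Date).AddDays(-$recentDays)
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | ForEach-Object {
            $isFiddler  = $_.Subject -match 'DO_NOT_TRUST_FiddlerRoot'
            $selfSigned = $_.Subject -eq $_.Issuer
            $isRecent   = $_.NotBefore -gt $cutoff
            if ($isFiddler -or ($selfSigned -and $isRecent)) {
                $kind = 'RecentSelfSignedRoot'
                if ($isFiddler) { $kind = 'FiddlerRootCert' }
                [pscustomobject]@{
                    Indicator  = $kind
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotBefore  = $_.NotBefore
                }
            }
        }
    }
}

$findings = @(Find-DroppedComponents) + @(Find-SuspiciousRootCerts)
if ($findings.Count -eq 0) {
    Write-Output 'No matching component files or suspicious root certificates found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so the LocalMachine store and both system directories are readable. A hit on the Fiddler subject is a strong signal on a machine where nobody installed Fiddler deliberately; a recent self-signed root on its own is only a lead, since Windows' automatic root updates and legitimate corporate inspection proxies also add roots, and each such entry should be matched against the Thumbprint of the certificate the organisation expects.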