Cybercriminals Seized Control of Brazilian Bank for 5 Hours

Discussion in 'malware problems & news' started by itman, Apr 4, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    http://www.darkreading.com/attacks-...of-brazilian-bank-for-5-hours/d/d-id/1328549?
     
  2. itman

    itman Registered Member

    A footnote to this attack is that if you are not using something akin to EMET's certificate pinning, where you pin your bank's web site URL to its valid root CA store certificate, you should always visually verify that the certificate chain of the bank's web site points to the correct root CA store certificate upon access to the bank's web site. You can get the thumbprint of the bank's root CA store certificate here: https://www.grc.com/fingerprints.htm?domain=store.www.href.com . Store the thumbprint and use it to compare it to the one shown for the bank's root CA store certificate upon access to the bank's web site.
     
    Last edited: Apr 4, 2017
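A small script that does the comparison the post above describes, added here as an example; it is not from the post, from EMET or from GRC. It assumes the stored thumbprint was copied from a browser or from the GRC page in the usual colon-separated hex form (any spacing or case is accepted), and it uses only the Python standard library. The offline part (fingerprint, normalize, pin_matches, der_from_pem) works on any DER or PEM certificate you paste in; the live check, fetch_leaf_der, connects to the site and pins the certificate the server presents (the leaf), because the stdlib socket API exposes only that one. To compare the root certificate as the post suggests, export it from the browser's certificate viewer and feed it to der_from_pem instead. The host name in the comment and the sample certificate bytes are constructed placeholders, not a real bank.

```python
import base64
import hashlib
import hmac
import socket
import ssl

HEX_CHARS = set("0123456789ABCDEF")


def fingerprint(der_cert: bytes, algo: str = "sha256") -> str:
    """Thumbprint of a DER-encoded certificate as browsers display it:
    uppercase hex pairs separated by colons. 'sha1' gives the older
    20-byte form that many UIs (and the GRC page) still show."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(thumbprint: str) -> str:
    """Strip colons, spaces and case so a value copied from any UI compares equal."""
    return "".join(c for c in thumbprint.upper() if c in HEX_CHARS)


def pin_matches(der_cert: bytes, pinned: str, algo: str = "sha256") -> bool:
    """Constant-time comparison of the observed thumbprint against the stored one.
    The algorithm is inferred from the stored length if the caller does not say."""
    expected = normalize(pinned)
    if len(expected) == 40:
        algo = "sha1"
    elif len(expected) == 64:
        algo = "sha256"
    observed = normalize(fingerprint(der_cert, algo))
    return hmac.compare_digest(observed.encode(), expected.encode())


def der_from_pem(pem_text: str) -> bytes:
    """Accept a certificate exported from a browser as PEM (Base64) text."""
    return ssl.PEM_cert_to_DER_cert(pem_text.strip())


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Live check: TLS-connect and return the leaf certificate the server sent.
    Verification against the OS trust store still happens; the pin is an extra gate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_site(host: str, pinned: str) -> bool:
    """True only if the certificate presented right now matches the stored thumbprint."""
    return pin_matches(fetch_leaf_der(host), pinned)


# Constructed sample: not a real certificate, just bytes standing in for DER
# so the offline functions can be exercised without a network connection.
SAMPLE_DER = bytes(range(0x30, 0x30 + 48))
SAMPLE_PEM = "\n".join(
    ["-----BEGIN CERTIFICATE-----", base64.b64encode(SAMPLE_DER).decode(), "-----END CERTIFICATE-----"]
)
# What you would have stored after the first visit (here derived from the sample).
STORED_PIN = fingerprint(SAMPLE_DER, "sha1")


def demo() -> bool:
    """Offline walk-through: the stored pin matches the sample, a one-byte change does not."""
    same = pin_matches(der_from_pem(SAMPLE_PEM), STORED_PIN)
    tampered = pin_matches(SAMPLE_DER[:-1] + b"\x00", STORED_PIN)
    return same and not tampered


if __name__ == "__main__":
    print("offline demo ok:", demo())
    # Live use (hypothetical host, network required):
    # print(check_site("bank.example", "AB:CD:...:EF"))
```

Keep the stored thumbprint somewhere the browser profile cannot be silently rewritten, and expect it to change legitimately when the bank renews its certificate; a mismatch then means "stop and look at the chain", not necessarily "attack".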
  3. plat1098

    plat1098 Guest

    Jeez, sort of like armed robbery in real life with a huge haul, right? Funding what agenda, I wonder. My smaller bank is based in the Caribbean, surprising that such a large banking conglomerate fell victim to this. I use a dumb phone--no online banking ever. Shameful security for such a large bank with such assets.
     
  4. itman

    itman Registered Member

    A bit more on this attack from Kaspersky:
    https://threatpost.com/lessons-from-top-to-bottom-compromise-of-brazilian-bank/124770/

    What is really pathetic is that this abuse of Avenger was well known, dating back to 2008. The latest alert I could find on it was here: https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=395 . Also, Avenger only works, as best as I could determine, on pre-Win 8 OS versions, implying the target bank was running Win 7 on its endpoints.

    -EDIT- OMG! Not the first time a legit anti-rootkit tool was abused by malware. It happened in 2009 using GMER. You can read about that here: http://news.softpedia.com/news/Bank...ootkit-Tool-to-Kill-Security-App-124891.shtml .

    Now get this. That attack was also done against a Brazilian bank. Want to bet it's the same bank the current attack was successful against?
     
    Last edited: Apr 7, 2017