While analyzing new malware samples, we found a brazilian banking Trojan that caught our interest: It contains plenty of images – all of brazilian banks and insurances.
It is quite a multi talent when it comes to the bank logins it attacks.
One graphic inside the malware is irritating though as it doesn’t belong to a bank, but is something like a business card of the malware creators:
Using graphics inside the Trojan is strange: Only slight changes on the real banking site suffice and the Trojan shows an outdated page which may rise suspicion. On the other hand, this saves the malware programmer from writing parsers and routines to properly manipulate web sites on-the-fly. In the end this looks like a (not_even_)point-and-shoot-Trojan: It is sent out in masses in the hope that until all antimalware solutions detect it, enough people have fallen victim to it.
The Trojan uses a driver to hook into the system and to hide itself. Also, it tries to delete the updater programs belonging to different antivirus solutions. Currently, we detect this malware as RKit/Banker.O; with the next engine update it will also be detected as TR/ATRAPS.Gen2 for the Trojan component and as TR/Rootkit.Gen2 for the rootkit driver component. Thus Avira users are protected from this threat.