Trojan Mimics Chrome Installer to Steal Banking Information

ID THREATPOST:A6D74E88E519E41D926C9D5D06F7513D
Type threatpost
Reporter Anne Saita
Modified 2013-04-17T16:32:13


Malware impersonating a Google Chrome Installer is actually stealing data while stripping software used to protect online banking transactions. The Trojan at present appears to target users in Brazil and Peru.

Trend Micro researchers report in a blog post that they have discovered a malicious file called ChromeSetup.exe hosted in domains such as Facebook, MSN,, and Google. Most appear tied to Brazil since .br or br. appears in the URLs.

Once downloaded from a site, the malware relays an infected machine’s IP address and operating system to a C&C server. Then, when a user tries to access a legitimate bank site, the Trojan TSPY_BANKER.EUIQ intercepts the page request and displays a “Loading system security” dialog box, tricking users into thinking that the website is loading security software when it’s actually redirecting them to the fake banking website.

To aid in a data heist, another component of the Banker malware, as it’s called, uninstalls software called GbPlugin, which is designed to protect Brazilian bank customers during online banking. “It does this through the aid of gb_catchme.exe – a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software. The bad guys, in this case, are using the tool for their malicious agendas,” according to threats analyst Brian Cayanan.

While analyzing the C&C panel, Trend Micro researchers saw a spike in phone home logs from 400 to almost 6,000 in a three-hour span – suggesting a malware outbreak or possibly stumbling upon a migration to the C&C server. This represented 3,000 compromised machines, according to the post.

The server then “became inaccessible.”

There’s evidence the malware has evolved since being found in the wild. Initially, the Banker malware required three components be installed separately. Newer samples suggest all three components are now wrapped into one package.

“It looks like this malware is still under development and we may still see improvements in future variants. Roland (de la Paz) also mentions that he came across a likely related C&C that surface last October 2011, which indicates that the perpetrators behind this threat aren’t new in the scene,” wrote Cayanan, who also worked with a third researcher, Roddell Santos, on the Banker malware investigation.

“While we may have a complete picture of this particular attack, the one missing piece now is the same thing that made us notice this malware from the millions of data that we have from our threat intelligence – how it is able to redirect user accesses from normal websites like Facebook or Google to its malicious IP to download malware,” Cayanan wrote. “We will continue our investigation related to this incident and will update this blog with our findings.

“Online threats will continue to evolve and find ways into systems. As such, traditional web blocking technologies may fail to block access to malicious URLs, especially when these are masked with the use of legitimate domains like those of Facebook or Google.”