Trend Micro researchers recently came across several suspicious-looking domains hosting a malicious download called ChromeSetup.exe, which specifically targets Latin American online banking customers.
"An analysis of the file ChromeSetup.exe done by my colleagues Roddell Santos and Roland dela Paz verified that it is a multi-component BANKER malware detected as TSPY_BANKER.EUIQ," writes TrendLabs' Brian Cayanan. "Once running on a system, TSPY_BANKER.EUIQ sends information such as the infected system’s IP address and operating system name to a specific IP address. It also downloads a configuration file that contains information it uses to redirect access to fake banking pages whenever a user attempts to visit certain banking websites."
"Then, when a user tries to access a legitimate bank site, the Trojan TSPY_BANKER.EUIQ intercepts the page request and displays a 'Loading system security' dialog box, tricking users into thinking that the website is loading security software when it's actually redirecting them to the fake banking website," writes Threatpost's Anne Saita. "To aid in a data heist, another component of the BANKER malware, as it's called, uninstalls software called GbPlugin, which is designed to protect Brazilian bank customers during online banking."
"Trend Micro gained access to a log file associated with the C&C servers that were managing this strain of BANKER and saw the number of PCs infected with the malware quickly multiply," writes InformationWeek's Mathew J. Schwartz. "'During the time the C&C panel was analyzed ... the phone-home logs jumped from around 400 to nearly 6,000 in a span of 3 hours. These logs are comprised of 3,000 unique IP addresses, which translates [into] the number of machines infected by the malware,' Cayanan said."
"You can protect yourself and your online banking sessions by making sure any site that requires you to enter your financial information is secured with 'HTTPS' encryption -- look for 'HTTPS' highlighted in green and a picture of a lock in your Web browser," advises MSNBC's Matt Liebowitz. "If a website seems suspicious, or requests information you don't feel comfortable handing over, do not trust it."