The new malware, dubbed XPCTRA, can steal users' banking credentials, as well as their credentials for the Blockchain.info bitcoin wallet, the online e-payment service PerfectMoney, the e-wallet provider Neteller, and their email accounts.
The threat was discovered and analyzed by Morphus Labs CRO (and SANS ISC incident handler) Renato Marinho.
He spotted the malware being delivered via links in spam emails. The link supposedly leads to a bank bill in PDF form, but actually downloads XPCTRA’s dropper component. The dropper contacts the C&C server and downloads the other malware parts bundled in an executable named idfptray.exe.
Look at the diagram shown above and the textual description below to understand the threat flow, from malicious e-mail to data theft:
- The infection vector (malspam) links to a supposed PDF invoice, which actually leads the victim to download an executable file (dropper);
- Once executed, the dropper downloads a “.zip” file, unzips and executes the malware payload;
- It then begins a series of actions, including:
  - Persists itself in the OS, in order to survive a system reboot;
  - Changes firewall policies to allow the malware to communicate unrestrictedly with the Internet;
  - Instantiates Fiddler, an HTTP proxy that is used to monitor and intercept the user's access to the financial institutions;
  - Installs the Fiddler root certificate so that the browser trusts the proxy's forged certificates and the user sees no digital certificate errors;
  - Points the Internet browsers' settings to the local proxy (Fiddler);
  - Monitors and captures user credentials while accessing the websites of 2 major Brazilian banks and other financial institutions;
  - Stolen credentials are sent to the criminals through an unencrypted C&C channel;
  - Establishes an encrypted channel to allow the victim's system to be controlled by the attackers (RAT);
  - Monitors and captures user credentials while accessing email services like Microsoft Live, Terra, IG and Hotmail. The stolen accounts are then used to spread the malware further;
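The steps above leave host-level traces that a responder can check for directly: a browser proxy setting pointed at localhost, an extra trusted root certificate, a new outbound firewall allow rule, a persistence entry and a local listener. The following triage script is an added example written for this article, not code from Morphus Labs or from the malware analysis. It assumes Fiddler's default root certificate name (DO_NOT_TRUST_FiddlerRoot) and default listener port (TCP 8888); a variant can change both, so the script also lists any recently added roots and every Run-key entry rather than matching only on those defaults. It is read-only and needs an elevated PowerShell session on Windows 8/Server 2012 or later for the NetSecurity cmdlets.

```powershell
# Triage for XPCTRA-style local-proxy interception. Read-only; run elevated.
# Assumptions (not from the original analysis): Fiddler default root name
# 'DO_NOT_TRUST_FiddlerRoot' and default listener port 8888.

$findings = @()

# 1. WinINET proxy (used by IE/Edge/Chrome) pointed at a local proxy.
#    Firefox keeps its own prefs.js and is not covered here.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer -match '(127\.0\.0\.1|localhost)') {
    $findings += "WinINET proxy enabled and pointed at localhost: $($inet.ProxyServer)"
}

# 2. Fiddler root certificate (or any root added in the last 30 days) in the
#    user or machine trusted-root store.
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    Get-ChildItem $store | Where-Object {
        $_.Subject -match 'Fiddler' -or $_.NotBefore -gt (Get-Date).AddDays(-30)
    } | ForEach-Object {
        $findings += "Trusted root in $($store): $($_.Subject) (valid from $($_.NotBefore), thumbprint $($_.Thumbprint))"
    }
}

# 3. Outbound firewall allow rules for programs outside the usual install
#    locations (the malware adds its own allow rule).
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $app = ($_ | Get-NetFirewallApplicationFilter).Program
        if ($app -and $app -notmatch '^(%ProgramFiles%|C:\\Program Files|C:\\Windows|%SystemRoot%|System)') {
            $findings += "Outbound allow rule '$($_.DisplayName)' for $app"
        }
    }

# 4. Persistence: Run keys and Startup items. The bundled payload reported
#    for this sample is idfptray.exe, but list everything rather than
#    matching on that one name.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { $findings += "Run entry $($_.Name) = $($_.Value)" }
    }
}
Get-CimInstance Win32_StartupCommand | ForEach-Object {
    $findings += "Startup item $($_.Name): $($_.Command)"
}

# 5. A local listener on Fiddler's default port, with the owning process.
Get-NetTCPConnection -State Listen -LocalAddress 127.0.0.1 -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq 8888 } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += "Local listener on 127.0.0.1:$($_.LocalPort) owned by $($proc.ProcessName) (PID $($_.OwningProcess))"
    }

if ($findings) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'No XPCTRA-style interception traces found.'
}
```

Treat a localhost proxy combined with an unexpected trusted root as the strongest signal: either alone has benign explanations (developer tools, corporate TLS inspection), but together they are exactly the interception setup described above. Remove the root certificate and reset the proxy only after the persistence entry and the running process have been dealt with, or the malware will simply reinstall them.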
This particular variant appears to have been designed to target users in Brazil, but that does not mean there are no other variants, or similar malware, targeting users in the rest of the globe.