BREX_BANKER.ACE

This Trojan Spy arrives as an attachment to email messages mass-mailed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan Spy arrives as an attachment to email messages mass-mailed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

• https://{BLOCKED}anotherrace.com/javascript/log3.php?logins=1

NOTES:

This is a Google browser extension named IDKEY STOR.

This malware looks for the following strings first before its executing malicious routine:

• "fetuar "
• "agar "
• "agamento "
• "sign "
• "ontinu "
• "inaliza "
• "cessa "
• "confirma "
• "ok "
• "ntra "
• "avan "
• "ogin "
• "uber "

It also triggers its malicious routine when following buttons are clicked:

• "#idSIButton9"
• "#signIn"
• "#login-signin"
• "#idbtn1"

It monitors all visited websites and gathers the following information:

• location.hostname
• location.href
• HTML input elements with the ff. types:
  • password
  • text
  • email
  • tel
  • number
  • hidden

It also has bar-code(boletos) tampering capability targeting following legitimate banking websites:

• [banco.brades]co.com.br/html/classic/produtos-servicos/outros/2-via-de-b
• [ba]nkline.itau.com.br
• https://www.losangonet.com.br/Commons/asp/BarcodeImage.aspx?G=003&C={credentials}

It gathers tampering information from:

• https://{BLOCKED}anotherrace.com/salsa10/index.php?lendo=