TSPY_DRIDEX.YYSOY

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be downloaded by other malware/grayware/spyware from remote sites.

It connects to a website to send and receive information.

It modifies the Internet Explorer Zone Settings.

It steals certain information from the system and/or the user.

It deletes itself after execution.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded by other malware/grayware/spyware from remote sites.

Installation

This spyware injects codes into the following process(es):

• explorer.exe

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
CLSID\{GUID}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
CLSID\{GUID}\ShellFolder

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
CLSID\{GUID}\ShellFolder
{random} = {encrypted configuration file}

Backdoor Routine

This spyware connects to the following websites to send and receive information:

• {BLOCKED}.{BLOCKED}.92.20:443
• {BLOCKED}.{BLOCKED}.100.131:443
• {BLOCKED}.{BLOCKED}.171.198:444
• {BLOCKED}.{BLOCKED}.43.57:443
• {BLOCKED}.{BLOCKED}.75.21:443
• {BLOCKED}.{BLOCKED}.107.19:4443

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Download Routine

This spyware connects to the following URL(s) to download its component file(s):

• {BLOCKED}.{BLOCKED}.38.36:473
• {BLOCKED}.{BLOCKED}.237.112:473
• {BLOCKED}.{BLOCKED}.136.31:473

Information Theft

This spyware steals the following information:

• Online banking/Social networking sites credentials
• Other login credentials (see URL list below for more details)
• Browser screenshots

It gathers the following data:

• Username
• Computer name
• Installation date
• Installed programs and version

Other Details

This spyware deletes itself after execution.

NOTES:

This spyware uses the following regular expressions in monitoring sites where is steals login credentials:

• (|\.)alstats\.com
• uni\.ibank\.nbg\.gr
• www7\.onlinebanking\.natwestoffshore\.com
• staticres\.klikbca\.com
• www7\.rbsdigital\.com
• www3\.bankline\.rbs\.com
• check\.tsb\.co\.uk
• www7\.ulsterbankanytimebanking\.co\.uk
• www7\.ulsterbankanytimebanking\.ie
• www3\.bankline\.ulsterbank\.co\.uk
• www3\.bankline\.ulsterbank\.ie
• pioneer\.co\-operativebank\.co\.uk
• mc3\.retail\.santander\.co\.uk
• yellow\.co\-operativebank\.co\.uk
• www3\.bankline\.natwest\.com
• tppa\.bmo\.com
• www7\.onlinebanking\.natwestoffshore\.com
• www\.t32\.pnc\.com
• pane\.bankofamerica\.com
• www\.u43\.pnc\.com/pressroom
• www\.isbank\.com\.tr/Internet/images7
• fbds7\.tangerine\.ca
• www7\.suntrust\.com
• tts\.dlbank\.be
• iss\.gtbank\.com
• www7\.nwolb\.com
• b8k\.nationwide\.co\.uk
• smetrics\.nationwide\.co\.uk
• road\.nationwide\.co\.uk
• roll\.nationwide\.co\.uk
• cws\.bankline\.rbs\.com
• cws\.bankline\.natwest\.com
• nsc\.natwest\.com
• nsc\.rbs\.co\.uk
• nsc\.ulsterbank\.co\.uk
• sc\.natwest\.com
• sc\.rbs\.co\.uk
• sc\.ulsterbank\.co\.uk
• marketing\.lloydsbank\.co\.uk
• marketing\.bankofscotland\.co\.uk
• marketing\.tsb\.co\.uk
• .*\.member-hsbc-group\.com
• mcmprod\.hsbc\.co\.uk
• cdn\.bankofscotland\.co\.uk
• lab\.lloydsbank\.com
• check\.lloydsbank\.co\.uk
• check2\.lloydsbank\.co\.uk
• check\.bankofscotland\.co\.uk
• check2\.bankofscotland\.co\.uk
• cs\.directnet\.com/dn/csd/u4F
• grey\.smile\.co\.uk
• u8n\.business\.santander\.co\.uk
• www7\.secure\.investec\.com
• press\.retail\.santander\.co\.uk
• images\.coventrybuildingsociety\.co\.uk
• www\.bankline\.natwest\.com/CWSLogon/analytics
• www\.bankline\.ulsterbank\.ie/CWSLogon/analytics
• www\.bankline\.ulsterbank\.co\.uk/CWSLogon/analytics
• www\.bankline\.rbs\.com/CWSLogon/analytics
• metrics\.barclays\.co\.uk
• smetrics\.barclays\.co\.uk
• media\.barclays\.co\.uk
• resources\.barclays\.co\.uk
• cdn\.riyadonline\.com
• rac\.bankia\.es
• web12\.columbiabank\.com
• marketing\.halifax\-online\.co\.uk
• room\.business\.santander\.co\.uk
• indigo\.co\-operativebank\.co\.uk
• reporting\.cbonline\.co\.uk
• cdn\.retail\.metrobankonline\.co\.uk
• img3\.moneygram\.com
• mujcz\.erasvet\.cz
• liveperson\.net
• .*\.levexis\.com
• .*\.omtrdc\.net
• .*\.doubleclick\.net
• .*\.servicetick\.com
• .*\.2o7\.net
• .*\.parastorage\.com
• .*\.webtrendslive\.com
• webtrends\.com
• .*\.creativevirtual\.com
• .*\.tiqcdn\.com
• .*\.serving-sys\.com
• .*\.maxymiser\.net
• .*\.atdmt\.com
• splash-screen\.net
• www\.analytics\-control\.com
• .*\.smartsourceportal\.com
• .*\.na1\.netsuite\.com
• .*\.userreplay\.net
• .*\.sessioncam\.com
• .*\.intenthq\.com
• .*\.tribalfusion\.com
• .*\.mookie1\.com
• .*\.adnxs\.com
• assets\.adobedtm\.com
• .*\.jwpcdn\.com
• .*\.mediaplex\.com
• ecomm/logrequest
• xbretibx
• sucmetrics\.unicredit\.it
• cem\.halifax\-online\.co\.uk
• cembusiness\.lloydsbank\.co\.uk
• online\.nwolb\.com
• chat\.nwolb\.com
• chat\.rbsdigital\.com
• chat\.ulsterbankanytimebanking\.co\.uk
• \.(swf)($|\?)
• /isapi/ocget.dll
• ^http://realcdcnet/
• ^http://multiversa.*/
• ^http://nanterre/
• ^https?://aol.com/.*/login/
• ^https?://accounts.google.com/ServiceLoginAuth
• ^https?://login.yahoo.com/
• ^https?://login.live.com/
• ^https?://(\w+\.)?aol.com
• ^https?://(\w+\.)?facebook.com/
• ^https?://(\w+\.)?google
• ^https?://(\w+\.)?yahoo
• ^https?://(\w+\.)?youtube.com
• ^https?://(\w+\.)?live.com
• ^https?://(\w+\.)?twitter.com
• ^https?://(\w+\.)?vk.com
• ^https.*ocsp\..+$
• ^https.*safebrowsing\..+$
• ^https?://fhr\.data\.mozilla\.com
• ^https://s.*\.symcd\.com
• ^https://s.*\.symcb\.com
• ^https.*ocsp2\..+$
• localhost.+skypectoc/.+$
• \.messenger\.live\.com
• pipe\.skype\.com
• \.optimatic\.com
• hiro\.tv
• spotxchange\.com
• nielsen\.com
• mapquest\.com
• ^https://.+\.skype\.com/api/
• (//|\.)lphbs.com
• (//|\.)zynga.com
• urs\.microsoft\.com
• ^https://ibank1\.bib\.barclays\.com/logon/bibapplication.+LOGON\.VALIDATE\.SIGNED
• ^https://cashmanagement\.barclays\.net/portalservices/forms/login\.pser\?TYPE.+cashmanagement
• ^https://corporate\.santander\.co\.uk/LOGSCU_NS_ENS/BtoChannelDriver\.bto
• ^https://corporate\.santander\.co\.uk/(SCU_AUTHOR_ENS|SCU_PAYMNT_ENS)/
• ^https://entreprises\.societegenerale\.fr/
• ^https://entreprises\.certif\.societegenerale\.fr/authent\.html
• ^https://entreprises\.secure\.societegenerale\.fr/authent\.html
• ^https://professionnels\.secure\.lcl\.fr/outil/UAUT/Accueil/preRoutageLogin
• ^https://www\.labanquepostale\.fr/grands-institutionnels\.html
• ^https://www\.labanquepostale\.fr/entreprises\.html
• ^https://www\.labanquepostale\.fr/grandes-entreprises\.html
• ^https://www\.labanquepostale\.fr/professionnels\.html
• ^https://professionnels\.secure.societegenerale\.fr/$
• ^https://professionnels\.societegenerale\.fr/$
• ^https://secure1\.entreprises\.bnpparibas\.net/sommaire/jsp/identification\.jsp
• ^https://entreprises\.bnpparibas\.net/NSAccess
• ^https://www2\.bancopopular\.es/
• ^https?://www\.ce-g3-enligne\.credit-agricole\.fr/
• ^https://www\.normand-g3-enligne\.credit-agricole\.fr/stb/
• ^https?://www\.ca-paris\.fr/
• ^https?://www\.net\d+\.caisse-epargne\.fr/
• ^https://www\.anjou-maine-ediweb\.credit-agricole\.fr
• ^https://statso\.par\.societegenerale\.fr
• ^https://.+\.fr/stb/entreeBam
• ^https?://particuliers\.secure\.societegenerale\.fr
• ^https://www\.caisse-epargne\.fr/particuliers/normandie/accueil\.aspx
• ^https://rib\.ecobank\.com/ecobankburkina/internet
• ^https://.*/fi\d+/bb/logon
• ^https://corporate\.adcb\.com/corporateWeb/
• ^https://ibb\.aibgb1\.co\.uk/ibb/controller
• ^https://ibusinessbanking\.aib\.ie/ibb/controller
• ^http://business.aib.ie/(business|)login
• ^https://apib\d*\.anz\.com/apinetbank/(Startup|LoginEsInetANZ)\.aspx(\?|$)
• ^https://online\.adambank\.com/eBankingAdamLogin/login
• ^https://cib\.affinonline\.com/business/login\.html
• ^https://ibank\.agribank\.com\.vn/ibank/index\.jsp
• ^https://www\.mybusinessbank\.co\.uk/cs70\_banking/logon/slogon
• ^https://www\.allianceonline\.net\.my/Corporate/welcome\.htm
• ^https://ambank\.amonline\.com\.my
• ^https://www\.amesecurities\.com\.my/gc/main\.jsp
• ^https://ibank\.bni\.co\.id/corp/AuthenticationController
• ^https://cib\.bochk\.com/login/fis/cib\_login012\_.*\.jsp(\?|$)
• ^https://ibank\.bri\.co\.id/cms/
• ^https://ib\.bri\.co\.id/ib\-bri/Login\.html
• ^https://bizibanking\.bangkokbank\.com/bblamsui/Signon.*\.aspx
• ^https://www\.bankislam\.biz/rib/login/index
• ^https://leumionline\.bankleumi\.co\.uk/my\.policy
• ^https://ib\.bankmandiri\.co\.id/retail/Login\.do
• ^https://cib\.bochk\.com/login/cib\_login012\_.*\.jsp(\?|$)
• ^https://eb\.bankcomm\.com\.hk/eb/login\.action(\?|$)
• ^https://online\.bankofcyprus\.co\.uk/netteller/login\.faces
• ^https://biz\.hkbea\-cyberbanking\.com/servlet/MA01Show(\?|$)
• ^https://www\.boi\-bol\.com/newHome\.jsp
• ^https://www\.boi\-bol\.com/comLogon\.jsp
• ^https://banking\.bankofscotland\.co\.uk/Logon/Logon\.aspx(\?|$)
• ^https://online\-business\.bankofscotland\.co\.uk/business/logon/login\.jsp(\?|$)
• ^https://private\.bankofsingapore\.com/IPBWBWeb/Login/.+\.aspx(\?|$)
• ^https://cashmanagement\.barclays\.net/portalservices/forms/login\.pser
• ^https://www\.barclayswealth\.com/login/action/logon/unauthenticated/personal/loginDetails
• ^https://connect\.barclays\.com/.*authen
• ^https://www\.fundsdirect\.co\.uk/bks/login\.aspx\?bksid=beaumont
• ^https://secure\.cafbank\.org
• ^https://corporate\.cbq\.com\.qa
• ^https://www\.bizchannel\.cimb\.com\.sg/corp/common\d*/login\.do(\?|$)
• ^https://www\.ebanking\.cimbthai\.com/cash/logon\.jsp
• ^https://www\.citibusiness\.citibank\.com\.sg/SGCBZ/JSO/signon/DisplayCinSignon\.do(\?|$)
• ^https://securebank\.cahoot\.com/servlet/com\.aquariussecurity\.bks\.security\.authentication\.servlet\.LoginEntryServletBKS
• ^https://cardsonline\-commercial\.com/RBSG\_Commercial/.*Login\.do
• ^https://www\.caterallenonline\.co\.uk/WebAccess\.dll
• ^https://www\.citibank\.com\.my/MYGCB/JPS/portal/Index\.do
• ^https://business\.co\-operativebank\.co\.uk/corp/BANKAWAY
• ^https://fdonline\.co\-operativebank\.co\.uk/corp/BANKAWAY
• ^https://cbfm\.saas\.cashfac\.com/cbfm/
• ^http://www\.co\-operativebank\.co\.uk/corporate/fdo\-noticeboard
• ^http://www\.co\-operativebank\.co\.uk/business/businessonlinebanking/bobs\-noticeboard
• ^https://cbionline\.cbi\.ae/bus/security/companyLogin\.jsp
• ^https://www\.cbdibusiness\.ae/cb/servlet/cb/login\.jsp($|\?)
• ^https://online\.coutts\.com/eBankingCouttsLogin/login
• ^https://www\.credit\-suisse\.com\.sg/amserver/UI/Login(\?|$)
• ^https://ideal\.dbs\.com/loginSubscriber/login/(SubscriberLoginServlet|pin\.jsp)
• ^https://www\.danamonline\.com/onlinebanking/Login/lgn_new\.aspx
• ^https://business\d*\.danskebank\.(co\.uk|com)/pub/logon/logon\.aspx
• ^https://.*\.directnet\.com/dn/c/cls/auth
• ^https://online\.dib\.ae/webapplication\.ui/localoperations/login/corporateloginpage\.aspx
• ^https://login\.smartbusiness\.ae/
• ^https://online\.fgb\.ae/fgbcorporate/CorpLogin\.html?(\?|$)
• ^https://www\d+\.firstdirect\.com/1/2/
• ^https://www\.fbo\.fubonbank\.com\.hk/fboPortal/index\_e\.jsp(\?|$)
• ^https://www\.hsbc\.com\.cn/1/2/.+
• ^https://www\.hsbc\.com\.sg/1/2/.+
• ^https://www\.hsbc\.com\.vn/1/2/
• ^https://www\.halifax\-online\.co\.uk/personal/logon/login\.jsp
• ^https://ebusiness\.hangseng\.com/1/2/
• ^https://ebank\.eonbank\.com\.my/cashmgmt/security/commonLogin\.jsp($|\?)
• ^https://www\.hongleongonline\.com\.my/business/public/main\.html
• ^https://ibps\.hpb\.hr/HPB\.iBank\.IBPS\.Web/login\.iface
• ^https://ibank\.hncb\.com\.hk/netbank/pages/jsp/HKLogin/html/HKLogin\_en\.jsp(\?|$)
• ^https://cib\.icicibank\.com\.sg/CIBSGAPP/BANKAWAY(\?|$)
• ^https://(corpebankasia|corpebank)\.icbc\.com\.cn/icbc/corporbank/index.*\.jsp(\?|$)
• ^https://www\.onlinebanking\.iombank\.com/(login|default)\.aspx
• ^https://www\.onlinebanking\.iombank\.com/(login|default)\.aspx
• ^https://www\.iombankibanking\.com/eai/IPB_EAI_Web/
• ^https://ebank\.kasikornbankgroup\.com/kbiznet/login.*\.html
• ^https://ws\d+\.kasikornbank\.com/baliweb/\d+/site/defaultskin/.*/html/static/logon\.htm
• ^https://www\.kbc\.be/
• ^https://vpn\.tarumanagara\.com/\+CSCOE\+/logon\.html
• ^https://singapore\.lbbw\-business\.com/LBBWCorpWeb/login/.+\.action(\?|$)
• ^https://mcm\.bankmandiri\.co\.id/corp/common/login\.do\?action=login
• ^https://mib\.bankmandiri\.co\.id/sme/common/login\.do\?action=login
• ^https://www\.maybank2u\.com\.my/mbb/m2u/common/mbbLoginCheckAdapt\.do
• ^https://www\.maybank2u\.com\.my/mbb/m2uNOW/common/mbbLoginCheckAdapt\.do
• ^https://sslsecure\.maybank\.com\.sg/cgi\-bin/mbs/scripts/mbb\_login\.jsp(\?|$)
• ^https://www\.maybank2e\.net/M2E/mbbcustomer/
• ^https://(retail|corporate)\.metrobankonline\.co\.uk
• ^https://cardservicing\.mint\.co\.uk/RBSG\_Consumer/Login\.do
• ^https://cbs\.ncbchina\.cn/corporbank/login\_basic\_e\.jsp(\?|$)
• ^https://online\.nbad\.com/iportalweb/iportal/jsps/orbilogin\.jsp
• ^https://nbf\.ae/corporate/BANKAWAY(;|\?|$)
• ^https://nbqonline\.ae/corp/BANKAWAY\?Action\.CorpUser\.Init
• ^https://ib\d*\.npbs\.co\.uk/IB\.Web/Login\.aspx
• ^https://bbmy\.ocbc\.com
• ^https://elementa\.otpbanka\.hr/gradjani/.*/foweb/nb/eLEMENTa
• ^https://www\.otpbanka\.hr/english/welcome\.htm
• ^https://www\.otpbanka\.hr/html/dobrodosli\.htm
• ^https://net\.pbz\.hr/pbz365/logon.*
• ^https://www\.permatae\-business\.com/corp/common/login\.do\?action=login
• ^https://e\-finance\.postfinance\.ch/(ef/secure|secure/fp)/html/
• ^https://professionalson\-line\.bankofscotlandbusiness\.co\.uk/\_mem\_bin/formslogin\.asp
• ^https://(edi|del|hkg|lon|sta)\.my\.rbs\.com
• ^https://access\.rbsm\.com/logon/(password|dp300)/.+\.fcc(\?|$)
• ^https://logon\.reflex\.rhbbank\.com\.my/rhbcams/corporate/login\.jsp
• ^https://business\.santander\.co\.uk/LGSBBI\_NS\_ENS/
• ^https://corporate\.santander\.co\.uk/LOGSCU_NS_ENS/
• ^https://www\.sbnet\.splitskabanka\.hr/priv/.*/dciweb\.htm
• ^https://vpn.*\.sjp\.co\.uk/vpn/vpnloginpage\.html
• ^https://s2b\.standardchartered\.com/ssoapp/(login\.jsp|core\.security\.login\.event)
• ^https://sme\.standardchartered\.com/commonapp/core\.security\.vascochallenge\.event
• ^https://ibank\.standardchartered\.com\.hk/nfs/login\.htm(\?|$)
• ^https://ibank\.standardchartered\.com\.sg/nfs/login\.htm(\?|$)
• ^https://www\.onlinesbiglobal\.com/\S+/BANKAWAY($|\?|\;)
• ^https://www\.tescobank\.com/sss/auth
• ^https://banking\.triodos\.co\.uk/ib\-seam/login\.seam\?loginType=dp550
• ^https://ebanking\-ch\d+\.ubs\.com/workbench/Index\.do
• ^https://www\.ucoebanking\.com/BankAwayRetail/.*/web/L001/retail/jsp/user/CorporateSignOn\.aspx(\?|$)
• ^https://uniservices\d*\.uobgroup\.com/(ELO/login\.jsp|wpe/ca/login\.do|wpe/ca/loginForm\.jsp)(\;|\?|$)
• ^https://biz\.uob\.com\.my/ELO/login\.jsp
• ^https://www\.hvbrsce\.com/ebanking/London/EXE/WBankDsp\.exe
• ^https://www\.unb\.com/uninet/main\_login\.asp
• ^https://cib\.uab\.ae/
• ^https://www\.unity\-online\.co\.uk
• ^https://www\.vietcombank\.com\.vn/ibanking/Default\.aspx
• ^https://www\.vietinbank\.vn/ipay/vbh/login\.do
• ^https://www\.winglungbank\.com/corpbanking/logon/CbHomLogonInp\.jsp(\?|$)
• ^https://online\.ybs\.co\.uk/public/authentication/login1\.do
• ^https://www\.zaba\.hr/ebank/gradjani/InnerLogin\.jsp
• ^https://www\.irakyat\.com\.my/retail/security/commonLogin\.jsp
• ^https://ibank\.klikbca\.com
• ^https://www\.mybsn\.com\.my/mybsn/login/login\.do
• ^https\://.*/tdsecure/intro\.jsp.*
• ^https\://www\.securesuite\.co\.uk/aib/tdsecure/pa\.jsp.*aib\.visa&.*
• ^https\://www\.securesuite\.co\.uk/aib/tdsecure/pa\.jsp.*aib\.mc&.*
• ^https\://www\.securesuite\.co\.uk/aib/tdsecure/pa\.jsp.*SAGA&.*
• ^https\://www\.securesuite\.co\.uk/aib/tdsecure/pa\.jsp.*ftb\.visa&.*
• ^https\://www\.securesuite\.co\.uk/aib/tdsecure/pa\.jsp.*ftb\.mc&.*
• ^https\://secure.*\.arcot\.com/acspage/cap\?RID\=.*
• ^https\://tsys\.arcot\.com/acspage/cap\?RID\=.*
• ^https\://cap\.securecode\.com/acspage/cap\?RID\=.*
• ^https\://www\.citibank\.co\.in/acspage/cap_nsapi\.so\?RID\=.*
• ^https\://www\.mycardsecure\.com/acspage/cap\.dll\?RID\=.*
• ^https\://acs\.icicibank\.com/acspage/cap\?RID\=.*
• ^https\://cardsecurity\.standardchartered\.com/acspage/cap\?RID\=.*
• ^https\://i3d\.borica\.bg/acspage/cap\?RID\=.*
• ^https\://acs-ch\.cal-online\.co\.il/acspage/cap\?RID\=.*
• ^https\://3dsecure\.paylife\.at/acspage/cap\?RID\=.*
• ^https\://3ds\.cardcenter\.ch/acspage/cap\?RID\=.*
• ^https\://www\.sebkort\.com/skm/acspage/cap\?RID\=.*
• ^https\://acs1\.viseca\.ch/acspage/cap\?RID\=.*
• ^https\://3dsecure\.icscards\.nl/acspage/cap\?RID\=.*
• ^https\://acs\.swisscard\.ch/acspage/cap\?RID\=.*
• ^https\://3ds\.jccsecure\.com/acspage/cap\?RID\=.*
• ^https\://secure-code\.mlp\.de/acspage/cap\?RID\=.*
• ^https\://securecode\.abnamro\.nl/acspage/cap\?RID\=.*
• ^https\://acs\.netcetera\.ch/acspage/cap\?RID\=.*
• ^https\://securecode\.ing\.nl/acspage/cap\?RID\=.*
• ^https\://netsafe\.hdfcbank\.com/ACSWeb/jsp/.*
• ^https\://secure\.axisbank\.com/ACSWeb/EnrollWeb/AxisBank/server/AccessControlServer.*
• ^https\://www\.3dsecure\.icicibank\.com/ACSWeb/EnrollWeb/ICICIBank/server/AccessControlServer.*
• ^https\://secureonline\.idbibank\.com/ACSWeb/EnrollWeb/IDBIBank/server/AccessControlServer.*
• ^https\://secureonline\.idbibank\.com/ACSWeb/EnrollWeb/IDBIBank/auth/VBV\.jsp.*
• ^https\://secureonline\.idbibank\.com/ACSWeb/EnrollWeb/IDBIBank/auth/SCode\.jsp.*
• ^https\://3dsecure\.acb\.com\.vn/ACB/jsp/.*
• ^https\://cards\.indusind\.com/IndusindBank/jsp/.*
• ^https\://corpbank\.electracard\.com/corpbank/jsp/.*
• ^https\://www\.securepay\.hsbc\.co\.in/SecurePay/servlet/Authenticate.*
• ^https\://acs\.onlinesbi\.com/sbi/jsp/.*
• ^https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/CanaraBank/server/AccessControlServer.*
• ^https\://pnb\.electracard\.com/pnb/jsp/.*
• ^https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/IndianBank/server/AccessControlServer.*
• ^https\://sparda\.wlp-acs\.com/flowGlobal\.wflow.*
• ^https\://acs3\.3dsecure\.no/mdpayacs/pareq.*
• ^https\://bankaljazira\.cardinalcommerce\.com/transaction/.*
• ^https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/KotakBank/server/AccessControlServer.*
• ^https\://cosacs\.electrapay\.com/CosmosBank/jsp/.*
• ^https\://3dsecure\.ing\.ro/acs/auth/.*
• ^https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/BOB/server/AccessControlServer.*
• ^https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/BOBCards/server/AccessControlServer.*
• ^https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/DenaBank/server/AccessControlServer.*
• ^https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/KVB/server/AccessControlServer.*
• ^https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/FederalBank/server/AccessControlServer.*
• ^https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/UCOBank/server/AccessControlServer.*
• ^https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/IOB/server/AccessControlServer.*
• ^https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/CorporationBank/server/AccessControlServer.*
• ^https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/JKBank/server/AccessControlServer.*
• ^https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/ComBank/server/AccessControlServer.*
• ^https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/SeylanBank/server/AccessControlServer.*
• ^https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/AndhraBank/server/AccessControlServer.*
• ^https\://acs4\.3dsecure\.no/mdpayacs/pareq.*
• ^https\://avantcard\.cardinalcommerce\.com/transaction/.*
• ^https\://ubi\.electracard\.com/ubi/jsp/.*
• ^https\://cbi\.electracard\.com/cbi/jsp/.*
• ^https\://sibacs\.electrapay\.com/SouthIndianBank/jsp/.*
• ^https\://santanderpbvisa\.cardinalcommerce\.com/.*
• ^https\://santanderpbmc\.cardinalcommerce\.com/.*
• ^https\://thinkmoney\.cardinalcommerce\.com/.*
• ^https\://kfh-b\.cardinalcommerce\.com/transaction/.*
• ^https\://ibqmc\.cardinalcommerce\.com/.*
• ^https\://stanbicibtcbankweb\.cardinalcommerce\.com/transaction/.*
• ^https\://eurobankvisa\.cardinalcommerce\.com/.*
• ^https\://ibqvisa\.cardinalcommerce\.com/.*
• ^https\://ubagroup\.cardinalcommerce\.com/transaction/.*
• ^https\://sambabankmc\.cardinalcommerce\.com/.*
• ^https\://eurobankmc\.cardinalcommerce\.com/.*
• ^https\://savcreditmc\.cardinalcommerce\.com/.*
• ^https\://savcreditvisa\.cardinalcommerce\.com/.*
• ^https\://sambabankvisa\.cardinalcommerce\.com/.*
• ^https\://alphabank\.cardinalcommerce\.com/transaction/.*
• ^https\://marfinbank\.cardinalcommerce\.com/transaction/.*
• ^https\://www\.monetaonline\.it/acs/insertPassword\?brand\=MasterCard.*
• ^https\://www\.monetaonline\.it/acs/insertPassword\?brand\=Visa.*
• ^https\://acs\.sia\.eu/cartasi/pareq/.*
• ^https\://secure\.edb\.com/d3SecureAuthce2/d3Secure/authentication/post.*
• ^https\://.*personal\.co-operativebank\.co\.uk.*
• ^https\://login\.myproducts\.tescobank\.com/arcotafm/saml/controllerCustomTB\.jsp.*
• ^https://home\d*\.cybusinessonline\.co\.uk/lmgru.*/ceblm\-web/
• ^https?://www\.cybusinessonline\.co\.uk/essential\-maintenance/fraud\-message
• ^https://lloydslink\.online\.lloydsbank\.com/Logon/Logon\.jsp
• ^https?://www\.lloydsbankcommercial\.com/servicemessage
• ^https://onlinebanking\.nationwide\.co\.uk/AccessManagement/Login
• ^https://www\.bankline\.natwest\.com/
• ^https://www\.bankline\.rbs\.com/
• ^https?://www.rbs\.co\.uk/corporate/electronic\-services/g1/bankline\.ashx
• ^https://www\.ulsterbankanytimebanking\.co\.uk/(login|default)\.aspx
• ^https://www\.bankline\.ulsterbank\.(ie|co\.uk)/
• ^https://www\.nwolb\.com/(login|default)\.aspx
• ^https://banking\.lloydsbank\.com/Logon/logon\.aspx(\?|$)
• ^https://.*business\.lloydsbank\.co\.uk/business
• ^https://bbank\d+\.ybonline\.co\.uk/ifdu/ifdlm\-web/login\.ctl
• ^https://home\d+\.ybonline.co\.uk/ralu/reglm\-web/login\.ctl
• ^https://ibank\d*\.bib\.barclays\.com/logon/
• ^https://online\-business\.tsb\.co\.uk/business/logon/login\.jsp
• ^https://home\d+\.cbonline.co\.uk/ralu.*/reglm\-web/login\.ctl
• ^https://www\.business\.hsbc\.co\.uk/1/2/
• ^https://clientlogin\.ibb\.ubs\.com/login(\?|$)
• ^https://www\d*\.secure\.hsbcnet\.com/uims/portal/IDV\_OTP\_CHALLENGE(;|$)
• ^https://www\d*\.secure\.hsbcnet\.com/uims/portal/IDV\_CAM10\_AUTHENTICATION(;|$)
• ^https://www\d*\.secure\.hsbcnet\.com/uims/content/public/hibm/logon/usernameInput.+
• ^http://www\d*\.secure\.hsbcnet\.com/uims/content/public/hibm/logon/logon\.html
• ^https://www\.rbsdigital\.com/(login|default)\.aspx
• ^https://www\.integrator\.barclays\.com/idc/html/LoginStep1\.html
• ^https://www\.commercial\.hsbc\.com\.hk/1/2/.+
• ^https://internet\-banking\.hk\.dbs\.com/IB/Welcome(\?|$)
• ^https://internet\-banking\.dbs\.com\.sg/IB/Welcome(\?|$)
• ^https://comnet\.pbz\.hr/PbzComnetWeb/app/logon\.html
• ^https://direkt\.rba\.hr/cgi\-bin/ppz2/start/rbat\.jsp
• ^https://mcsign\.ba\-ca\.com/smartoffice/\_mcologon\?\.\.OASLogon
• ^https://www\.hsbc\.co\.uk/1/2/
• ^https://bank\.barclays\.co\.uk/olb/auth/LoginLink\.action
• ya\.ru
• ^https://www\.nwolb\.com/Brands/RSA_js/fp_AA\.js
• ^https://chat\.nwolb\.com/nwbpwebassets/bottom\.js
• yandex.ru

It may also perform the following:

• Upload/download and/or execute files
• Monitor network traffic
• Add infected host to botnet
• Download updated configuration file
• Download and execute modules (VNC)
• Inject itself to web browsers (i.e. IE, Chrome, Firefox)