Infostealer.Bancos: The Application’s Digital Signature Cannot be Verified

The application's digital signature cannot be verified. Do you want to run the application?

By: Rodrigo Calvo, CISSP, and Sebastian Brenner, CISSP

Infostealer.Bancos is a detection name used by Symantec to identify particular malicious software programs that gather confidential financial information from compromised computers. It first appeared in the summer of 2003 and targeted mainly Brazilian banks. Initially, these Trojans targeted one particular financial institution per variant. However, this method was not always successful. Therefore, in order to increase the success rate, the malware authors began targeting multiple financial institutions per variant. As such, Infostealer.Bancos branched out to include other Latin American banks.

The Old Trick: Social Engineering

Recently, we have received alerts from customers in Latin America regarding email messages containing suspicious information about real estate and curricula vitae, including corresponding links to “access more details.” Symantec cautions recipients to be wary of email that comes from an unexpected source. The spammer changes the content of the email every few days—the sample given below is one example that we have observed:

Email Translation:

Dear gentlemen, the motive of this email is to attach my curriculum vitae according to the new process requested by your company. Regards.

As usual, the spammer tries to grab the attention of the recipient, who may innocently click on the link. However, instead of opening up a Word document, the user will be redirected to a website:

http://...../....riverocurriculumvitaejulioactuali...

The site takes a few seconds to load, and then suddenly asks the user to accept a spoofed Java certificate in order to continue with the process:

If the user clicks on “Cancel,” the Java Certificate Warning box will appear again a few seconds later. When the user decides to accept and clicks on “Run,” nothing seems to happen.

Behind the Scenes

What the user is not able to see is that the Java applet will create an additional malicious Java applet that, once run, will completely compromise the computer.

The strategies of this Infostealer.Bancos variant are as follows:

•    Installs a downloader
•    Modifies different registry keys
•    Establishes connections to two different IP addresses
•    Runs a keylogger and records the data on an .html .txt file under a specific folder. This is a sample of what is saved to the file:

Like other variants, this Infostealer.Bancos variant steals confidential financial information, collects email addresses, and deletes predetermined files from compromised machines. We caution users not to open or click on the links or attachments in emails such as the sample discussed in this blog. Symantec recommends having anti-spam and antivirus solutions installed and ensuring they are up to date to prevent the compromise of personal machines or networks.
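
The compromise described above depends on the user being allowed to click “Run” on a signature that cannot be verified. The following added example, which is not part of the original post, shows a system-level Java deployment.properties that removes that choice. The property names are Oracle's Java deployment properties, and the file location in the comments is an assumption about a standard Windows install.

```properties
# System-level deployment.properties (added example, not from the original post).
# Assumed location on Windows: %WINDIR%\Sun\Java\Deployment\deployment.properties
# A deployment.config file in the same folder must reference this file through
# deployment.system.config and set deployment.system.config.mandatory=true,
# otherwise per-user settings still apply.

# Default is true: the user may grant permissions to code signed with a
# certificate that does not chain to a trusted CA. That is the
# "digital signature cannot be verified" prompt shown by the lure site.
deployment.security.askgrantdialog.notinca=false
# The .locked suffix prevents the user from changing the value in the
# Java Control Panel.
deployment.security.askgrantdialog.notinca.locked

# VERY_HIGH (Java 8 semantics): only applications identified by a certificate
# from a trusted authority, verified as not revoked, are allowed to run.
deployment.security.level=VERY_HIGH
deployment.security.level.locked

# Where applets are not needed at all, disable Java content in the browser.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
```

With these values locked, the repeated certificate warning described above can no longer be accepted by the user.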