New Banking Trojan Abuses Public Platforms Including YouTube

What has happened?

• After being installed on the target machine, it triggers fake overlay windows to collect sensitive information and financial credentials from the victims.
• The malware abuses Pastebin and YouTube services to manage its remote configuration settings in a very simple format, where three entries are added by ":" as a separator between the DATA:{ and } markers.
• Each entry is separately encrypted with the key hardcoded in the binary that makes it harder to decrypt the configuration.
• It can simulate mouse clicks, keyboard actions, hijack PC’s shutdown/restart functions, kill browser processes, and take screenshots. The malware shows no sign of continuous development.

Operational insights

• In recent campaigns, phishing messages and ZIP attachments were being sent to users in which a decoy ZIP file is downloaded alongside an actual ZIP file. 
• This file has a CAB archive with a valid software app, an injector, and the trojan. The trojan is stored inside a large BMP image file.
• The injector is side-loaded after the software app is executed. The trojan is then decrypted using an XOR algorithm and key.
• The attacks are not that sophisticated, limiting the trojan’s success in comparison to its contemporaries, such as Mekotio and Grandoreiro.

Conclusion