Jumcar is the name we have given to a family of malicious code developed in Latin America particularly in Peru and which, according to our research, has been deploying attack maneuvers since March 2012.
After six months of research we can now detail the specific features of Jumcar. We will communicate these over the following days. Essentially the main purpose of the malware is stealing financial information from Latin American users who use the home-banking services of major banking companies. Of these, 90% are channeled in Peru through phishing strategies based on cloning the websites of six banks.
Some variants of the Jumcar family also target two banks in Chile, and another in Costa Rica.
Percentage of the phishing attacks by countries
We know that in Latin America the cyber-criminal culture is expanding at great speed. This is evidenced by some of the botnets managed through crimeware developed in the region, which also have the ability to generate customized malware. The botnets we have discovered over the past two years have this capability and we have warned about them at different times. These include vOlk-Botnet, UELP, Chimba-Botnet, AlbaBotnet and PiceBOT.
However, the Jumcar family of malware has completely different characteristics and very particular components compared to those previously mentioned. They share the same goal: to steal financial information; and a common initial infection strategy: email associated with a strong visual social engineering based on false messages.
From a technical perspective, for the moment all variations of this family of malware are developed in .NET, while the usual pattern around malware developed in Latin America (excluding Brazil) is developing malicious projects in VisualBasic.
Likewise, and contrary to common patterns in Latin American malware that obfuscate part of his code through simple hexadecimal conversions, all the Jumcar variants use symmetric and asymmetric cryptographic algorithms to hide the functionality specified in the source code. For this, the malware uses the following classes: System.Security.Cryptography.TripleDES, System.Security.Cryptography.Aes y System.Security.Cryptography.RSA.
The images below highlight the difference in the malware obfuscation implemented in the most popular botnets in the region, compared to the obfuscation used by Jumcar:
Example of hexadecimal conversion in the configuration parameters of malicious code propagated through S.A.P.Z., vOlk-Botnet, PiceBOT and AlbaBotnet
Configuration parameters of the Jumcar malware encrypted with RSA
The patterns that distinguish this family of malware are:
- Campaigns to spread and infect are always by email.
- The social engineering strategy is based on the Facebook image in the email message and in the name of the file downloaded (e.g.: facebook.exe). Also in emails supposedly issued by Peruvian banks.
- The size of the variants does not exceed 44kB.
- The icons used also concern Facebook in 80% of cases; the other 20% involve icons that hint at a mobile phone company and one percent to the native icon of programming languages .NET and VB. That is, 8 out of 10 samples used a Facebook icon image.
Icons used in the different variants of Jumcar
- Once the system is infected, the malware is auto-renamed using names related to Microsoft Windows (e.g.: Windows Defender.exe).
- The dynamic parameters of the malware are encrypted with algorithms AES, 3DES and RSA.
- The first variants generated a key in the Windows registry to automate startup, but most recently this has not been the case only limited to a "ghost attack" through pharming. Unlike other malwares, it doesn't load a malicious process and delete itself. It will only modify the hosts file. This way, there are no malicious files on the computer, but the user will still be a victim of the phishing attack each time they visit the banking website because of the hosts file modification.
- The programming language used to create Jumcar is .NET without packing.
- The malware creates a folder and specific file, in the same folder, with XLSX or DOCX extension.
- All the websites used for campaigns are compromised using some vulnerability, and the attackers then uses them to store the pharming file, a mass-mailer and a backdoor.
- The main objective is targeting the Peruvian community.
The propagation campaigns are compatible with classical visual social engineering strategies that rely on sending fraudulent emails, using two different channels of attack:
- A message purportedly issued by Facebook with the subject "Facebook Message" (or similar), with the logo of the social network, that direct traffic to file called "Mensaje_Facebook_Privado.php" (or similar), which has the necessary instructions for downloading the Jumcar variant.
- A message supposedly issued by a major bank in Peru that directs traffic to the clone of the website of the bank in question. This is the classic phishing attack.
Malicious message delivered by email. It is one of the spread strategies used for Jumcar
All variants of Jumcar are hosted on previously compromised websites. In other words, the attacker does not register domain names as part of the strategy of propagation.
They also implant a phishing pack used to steal information from unsuspecting users. This includes a plain text file with the configuration for the hosts file on each of the victim machines, the mass-mailer used to send large volumes of deceptive emails, and a backdoor that allows the attacker to access and upload new variants of the malware.
Jumcar has had a high impact in recent months and has been geographically focused. In the following chart we can clearly see, in red, that the levels of infection have been most successful in Peru and Chile:
Peru and Chile are the countries with the highest rate of infection through Jumcar
We analyzed over 50 samples belonging to the Jumcar family. This allowed us to collect a large volume of data of interest that we will share in the coming days.
The different variants are detected by Kaspersky Lab as Trojan.Win32.Jumcar and "Trojan.MSIL.Jumcar".