During the initial investigation we saw a very striking string in the source code of the first variants: “Armada Peruana”. This is the Peruvian navy.
String “Armada Peruana” observed in decompilation of the Jumcar variant.
Initially we thought that it could be related to a hacktivist group or perhaps a government, but we discounted this possibility when we deepened our analysis and found no definitive, concrete proof to corroborate this first theory. The idea also didn’t fit with the main objective of the malware, which is to carry out classic phishing attacks.
As we proceeded with the analysis of other variants belonging to the three generations of Jumcar malware, we also considered that it could be a distraction strategy. However, it is clear that the military force in question has no connection to the malware and is not the malware writers’ target.
And yet, there could still be a military connection from a psychological or social perspective, because other interesting strings in the second and third generations of Jumcar suggest a certain “fanaticism”, “pride” or “interest” in the military. The internal names of some variants follow a pattern of military-related names, such as ArmadaPeruanaV2.0.exe, Defenza.exe, Defender.exe and Estela_Maris.exe.
The first three names are not very revealing. In the case of “Estela_Maris.exe”, it very probably refers to the Virgin Stella Maris, also known as the Star of the Sea and “protector of sailors”, who is therefore adopted as a patron by almost all Latin American naval institutions.
Internal information of Jumcar’s family variants that could refer to the military.
The following images show the build paths. They suggest that the malicious code may have been compiled from a USB device, either to avoid leaving traces on a machine or to allow the project to be worked on from any computer. This pattern is maintained in nearly all variants.
Folder name “ArmadaPeruanaV2.0” in the build path of the malware.
Folder name “ArmadaPeruanaV2.1” in the build path of the malware.
According to our records, the string “ArmadaPeruanaV2.0” appears in a variant released in May 2012. It refers to a supposed second version, which means that there was probably a first, although we have no information on that variant. A month later, in June 2012, we found similar strings indicating version 2.1 of this project.
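The build-path and internal-name strings described above are the kind of static indicator a triage script can pull out of a sample. The following is an added example, not code from the original analysis: a strings-style pass over raw bytes that reports the Jumcar-style indicators named in this post. The sample blob and its drive letter are constructed for the demonstration.

```python
import re

# Indicators taken from the write-up: the versioned build folder, the internal
# file names of the variants, and the two community/navy marker strings.
BUILD_PATH_RE = re.compile(rb"ArmadaPeruanaV(\d+)\.(\d+)")
INTERNAL_NAMES = (b"ArmadaPeruanaV2.0.exe", b"Defenza.exe", b"Defender.exe", b"Estela_Maris.exe")
MARKERS = (b"Armada Peruana", b"Comunidad Jumper")


def extract_strings(data, min_len=6):
    """Return printable ASCII runs of at least min_len bytes (like strings(1))."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def scan_sample(data):
    """Return the Jumcar-style indicators found in the raw bytes of a sample."""
    found = {"build_paths": [], "internal_names": [], "markers": []}
    for s in extract_strings(data):
        m = BUILD_PATH_RE.search(s)
        if m:
            # Record the whole path plus the version encoded in the folder name.
            version = m.group(1).decode() + "." + m.group(2).decode()
            found["build_paths"].append((s.decode(), version))
        for name in INTERNAL_NAMES:
            if name in s:
                found["internal_names"].append(name.decode())
        for marker in MARKERS:
            if marker in s:
                found["markers"].append(marker.decode())
    return found


def is_suspicious(found):
    """A versioned build path alone, or an internal name plus a marker, is enough to flag."""
    return bool(found["build_paths"]) or (bool(found["internal_names"]) and bool(found["markers"]))


# Constructed sample: a PDB-style build path on a removable-drive letter (assumed),
# the navy string and one internal name, padded with non-printable bytes.
SAMPLE = (b"\x00" * 16 + b"E:\\ArmadaPeruanaV2.1\\obj\\Release\\Defenza.pdb\x00"
          + b"Armada Peruana\x00" + b"\xff" * 8 + b"Defenza.exe\x00")

if __name__ == "__main__":
    result = scan_sample(SAMPLE)
    print(result, "suspicious" if is_suspicious(result) else "clean")
```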
Theft of bank data
On each of the websites previously compromised by the cybercriminals, a set of utilities that facilitate the theft of banking data has been installed. Of these, the most relevant is the phishing pack, which contains the settings that define how the stolen data is processed and where it is sent.
This information is stored in encrypted form in a text file called “Logsdb.txt”. In this case, the TXT file was encrypted with a complex password. The file is then emailed to the address listed in the settings.
Certain parameters define the attempt to steal card coordinates: the number of coordinates is limited to 36, each with a maximum length of 2 (each coordinate is alphanumeric), and the data is requested at most twice, probably to verify the information. This configuration matches the real requirements of the bank targeted by the phishing strategy.
Configuration parameters in the phishing attacks
Who could be behind it?
Analysis of the phishing packs reveals multiple email addresses with the names mi.baulrlz, roshikameha and chupacuetexd. These are used to store the victims’ data and information related to the stolen credit card numbers.
For the moment we can say that in about 90% of the samples we have seen a string that refers to the “Comunidad Jumper”. This is a recently formed group whose first recorded activities date from within the last year and about which there is little public information.
In September 2012 this group created a profile on Facebook and, as you can see from the next image, is inspired by a popular Latin American underground forum:
“Comunidad Jumper” in Facebook.
In general terms, the Latin American cybercrime scene continues to advance. Compared with what already exists in the region, these new developments exhibit a certain level of complexity. While they do not yet resemble the development techniques seen in Eastern Europe, they still constitute a serious threat to the finances of Latin American users.
Peru in particular has become, after Brazil, the largest source of malware and crimeware development in South America. Peruvian cybercriminals also collaborate with Chilean malicious users, possibly because the two countries share a border. The Jumcar family is proof of this.
We will certainly see Latin American communities engaged in the further development of malware for fraudulent purposes in the future, or even for purposes specifically targeting government and/or the military.