Our Mexican email addresses started receiving messages on the 19th and 20th of February that looked like standard greeting card emails.
Of course, the messages were fake. The links in the messages sent users to a completely different site – they all led to http://72.9.134.130/~rockybob/ (naturally, we’ve obscured the link).
Once the user is on this site, a specially crafted PHP script gets executed, which downloads a malicious file called TarjetasNico.exe from another site.
What’s interesting is that the site that downloads the Trojan carries a notice saying that it has been hacked in the last 48 hours and that, because of this, it might be glitchy.
The icon for the downloaded file is an exact copy of the icon used on the greetings card site:
To make sure that the user doesn’t suspect anything, the bad guys behind this have made sure that Internet Explorer will display a real card. The text is a classic of social engineering – a heart-tugging ‘final farewell’ message. It’s clearly designed to play on the sympathy of users, perhaps with the aim of getting them to forward the original message to their friends and relatives.
Once the malicious file is launched, it modifies DNS entries in the hosts file, which results in requests to the sites listed below being redirected:
banamex.com
banamex.com.mx
www.banamex.com.mx
www.bancanetempresarial.banamex.com.mx
bancanetempresarial.banamex.com.mx
www.bancanetempresarial.banamex.com
bancanetempresarial.banamex.com
boveda.banamex.com
www.boveda.banamex.com
www.boveda.banamex.com.mx
boveda.banamex.com.mx
A quick glance at the list shows that the Trojan is targeting users who bank with the Mexican Banamex bank. Any bank customers whose machines have been infected will, if they try to access the sites shown above, end up on the remote malicious user’s site. And of course, if they enter their banking details on that site – as they’ll be asked to do – their data will end up in the hands of the bad guys.
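The hosts-file redirection described above can be checked for on a machine. The following is an added example, not code from the original post or from the Trojan: it parses a hosts file and reports any entry that pins one of the Banamex names listed above, or a subdomain of them, to an address. The function names, the sample file contents and the documentation-range addresses are constructed for illustration.

```python
import ipaddress

# Parent domains covering every name in the article's list.
WATCHED = ("banamex.com", "banamex.com.mx")

def is_watched(host):
    """True if host equals a watched domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED)

def audit_hosts(text):
    """Return (line_no, address, hostname) for each entry pinning a watched name."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(entry) < 2:
            continue                           # blank, comment-only or incomplete line
        address, names = entry[0], entry[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue                           # first field is not an IP address
        for name in names:                     # one line may carry several aliases
            if is_watched(name):
                findings.append((line_no, address, name.lower()))
    return findings

# Constructed sample: 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      banamex.com www.banamex.com.mx   # constructed entry
192.0.2.10\tBoveda.Banamex.com
# 192.0.2.10    bancanetempresarial.banamex.com.mx
198.51.100.7    intranet.example.test
192.0.2.10      notbanamex.com
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # path to a hosts file to audit
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, address, name in audit_hosts(text):
        print(f"line {line_no}: {name} pinned to {address}")
```

On Windows the file to pass in is normally %SystemRoot%\System32\drivers\etc\hosts. A bank's public site has no reason to appear there, so any finding is worth investigating.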
This attack is a very international affair. The original messages were sent from Holland, the phishing server is based in the US, and the recipients were either from Mexico or had some sort of connection with the country. Analysis of the malicious file itself showed that it was written in Visual Basic by someone with a good command of Spanish – perhaps even someone based in Mexico.
We started to dig deeper and came across this:
It’s the page that the bad guys use to send their messages. As the screenshot shows, this page can be used to create a message text, modify HTML, specify recipients, addresses, number of recipients, and also to send messages with attachments. A nice little tool.
At the time of writing, the sites were still up, and only 3 antivirus products were detecting this latest threat. We detect it as Trojan.Win32.Qhost.aha. As always, users should be cautious, and in this particular case, if you’re a customer of Banamex, be extremely careful not to get hooked.
Qhost vs. Banamex