New "Mousetrap" Trojan Steals Your Money by Chain Reaction

A new bank-robber Trojan, like a Mafia boss who avoids the cops by ordering heists through an intricate chain of command, sets of a series of downloads and installations to rob your bank account while dodging antivirus software.

The new Mousetrap campaign starts as Java applets injected in popular websites infect visitors. The malicious applet, Trojan.Downloader.Java.OpenConnection.BA, disguised as Adobe Flash Player, prepends the clean html files to ensure its execution along with the opening of the piggybacked html page. Once executed, the applet downloads and installs another malicious executable file on the machine of the website visitors.

The attackers likely use 0-day vulnerabilities in blogging web applications or brute-force weak administrator passwords to add their code in the header file.

The downloaded file (Trojan.Generic.KD.218227), written in Visual Basic and packed with UPX, is saved in a writeable location on the user’s machine with the name temp_flash_file.phx. It downloads and installs a banker from a list (hardcoded in the downloader) of a dozen available links that lead to different banker Trojans.

To ensure automatic launch, the banker creates a shortcut to itself in “%Start Menu%ProgramsStartup” with an empty name with “.lnk” extension. Each time the system starts, all programs with shortcuts added in that folder are automatically initiated as well – including the banker.

Once on the system, the banker updates itself by downloading newer versions from a second list of links. The updates hide out in different locations so that if one is detected, the rest can still be accessed.

Of course, these locations can also be reached directly by the malware. But not accessing them directly makes it harder for AV vendors to trace the source of the malware.

For example, once anti-virus vendors have the update list, they could trace the links, block them and add detection routines for all those files. But they would only have a list and still wouldn’t figure out the source links leading to the bankers. This would be difficult because once the Trojan downloads the banker from the first list, the Trojan automatically deletes itself, wiping any trace of its existence.

Attackers go through great lengths to put together such attacks. But making the entire process so complicated has a lot of benefits: first, they prevent law enforcement from tracing the malware to them. Second, they defend their assets – after all, writing a Banker Trojan is not that easy.

An antivirus vendor could destroy their work in a couple of seconds by adding signatures directly to their malware. Packers and update mechanisms allow them to circumvent generic signatures. And in case this still happens, they would only need to change the packer to be able to re-use the same piece of malware. Should the update locations be identified, it is still not a problem for crooks, since they haven’t hosted malware on their servers, but on compromised legit sites that can easily be replaced by other legit web locations.

The banker Trojan feeds users with a login form and asks them to fill it in. The data entered by the unwary clients is intercepted by crooks and sent to a C&C server to be later on be used in other malicious campaigns. The C&C server tells the infected computers apart by names, which act as unique identifiers.

What to do about it:

To avoid this kind of threat, install a good anti-virus solution and keep it updated at all times. Never install just any software application suggested in a pop-up, especially if you haven’t searched for it.

This article is based on the technical information provided courtesy of Doina Cosovan, Bitdefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.