PiceBOT crimeware hit Latin American banking

Pierluigi Paganini February 04, 2013

In the last weeks we discussed on the efficiency of exploit kits, malicious tool kits  that allow to the attackers to exploit a huge quantity of vulnerabilities in victims systems. These products are largely diffused in the underground where is possible to find different tools usable for various purpose, most precious are those kit that contains code to exploit zero day vulnerabilities.

The exploit kits are being the principal instruments for cyber criminals, recently security community has uncovered a  new cyber crimeware kit dubbed ‘PiceBOT’ sold in the underground market at the modest sum of $140.

The crimeware kit allows to the criminals to organize a botnet to steal financial information through local pharming attacks. Pharming attack redirects user to the fake page even though user enter the correct address. The term pharming is a derived from phishing and farming, the techniques usually adopted to implement the attack are DNS Poisoning and  HOSTS file Modification.

The malicious agent allows to the attacker to take complete control over the victims that could be used also to spread malware, it is just a sample of criminal activities, recently other botnets such as the vOlk (Mexico) and S.A.P.Z. (Peru) have been designed with same purpose.

The crimeware kit is diffused in Latin American where is targeting the clients of the major financial institutions, Chile, Peru, Panama, Costa Rica, Mexico, Colombia, Uruguay, Venezuela, Ecuador, Nicaragua and Argentina are countries hit by the malware.

In the following image the administration panel of the tool kit, what is singular is the authentication process to access to the admin console that is based on a single factor represented by the password.


According Kaspersky Lab, the malware named Trojan-Dropper.Win32.Injector has been detected at least in a couple of dozen variants.

The post published securlist.com describe the infection process:

“In addition, the primary propagation cycle downloads a Trojan dropper that establishes the first clandestine communication with the C2 (Command and Control Panel) botnet sending the parameters of interest to cybercriminal. Another piece of malware is then downloaded from the URL set in “url_des.txt”, and modifies the information in the hosts file via the parameters from “toma.php”.”

Latin America is considered a strategic region for criminals, the cost to arrange a cyber scam in the region is cheaper than other region such as Europe and the recent attacks have demonstrated that the return on investment (ROI) is almost immediate, “because despite the use of trivial techniques that are enhanced with visual social engineering, the infection rate using these codes is very high, mainly due to a lack of awareness among users.”

The best defense against this type of cyber threat is to keep systems up to date, adopt protection system and be aware of the phishing messages that may arrive.

Pierluigi Paganini

you might also like

leave a comment