Brazilian banking threatened by a malware embedded inside RTF file

The clients of the Brazilian financial institutions have been hit by a banking trojan embedded in RTF file and spread through a spam campaign.

The banking is one of the most targeted sector by cybercrime that exploit always new vector to infect a customer’s machine of the clients of banks.

I decided to write this post to alert banks’ customers and to avoid large scale infection, the malicious campaign is started in Brazil where many clients of financial institutions have received via mail an .rtf file that hide an ugly surprise.

Kaspersky security experts have spotted a spam mail campaign against the customers of Brazilian banks characterized by an interesting trick to infect recipients.

Almost every malicious spam campaign that targeted in the past banking institutions carried executable file masquerades as a pdf file or exploited known vulnerabilities in the browser with specifically crafted file.

The campaign that targeted Brazilian users carries “Comprovante_Internet_Banking.rtf”(“Receipt from Internet Banking.rtf) file as attachment, when the victim opens the RTF file, the document shows an image thumbnail with a message

“Click to see in a larger size”.

Clicking an image thumbnail in a rtf file user will be presented with a message saying a CPL file is about to be executed, in reality it is the malware Trojan.Win32.ChePro detected by the Kaspersky experts.

The banking malware that hit Brazilian banks seems to have Indian origin, the choice of .RTF file format as the attack is not casual, it allows to embed a file objects, including executable file. The cybercriminals behind the spam campaign against Brazilian banking have exploited this feature to embed the malware file in the document.Why Brazil?

Brazil is the biggest country in Latin America with a population of approximately 200 million people and a high Internet penetration, Mobile penetration is upward of 132% (2012) and still growing by about 7% annually.

“Brazil’s highly stratified social structure often means that those on a low income are drawn into illegal activity, including writing malicious programs designed to steal data belonging to bank customers. The fact that online banking systems are widely used in Brazil makes this type of criminal activity all the more attractive. Additionally, the country does not have legislation which effectively combats cybercrime.

Between them, Brazil’s biggest banks have millions of online banking customers. For instance, Banco do Brasil has 7.9 million online customers, Bradesco has 6.9 million, Itaú has 4.2 million and Caixa has 3.69 million. These numbers are high enough to motivate the criminals: even if the percentage of successful attacks is small, the profits can still be impressive.” stated an old, but actually, report of Kaspersky.

Banking users … You are advised!

Pierluigi Paganini

(Security Affairs – Banking, malware)