Pierluigi Paganini July 04, 2015

Trend Micro has identified Lordfenix, a student that created more than 100 different banking Trojans and other malicious tools, since April 2013.

Security experts at Trend Micro have identified a 20-year-old Brazilian student which has developed and distributed more than 100 Banking malware. The young cyber criminal, which used the pseudonym of ‘Lordfenix’, ‘Hacker’s Son’ and ‘Filho de Hacker’, was selling each banking trojan for around US$300 since 2013.

Trend Micro reported that the student started his activity by attending principal hacking forums, where he found the collaboration of other malware authors.

“A 20-year-old college student whose underground username is Lordfenix has become one of Brazil’s top banking malware creators. Lordfenix developed his underground reputation by creating more than a hundred online banking Trojans, each valued at over US$300. Lordfenix is the latest in a string of young and notorious solo cybercriminals we’re seeing today.” Trend Micro says

Over the time Lordfenix has “grown quite confident in his skills” and incremented his business by developing custom-malware for his clients.

“Based on our research, Lordfenix has created more than 100 different banking Trojans, not including his other malicious tools, since April 2013,” Trend Micro added. “With each Trojan costing around R$1,000 (roughly $320), this young cybercriminal channeled his talent in programming into a lucrative, illegal venture.”

Lordfenix has begun by offering free versions of fully-functional Banking Trojan source code on the underground forum, the free version was working to target customers of four Brazilian banks including Bank of Brazil, Caixa, and HSBC Brazil. The model of sale was simple as efficient, Lordfenix offered further customization of the banking trojan to target other financial institutions.

“Lordfenix has since continued to develop and sell banking Trojans, one of which we detect as TSPY_BANKER.NJH. This Trojan is able to identify when a user types any of its target banks’ URLs. Among these targets are Banco de Brasil, Caixa, and HSBC Brasil.” continues Trend Micro.

Across the time Lordfenix has improved its malware by adding further features, like protection against security products. Lordfenix’s malware is able to discover and kill the GbpSV.exe process associated with the software G-Buster Browser Defense, a security program used by many Brazilian banks to protect their customers.

Lordfenix activities confirm the efficiency of the model of sale dubbed malware-as-a-service, aside its unquestionable abilities he benefits of the following factors as explained by Trend Micro:

• Brazil has a huge online banking user base. In 2013 alone, around 51% percent of all banking transactions within the country were done via the Internet.
• Digital crime is not necessarily a top priority in Brazil. The penalties against offenders are currently very low.

Pierluigi Paganini

(Security Affairs – banking trojan, Lordfenix )