Pierluigi Paganini August 11, 2015

Security experts at Kaspersky Lab recently observed a big wave of malicious VBE files targeting Brazilian users to distribute Financial Trojan.

Recently security experts have seen old tricks rising from the dead (like for example word/excel macros attachment in e-mails) and malicious VBE files are being spread via email targeting Brazilian users.

These VBE files end up to be downloaded by users and when opened serve a banking Trojan malware on the victim’s machine.

Talking about the attack itself, all starts with an email with a .ZIP attachment or including a link to the malicious VBE file. These emails can be related with many subjects, recently attackers are using the Windows 10 release as the subject.

The malicious file attached or downloaded is very small, normally less than 1KB. Analyzing the file, we may find it encoded and looking like this:

After decoding, it will be possible to see the real intentions of the person or group who wrote the malicious file, in the specific case we see a reference to a website:

This malware belongs to the family of Banload and looking worldwide we see Brazil, Portugal and Spain as the most targeted countries:

This is another case among many others, it is necessary to adopt mitigation techniques that can help security departments to control such kind of attacks.

The images used in this post were taken from a blog post published by the security expert Fabio SecureList post.

Elsio Pinto (@high54security) is at the moment the Lead Mcafee Security Engineer at Swiss Re, but he also as known in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog Mcafee Security Engineer at Swiss Re, but he also as known in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – VBE file, macros)

[adrotate banner=”12″]