New Spy Banker Trojan Telax exploits Google Cloud Servers

Security firm Zscaler discovered a malicious campaign based on a new strain of the Spy Banker banking malware.

Security experts at Zscaler discovered a malware-based campaign relying on a new strain of Spy Banker banking malware.

Spy Banker is an old threat, it was first detected in 2009, the new variant spreads over social media, primary through Facebook, and relies on social engineering to trick users into clicking shortened Bit.ly URLs over the promise of coupons, vouchers or premium software downloads.

Zscaler experts also observed a number of victims were also compromised by drive-by downloads.

According to the researchers, the Spy Banker banking malware has been targeting Portuguese-speaking victims in Brazil.

“Zscaler ThreatLabZ has been closely monitoring a new Spy Banker Trojan campaign that has been targeting Portuguese-speaking users in Brazil. The malware authors are leveraging Google Cloud Servers to host the initial Spy Banker Downloader Trojan,which is responsible for downloading and installing Spy Banker Trojan Telax.” states the post published by Zscaler.

The campaign, spotted by researchers at Zscaler, spreads primarily over social media—Facebook for the most part—and uses convincing social engineering to trick users into clicking shortened Bit.ly URLs over the promise of coupons, vouchers or premium software downloads. A number of victims were also compromised by drive-by downloads.

The use of social media platforms to spread the malware is very effective, it exploits the user’s trust of messages coming from its network of contacts.

The malicious URLs point to a server hosted on Google Cloud Servers which host the Spy Banker downloader that is dropped on the victim’s machine. The downloader then downloads the Spy Banker Trojan Telax, whose aim is to steal online banking credentials.

In sample analyzed by Zscaler, the short URL points to a PHP files that’s hosted on a Google Cloud server. The PHP file then does a 302 redirect to download the initial Spy Banker Downloader Trojan payload.

In the attack illustrated by the experts, the executable file receitanet.com is posing to be Brazil’s federal revenue online tax returns service. In other cases observed by the researchers, the crooks used different themes offering discount vouchers and fake premium software applications.

The researchers revealed that this specific short URL had been clicked more than 103,000 times, 102,000 of which come Facebook.

 

Google has already cleaned up the cloud servers involved in the malicious campaign.

“It is important to note that Google has already cleaned up the cloud servers being currently redirected by these two active sites and hence the infection cycle will fail with a 404 Not Found message,” Zscaler said.

Zscaler published a detailed analysis of the new variant of the Spy Banker Trojan Telax … enjoy it!

Pierluigi Paganini

(Security Affairs – Spy Banker Trojan, Cybercrime)