MSRT June 2015: BrobanDel

Providing further protections for our customers, this month we added three new malware families and two variants to the Microsoft Malicious Software Removal Tool (MSRT):

Gatak is a family of information-stealing malware that collects sensitive information from a compromised system and sends it to a remote attacker. Bagopos is another information-stealing malware family; it targets credit card information stored in memory. PWS:Win32/OnLineGames.AH and PWS:Win32/OnLineGames.MV both target account user names and passwords for popular online games.

This blog post takes a deeper look at BrobanDel, a family of trojans that tries to steal money by modifying the account details on a Boleto Bancário, a common Brazilian payment method. By using the MSRT, systems are further inoculated against this and other such cyberthreats.

Transaction example: Boleto Bancário

Boleto Bancário is commonly used in Brazil for online purchases and for payments at some government offices. A Boleto can be paid at common locations, such as banks, ATMs and supermarkets. To pay using this system, a seller sends the buyer a Boleto containing information such as the payment amount, expiration date, and the payment account details. The buyer pays the specified amount, and once the payment is confirmed, the seller ships the product.

Figure 1: Example of a Boleto. For the purposes of this example, names are fictitious.

Every Boleto has a unique identification number that can be broken down into the following:

Figure 2: Example of the various fields in a Boleto identification number

  • The "bank ID" represents the bank responsible for issuing the Boleto. One indication that a Boleto has been modified by malware is a bank icon image on the Boleto that doesn't match the bank ID.
  • The "Nosso Numero" uniquely identifies the Boleto.
  • The "Agencia Codigo Cedente" varies depending on the bank, but usually contains information about the payment account.
  • The "expiration date" shows the last day the Boleto can be paid at various locations. After the expiration date, the Boleto can only be paid at the issuing bank.
  • The "value" represents the total amount to be paid for the Boleto.

The rest of the digits are used for the checksum.

BrobanDel malware details

BrobanDel can manipulate Boleto identification numbers so that payments are made to the attackers’ bank account.

The trojans are usually distributed by a spam email attachment. These malicious attachments are often zipped or contain double extensions. They usually try to imitate an important document to entice users into opening them. For example, we have seen the attachments use the following file names:

  • Contrato.cpl
  • INTIMACAO-TRT-98822211.exe
  • Planilha-Pendencias.doc_________.exe
  • Visualizar_Processo_MPF_000874732666213.cpl
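
A mail filter can flag names like these before a user sees them. The following is an added example, not code from the original post: the decoy-extension list, the padding threshold and the archive name documentos.zip are assumptions, and the sample archive is constructed with harmless bytes.

```python
import io
import re
import zipfile

EXECUTABLE = (".exe", ".cpl")   # extensions used by the file names listed above
# Assumed decoy document extensions, optionally followed by padding characters.
DECOY = re.compile(r"\.(docx?|xlsx?|pdf|txt|jpg)[_\s.]*$", re.IGNORECASE)
PADDING = re.compile(r"[_\s]{3,}$")   # assumed threshold: 3+ filler characters

def name_flags(name):
    """Flag an attachment or archive-member name that hides an executable."""
    stem, dot, ext = name.rpartition(".")
    if not dot or "." + ext.lower() not in EXECUTABLE:
        return []
    flags = ["executable"]
    if DECOY.search(stem):
        flags.append("double-extension")
        if PADDING.search(stem):
            flags.append("padded")
    return flags

def scan_attachment(filename, data):
    """Return {name: flags} for the attachment and, if it is a zip, its members."""
    names = [filename]
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names += archive.namelist()
    return {n: f for n in names if (f := name_flags(n))}

def sample_zip():
    """Constructed archive: harmless bytes under one of the names listed above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Planilha-Pendencias.doc_________.exe", b"constructed")
    return buf.getvalue()

if __name__ == "__main__":
    for n in ("Contrato.cpl", "INTIMACAO-TRT-98822211.exe"):
        print(n, name_flags(n))
    print(scan_attachment("documentos.zip", sample_zip()))
```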

When the attachment is opened, it downloads two malicious components to %APPDATA%. The first threat is detected as a variant of TrojanSpy:Win32/BrobanDel, and collects email information from a PC, which a cybercriminal could then use to conduct a spam email campaign. The second threat installs either a Firefox or a Chrome browser extension, depending on the user’s browser. It is detected as a variant of TrojanSpy:JS/BrobanDel if it downloads the browser extension, or TrojanSpy:Win32/BrobanDel if the browser extension is embedded.

Figure 3: Example of BrobanDel browser extension for Firefox

The BrobanDel payload is a malicious browser extension that looks for patterns in web pages that match a Boleto. For instance, a Boleto usually arrives as an HTML file. BrobanDel searches the web page for the specific pattern of a Boleto ID and, once it finds it, sends the original Boleto information, such as the bank ID and payment value, to its command and control (C&C) server and requests an attacker-generated Boleto ID. This ID contains the attacker’s designated account in the “Agencia Codigo Cedente”.

Figure 4: Code responsible for contacting C&C

The original Boleto ID is then replaced by the attacker-generated one.

Figure 5: Code responsible for replacing Boleto ID

The malicious extension also corrupts the barcode of the Boleto. This prevents barcode scanning and forces the user to manually type in the attacker’s Boleto ID.

When the modified Boleto Bancário is paid successfully, the payment is deposited in the attacker’s bank account.
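
The identification-number fields and the replacement described above can be checked mechanically. The following is an added example, not code from the original post: it assumes the standard 47-digit FEBRABAN bank-collection layout (Figure 2 is not reproduced here) and uses two constructed IDs. It shows that a well-formed replacement ID still passes its check digits, so the useful test is comparing the ID on screen with the one the seller issued.

```python
import re
from datetime import date, timedelta

# Constructed samples: same value and due date, different bank and free field.
ISSUED = "00191.23454 00000.678904 00000.123455 4 64750000025000"
DISPLAYED = "03399.87653 00000.543215 00000.987651 8 64750000025000"
BASE_DATE = date(1997, 10, 7)  # day zero of the due-date factor (pre-2025 cycle)

def mod10(digits):
    """Check digit for each of the three leading fields (weights 2,1,2,1...)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        p = int(ch) * (2 if i % 2 == 0 else 1)
        total += p // 10 + p % 10          # add the digits of each product
    return (10 - total % 10) % 10

def mod11(digits):
    """General check digit over the 43 barcode digits (weights 2..9)."""
    total = sum(int(ch) * (2 + i % 8) for i, ch in enumerate(reversed(digits)))
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv

def parse_boleto(line):
    d = re.sub(r"\D", "", line)            # drop dots and spaces
    if len(d) != 47:
        raise ValueError("expected 47 digits")
    f1, f2, f3 = d[:10], d[10:21], d[21:32]
    general_dv, factor, value = int(d[32]), d[33:37], d[37:]
    # Bank-defined free field: carries Nosso Numero / Agencia Codigo Cedente.
    free = f1[4:9] + f2[:10] + f3[:10]
    fields_ok = all(mod10(f[:-1]) == int(f[-1]) for f in (f1, f2, f3))
    general_ok = mod11(d[:4] + factor + value + free) == general_dv
    return {"bank": d[:3], "free_field": free,
            "due": BASE_DATE + timedelta(days=int(factor)),
            "value_cents": int(value), "checks_ok": fields_ok and general_ok}

def changed_fields(issued, displayed):
    """Fields that differ between the seller's ID and the one on screen."""
    a, b = parse_boleto(issued), parse_boleto(displayed)
    return [k for k in ("bank", "free_field", "due", "value_cents") if a[k] != b[k]]

if __name__ == "__main__":
    print(parse_boleto(DISPLAYED)["checks_ok"])   # well-formed, yet...
    print(changed_fields(ISSUED, DISPLAYED))      # ...the payee fields differ
```

The bank code returned by parse_boleto is also the value to compare with the bank logo shown on the Boleto.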

BrobanDel telemetry

As expected, Brazil has the highest number of infections, as BrobanDel primarily targets a Brazilian payment method. Portugal has the second highest number of infections because of the common language. Some BrobanDel downloaders only install on PCs with Portuguese set as the default operating system language.

Figure 6: Machine and file telemetry for BrobanDel

Figure 7: The top five countries most affected by BrobanDel infections

Stay protected

Microsoft security products, such as Windows Defender for Windows 8.1, include detection for BrobanDel and other Boleto-related malware families. An important protection is therefore to always keep your security product and other software up to date.

Guard against the dangers of opening suspicious emails. Do not open email attachments or links from untrusted sources. The Microsoft SmartScreen filter can also help detect spam. It’s built-in and enabled by default in Microsoft email programs.

For enterprise users:

Jeong Mun
