New Host Modifier type malware that affects banks in Latin America

Posted by buguroo - 27/09/2019

On August 29, 2019, a new variety of banking Trojans affecting Latin American banks, especially Peruvian entities, reached our malware analysis systems.

Its operating method is based on modifying the Windows ‘hosts’ file, which is responsible for locally associating domain names with IP addresses. The malware adds entries that map the domain names of Latin American banking entities to a fraudulent IP, so that when a victim tries to visit and resolve one of those domains, a phishing page is displayed instead of the legitimate website.
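As an added illustration (not code from the post or from buguroo), here is a check a defender can run over a hosts file to spot the kind of override this family writes. The bank domain, the watchlist and the addresses are constructed placeholders, and the sample file content is embedded inline so it runs offline.

```python
import ipaddress

# Constructed sample of a Windows hosts file after a Hosts Modifier infection.
# "bank-example.pe" and 192.0.2.10 are placeholders, not indicators from the post.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
127.0.0.1 mypc.local
192.0.2.10 www.bank-example.pe
192.0.2.10 online.bank-example.pe   # appended by the Trojan
0.0.0.0 ads.example.net
"""

# Hypothetical watchlist of the entities you protect: a clean hosts file should
# never mention them at all, whatever address they are pointed to.
MONITORED_DOMAINS = {"bank-example.pe"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and trailing '#...'."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def on_watchlist(name):
    return any(name == d or name.endswith("." + d) for d in MONITORED_DOMAINS)

def suspicious_entries(text):
    """Return (ip, hostname, reason) for entries consistent with a Hosts Modifier.
    Loopback and unspecified targets (127.x, ::1, 0.0.0.0) are normal hosts-file
    content (local aliases, ad blocking); a routable address for a dotted
    hostname silently bypasses DNS, which is how the phishing page gets served.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "malformed address"))
            continue
        if on_watchlist(name):
            flagged.append((ip, name, "monitored domain present"))
        elif "." in name and not (addr.is_loopback or addr.is_unspecified):
            flagged.append((ip, name, "routable override"))
    return flagged

if __name__ == "__main__":
    # On a live host read r"C:\Windows\System32\drivers\etc\hosts" instead of the sample.
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{reason}: {name} -> {ip}")
```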

This type of banking malware is usually known in the technical field as 'Hosts Modifier', a name owed to its operating method. The type has been known for years, although it has been losing popularity recently, especially since 2016.

A search of the latest files and URLs uploaded to the VirusTotal platform revealed that during the month of August, in addition to the sample detected, two other samples of this type of banking Trojan were uploaded. Both follow the same operating method. The only variation is the control server used for downloading the fraudulent content of the ‘hosts’ file (see indicators of compromise annex).

We must go back to April 2019 to find another recent sample of 'Hosts Modifier', and on that date we find just one. Prior to that, we have to go back to November 2018 (2 samples) and mid-2017.


Trojans of the Host Modifier type are usually distributed through spam emails in which the attacker commonly impersonates public agencies or companies. This modus operandi is not exclusive to this malware family: other families that affect Latin American entities also use the same tricks.
