New Host Modifier type malware that affects banks in Latin America


On August 29, 2019, a new variety of banking Trojans affecting Latin American banks, especially Peruvian entities, reached our malware analysis systems.

Its operating method is based on modifying the Windows ‘hosts’ file (located at %SystemRoot%\System32\drivers\etc\hosts), which maps domain names to IP addresses locally and is consulted before any DNS query is made. The malware adds entries that associate the domain names of Latin American banking entities with a fraudulent IP, so that when the victim tries to visit one of those domains, the browser is sent to a phishing page instead of the legitimate website. Because the hosts file overrides DNS for the whole system, the redirection works regardless of which resolver the machine uses; however, a phishing page served from the fraudulent IP cannot present a certificate that is valid for the bank's domain, so a browser certificate warning is often the only visible sign the victim gets.
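As an added example (not code from the original post or from the malware itself), the following script checks a Windows hosts file for the kind of tampering described above: active entries that map a hostname to an IP address other than loopback or the 0.0.0.0 blackhole, optionally restricted to a watchlist of bank domains. The embedded hosts content, the domain bank-example.pe and the address 203.0.113.10 are constructed illustrative values, not real indicators of compromise.

```python
"""Check a Windows hosts file for Host Modifier-style redirections.

Usage: python check_hosts.py [path-to-hosts-file]
Without an argument it reads the real Windows hosts file if present,
otherwise it falls back to the constructed sample below.
"""
import ipaddress
import sys
from pathlib import Path

# Default location of the hosts file on Windows.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Constructed sample of a tampered hosts file (illustrative values only).
# Lines 6-7 emulate the malware's additions; lines 5, 8 and 9 are benign
# overrides an administrator might legitimately have.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1   dev.local
203.0.113.10   www.bank-example.pe  # trailing comment is ignored
203.0.113.10   online.bank-example.pe bank-example.pe
10.0.0.5   intranet.corp.local
0.0.0.0   ads.example.net
"""

# Hypothetical watchlist of monitored banking domains (assumption).
WATCHLIST = {"bank-example.pe"}


def parse_hosts(text):
    """Return (line_no, ip_address, [hostnames]) for every active entry.

    A '#' starts a comment anywhere on the line; blank lines and lines whose
    first token is not a valid IPv4/IPv6 address are skipped.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue  # malformed line, nothing to resolve
        entries.append((line_no, ip, [h.lower() for h in tokens[1:]]))
    return entries


def find_redirections(text, watchlist=None):
    """Return entries that send a hostname to a routable address.

    Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0, ::) targets are the
    normal benign uses of the hosts file and are ignored. When a watchlist is
    given, only hostnames equal to or under one of those domains are reported.
    """
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        for host in hosts:
            if watchlist is None or any(
                host == d or host.endswith("." + d) for d in watchlist
            ):
                findings.append({"line": line_no, "host": host, "ip": str(ip)})
    return findings


if __name__ == "__main__":
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else WINDOWS_HOSTS
    if path.exists():
        text, source = path.read_text(errors="replace"), str(path)
    else:
        text, source = SAMPLE_HOSTS, "embedded sample"
    hits = find_redirections(text, watchlist=WATCHLIST)
    print(f"{source}: {len(hits)} watchlisted redirection(s)")
    for hit in hits:
        print(f"  line {hit['line']}: {hit['host']} -> {hit['ip']}")
```

Running it without a watchlist (`find_redirections(text)`) also surfaces legitimate corporate overrides such as the intranet entry in the sample, which is why a per-institution watchlist, or a baseline of the expected hosts file, is the practical way to turn this into an alert.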

This type of banking malware is usually known in the trade as a 'Hosts Modifier', a name it owes to its operating method. The family has been known for years, although its use has been declining, especially since 2016.

A search of the latest files and URLs uploaded to the VirusTotal platform revealed that, in addition to the sample detected, two other samples of this type of banking Trojan were uploaded during August. Both follow the same operating method; the only variation is the control server from which the fraudulent ‘hosts’ content is downloaded (see the indicators of compromise annex).

We must go back to April 2019 to find another recent sample of 'Hosts Modifier', and on that date we find just one. Prior to that, we have to go back to November 2018 (two samples) and mid-2017.


Trojans of the Host Modifier type are usually distributed through spam emails in which the attacker commonly impersonates public agencies or companies. This modus operandi is not exclusive to this malware family: other families that target Latin American entities use the same tricks.

 

Posted by David García

In his more than 9-year professional career, he has been involved in multiple projects, the most important being in the fields of managed security, anti-fraud and ethical hacking services, and malware analysis. He has contributed his know-how and security-related improvements to a wide variety of fraud and vulnerability analysis products. He currently oversees the smooth running of our different products and researches current fraud developments in order to showcase buguroo overseas as well as providing the development department with feedback on the latest malware and cybercriminal trends.
