New Host Modifier type malware that affects banks in Latin America


On August 29, 2019, a new variety of banking Trojans affecting Latin American banks, especially Peruvian entities, reached our malware analysis systems.

It functions based on the modification of the Windows ‘hosts’ file. The ‘hosts’ file is responsible for associating domain names with IP addresses, so this malware associates the domain name of Latin American banking entities with a fraudulent IP that shows a phishing page instead of the legitimate website.

This malware's operating method is based on the modification of the Windows ‘hosts’ file, responsible for locally linking domain names with IPs. This way, the malware manages to associate the domain name of Latin American banking entities with fraudulent IPs, so that when someone tries to visit and resolve those domains, phishing pages are displayed instead of the legitimate ones.

This type of banking malware is usually known in the technical field by the name of 'Hosts Modifier', a name owed to its operating method. The type has been known for years, although recently it has been losing popularity, especially since 2016.

A search of the latest files and URLs uploaded to the VirusTotal platform revealed that during the month of August, in addition to the sample detected, two other samples of this type of banking Trojan were uploaded. Both follow the same operating method. The only variation is the control server used for downloading the fraudulent content of the ‘hosts’ file (see indicators of compromise annex).

We must go back to April 2019 to find another recent sample of 'Hosts Modifier', and on that date we find just one. Prior to that, we have to go back to November 2018 (2 samples) and mid-2017.

host-modifier-entidades-peruanas-01

 

New ‘Host Modifier’-type malware THat affects banks in Latin America

(Especially Peruvian entities)

Trojans of the Host Modifier type are usually distributed through fake SPAM emails, in which it is common for the attacker to impersonate public agencies or companies. This modus operandi is not exclusive to this malware family, as we can see that there are other families that affect Latin American entities and also use these tricks.

 

Posted by David García

In his more than 9-year professional career, he has been involved in multiple projects, the most important being in the fields of managed security, anti-fraud and ethical hacking services, and malware analysis. He has contributed his know-how and security-related improvements to a wide variety of fraud and vulnerability analysis products. He currently oversees the smooth running of our different products and researches current fraud developments in order to showcase buguroo overseas as well as providing the development department with feedback on the latest malware and cybercriminal trends.

MALWARE PROTECTION AND ALERTING

MALWARE PROTECTION AND ALERTING

buguroo’s cloud-based fraud detection delivers a straightforward solution for detecting and stopping today’s – and tomorrow’s malware threats. Banks and their customers can be protected from one of the most malicious threats in use by cybercriminals.

LEARN HOW BUGUROO SOLVE IT

Solicita una demo

Would you like to know how our solution protects your bank?

Check how our solution can help you to resolve your company's online fraud issues by requesting a free DEMO and we explain it to you in detail.

Watch video

Did you like it? Share in your social communities.