Labs - Malware Analysis

New Host Modifier type malware that affects banks in Latin America

Written by buguroo | Sep 27, 2019 3:14:37 PM

On August 29, 2019, a new variety of banking Trojans affecting Latin American banks, especially Peruvian entities, reached our malware analysis systems.

Its operating method is based on modifying the Windows ‘hosts’ file, which is responsible for locally associating domain names with IP addresses. The malware adds entries that map the domain names of Latin American banking entities to fraudulent IPs, so that when a victim tries to visit and resolve those domains, a phishing page is displayed instead of the legitimate website.
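Because the artefact this family leaves behind is a rewritten ‘hosts’ file, the simplest host-side check is to parse that file and flag any name that resolves to an address outside the local ranges. The following script is an added example written for this post, not buguroo's own tooling: it parses hosts-file syntax, treats loopback, RFC 1918, link-local and unspecified addresses as legitimate, and reports everything else, plus any entry that overrides a domain on a defender-supplied watchlist. The sample hosts content, the bank domain names and the 203.0.113.0/24 address are constructed placeholders.

```python
"""Detect Hosts-Modifier style tampering in a Windows hosts file.

Added example (not part of the original write-up). It flags hosts
entries that redirect a name to a non-local address, which is exactly
what this banking Trojan family does to bank domains.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Usual Windows location; the sample below is embedded so the script runs offline.
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed hosts file: two stock loopback lines, one benign internal
# entry, and two redirections of the kind a Hosts Modifier writes.
# Domains and the 203.0.113.10 address are placeholders (RFC 5737 range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.20    printer.lan      # user-added, internal
203.0.113.10    www.bank-a.example   online.bank-a.example
203.0.113.10    banca.bank-b.example
"""

# Address ranges a hosts file may legitimately point names at.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "0.0.0.0/8", "::/128",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fe80::/10", "fc00::/7",
)]


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    hostnames: Tuple[str, ...]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts syntax: '<ip> <name> [<name> ...]'; '#' starts a comment."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], tuple(parts[1:])
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address; the resolver ignores such lines too
        if names:
            entries.append(HostsEntry(line_no, ip, names))
    return entries


def is_local_address(ip: str) -> bool:
    """True if the address lies in a loopback, private or link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS if net.version == addr.version)


def find_suspicious_entries(text: str,
                            watchlist: Optional[Set[str]] = None) -> List[HostsEntry]:
    """Entries that point a name at a non-local address, or that override
    a watched domain (e.g. the bank domains an organisation cares about)."""
    watch = {d.lower() for d in (watchlist or set())}
    hits = []
    for entry in parse_hosts(text):
        redirected_off_host = not is_local_address(entry.ip)
        watched = any(name.lower() in watch for name in entry.hostnames)
        if redirected_off_host or watched:
            hits.append(entry)
    return hits


def scan_file(path: str = DEFAULT_HOSTS_PATH,
              watchlist: Optional[Set[str]] = None) -> List[HostsEntry]:
    """Scan a real hosts file on disk (read-only)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious_entries(fh.read(), watchlist)


if __name__ == "__main__":
    for hit in find_suspicious_entries(SAMPLE_HOSTS, {"www.bank-a.example"}):
        print(f"line {hit.line_no}: {hit.ip} -> {', '.join(hit.hostnames)}")
```

Run against the embedded sample it reports lines 5 and 6; against a live machine, call `scan_file()` and feed the result to whatever alerting you already have. The watchlist matters because a future variant could just as well point a bank domain at an internal pivot host, which the address-range check alone would not catch.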

This type of banking malware is usually known in the technical field by the name ‘Hosts Modifier’, a name owed to its operating method. The type has been known for years, although recently it has been losing popularity, especially since 2016.

A search of the latest files and URLs uploaded to the VirusTotal platform revealed that during the month of August, in addition to the sample detected, two other samples of this type of banking Trojan were uploaded. Both follow the same operating method. The only variation is the control server used for downloading the fraudulent content of the ‘hosts’ file (see indicators of compromise annex).

We must go back to April 2019 to find another recent sample of ‘Hosts Modifier’, and on that date we find just one. Prior to that, we have to go back to November 2018 (2 samples) and mid-2017.