Friday 11 December 2015

New Spy Banking Trojan Telax Found By Security Firm Zscaler

The attackers spread the campaign through social engineering lures such as coupon vouchers and free software applications like WhatsApp and Avast antivirus.

Notably, the initial payload is hosted on Google Cloud servers. When users click the malicious link, the malware's goal is to steal their banking details.

“Zscaler ThreatLabZ has been closely monitoring a new Spy Banker Trojan campaign that has been targeting Portuguese-speaking users in Brazil. The malware authors are leveraging Google Cloud Servers to host the initial Spy Banker Downloader Trojan, which is responsible for downloading and installing Spy Banker Trojan Telax,” states the post published by Zscaler.

How does the attack work?

The attack starts with a shortened URL posted on a social networking site, or with a drive-by download from malicious sites purporting to offer premium software or coupons. Below is a recent attack chain in which the user clicked on a link shared via Facebook that led to the download of the Telax payload.

The file is hosted on a Google Cloud server, from which the initial Spy Banker Downloader Trojan payload is downloaded.

Spy Banker Trojan Telax analysis

The initial file that gets downloaded is the Spy Banker Downloader Trojan. The Downloader Trojan is responsible for downloading and executing the final payload from a list of predetermined URLs, as seen below:

The final payload, Spy Banker Trojan Telax, is a Delphi executable capable of stealing banking credentials, targeting Portuguese-speaking users. Upon execution, Telax injects malicious code into the legitimate Visual Basic Compiler (vbc.exe) process. The injected code first checks for the presence of virtual environments such as VMware, VirtualBox, Wine and Virtual PC on the target system.

The Telax executable contains the following additional files embedded in its resource section:

  • SQLLite.dll - legitimate SQLite binary
  • 32-bit rootkit component
  • 64-bit rootkit component
  • 64-bit copy of itself

Depending on the bitness of the target operating system, Telax registers the appropriate rootkit driver as a service:

HKLM\SYSTEM\CurrentControlSet\Services\hookmgr\ImagePath: "<User>\<CurrentLocation>\hookmgr.sys"
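A defender can turn that registry artifact into a check. The script below is an added example (not Zscaler's code): it audits a constructed export of `HKLM\SYSTEM\CurrentControlSet\Services` entries and flags kernel drivers whose ImagePath points outside `System32\drivers`, as the `hookmgr.sys` entry above does, and separately flags the `hookmgr` service and file name reported in the write-up. The sample entries and the `(name, ImagePath)` export format are assumptions.

```python
import ntpath
import re

# Constructed sample of Services hive entries (name, ImagePath), shaped like
# an inventory script's export. These are not real data from any host.
SAMPLE_SERVICES = [
    ("disk", r"\SystemRoot\System32\drivers\disk.sys"),
    ("hookmgr", r"C:\Users\victim\Downloads\hookmgr.sys"),
    ("updsvc", r"C:\Users\victim\AppData\Local\Temp\upd.sys"),
    ("Spooler", r"%SystemRoot%\System32\spoolsv.exe"),
]

# Where a legitimate kernel driver is expected to load from (normalized form).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Service and driver name reported for the Telax rootkit component.
TELAX_SERVICE_NAME = "hookmgr"
TELAX_DRIVER_FILE = "hookmgr.sys"


def normalize_image_path(raw: str) -> str:
    """Canonicalize the ImagePath spellings commonly seen in the Services hive."""
    path = raw.strip().strip('"').lower()
    path = re.sub(r"^\\\?\?\\", "", path)               # \??\C:\... -> c:\...
    path = path.replace("%systemroot%", "c:\\windows")  # environment-variable form
    if path.startswith("\\systemroot\\"):                # NT object-manager form
        path = "c:\\windows" + path[len("\\systemroot"):]
    elif path.startswith("system32\\"):                  # path relative to SystemRoot
        path = "c:\\windows\\" + path
    return path


def audit_driver_services(services):
    """Return (service_name, reason) for every driver entry worth an analyst's look."""
    findings = []
    for name, raw_path in services:
        path = normalize_image_path(raw_path)
        if not path.endswith(".sys"):
            continue  # only kernel-mode driver images are of interest here
        base = ntpath.basename(path)
        if name.lower() == TELAX_SERVICE_NAME or base == TELAX_DRIVER_FILE:
            findings.append((name, "matches Telax rootkit indicator"))
        elif not path.startswith(TRUSTED_DRIVER_DIRS):
            findings.append((name, "driver image outside System32\\drivers"))
    return findings


if __name__ == "__main__":
    for service, reason in audit_driver_services(SAMPLE_SERVICES):
        print(f"{service}: {reason}")
```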

Google removed the malicious link:
“It is important to note that Google has already cleaned up the cloud servers being currently redirected by these two active sites and hence the infection cycle will fail with a 404 Not Found message,” Zscaler said.

Geographic View:

As the screenshot shows, the Spy Banker Telax Banking Trojan is targeted mostly at Brazil. More than 100,000 users clicked on the shortened malicious URL.

Source: ZScaler
