GMA News Online

Data-stealing malware now masquerades as Chrome installer

May 16, 2012 11:29am
Users of Google's Chrome browser should double-check any Chrome installer they download, even one that appears to come from Facebook or Google domains, a security vendor said Wednesday.

Trend Micro said the malicious file, named ChromeSetup.exe and served even under domain names such as Facebook's and Google's, is detected as TSPY_BANKER.EUIQ.

"Once running on a system, TSPY_BANKER.EUIQ sends information such as the infected system’s IP address and operating system name to a specific IP address. It also downloads a configuration file that contains information it uses to redirect access to fake banking pages whenever a user attempts to visit certain banking websites," Trend Micro said in a blog post.

"It also appears the attack is targeting Brazilian users and Brazilian banks," it added.

The Trend Micro blog post indicated the .exe file was hosted on domains that included,,,,, and

It said requests for the file were being redirected to two IP addresses that do not belong to the accessed domains, rather than to those domains' legitimate IPs.

"What’s more noteworthy is the fact we're seeing access in clients from the Latin American region, mostly in Brazil and Peru," it noted.

Once a user opens a targeted bank’s site, TSPY_BANKER.EUIQ intercepts the page request and displays a message tricking users into thinking that the website is loading security software.

But in reality, the malware is already redirecting users to the spoofed banking website.

The malware then opens Internet Explorer and loads the spoofed link, selecting which link to use according to the title of the browser window the user has open.

A component of the malware, TROJ_KILSRV.EUIQ, then attempts to uninstall GbPlugin, a security plug-in that protects customers of Brazilian banks during online banking transactions.

"It does this through the aid of gb_catchme.exe, a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software. The bad guys, in this case, are using the tool for their malicious agendas," Trend Micro said.

Separately, an analysis of the Internet Protocol (IP) address to which TSPY_BANKER.EUIQ sends the infected system’s IP address and operating system name turned up a control panel displaying logs of the attack.

"During the time the C&C (command and control) panel was analyzed, we have observed an abrupt increase in the registered logs. In fact, the phone home logs jumped from around 400 to nearly 6000 in a span of 3 hours," it said.

"These logs are comprised of 3000 unique IP addresses, which translates to the number of machines infected by the malware," it added.

Banker variations

Trend Micro also noted several variations of the BANKER malware, including newer variants that bundle the different components in a single package.

It also noted that the malware redirects requests for ordinary websites such as Facebook or Google to its own malicious IP address in order to deliver the malware.
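The redirection described above, in which Facebook and Google names lead to an attacker's IP address instead of the real sites, is the reason URL-based blocking fails here: the domain in the address bar is legitimate, only the destination is not. The check below is an added example, not code from the GMA article or from Trend Micro. It assumes the redirection is done by changing what the victim's machine resolves a name to, either a planted hosts-file entry or altered DNS settings; the article does not say which mechanism this malware used. The hosts-file text and all resolver answers are constructed sample data in reserved documentation address ranges, and the function and domain names are the example's own.

```python
"""Check whether well-known domain names resolve somewhere they should not.

Added example (not from the GMA article or Trend Micro). Assumes the
redirection is implemented as a hosts-file entry or an altered DNS answer;
all data below is constructed, using reserved documentation ranges.
"""
import ipaddress
from typing import Dict, List, Set

# Constructed hosts file: one planted line maps Facebook and Google names
# to an address that belongs to neither company.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    facebook.com www.facebook.com google.com www.google.com  # planted
"""

# Constructed: what the machine's configured DNS server returned.
DNS_ANSWERS: Dict[str, Set[str]] = {
    "facebook.com": {"198.51.100.10"},
    "www.facebook.com": {"198.51.100.10"},
    "google.com": {"192.0.2.21"},          # subset of the reference: fine
    "www.google.com": {"192.0.2.20"},
    "example.net": {"192.0.2.99"},
    "update.example": {"203.0.113.46"},    # DNS-level redirect, not in hosts
}

# Constructed: answers from a trusted resolver queried from a clean host.
REFERENCE_ANSWERS: Dict[str, Set[str]] = {
    "facebook.com": {"198.51.100.10"},
    "www.facebook.com": {"198.51.100.10"},
    "google.com": {"192.0.2.20", "192.0.2.21"},
    "www.google.com": {"192.0.2.20"},
    "example.net": {"192.0.2.99"},
    "update.example": {"192.0.2.50"},
}


def parse_hosts(text: str) -> Dict[str, Set[str]]:
    """Parse hosts-file text into {hostname: {ip, ...}}; skip comments,
    blank lines, and lines whose first field is not a valid IP address."""
    entries: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.setdefault(name.lower(), set()).add(str(ip))
    return entries


def suspicious_hosts_entries(entries: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Hosts-file names mapped to an address other than this machine.
    A stock hosts file holds little beyond loopback, so a dotted public
    name pointed at a routable address deserves a look."""
    flagged: Dict[str, List[str]] = {}
    for name, ips in entries.items():
        odd = sorted(ip for ip in ips
                     if not (ipaddress.ip_address(ip).is_loopback
                             or ipaddress.ip_address(ip).is_unspecified))
        if odd and "." in name:
            flagged[name] = odd
    return flagged


def effective_answers(hosts_entries: Dict[str, Set[str]],
                      dns_answers: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Model the stub resolver: a hosts-file entry overrides DNS for that name."""
    merged = {name: set(ips) for name, ips in dns_answers.items()}
    for name, ips in hosts_entries.items():
        merged[name] = set(ips)
    return merged


def find_hijacked(local: Dict[str, Set[str]],
                  reference: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Names whose local answer shares no address with the reference answer."""
    hijacked: Dict[str, List[str]] = {}
    for name, ref_ips in reference.items():
        local_ips = local.get(name)
        if local_ips and local_ips.isdisjoint(ref_ips):
            hijacked[name] = sorted(local_ips)
    return hijacked


def redirect_targets(hijacked: Dict[str, List[str]]) -> Set[str]:
    """Distinct addresses the hijacked names are being sent to."""
    return {ip for ips in hijacked.values() for ip in ips}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("hosts-file overrides:", suspicious_hosts_entries(hosts))
    print("DNS-only view misses:", find_hijacked(DNS_ANSWERS, REFERENCE_ANSWERS))
    full = find_hijacked(effective_answers(hosts, DNS_ANSWERS), REFERENCE_ANSWERS)
    print("hijacked names:", full)
    print("redirect targets:", sorted(redirect_targets(full)))
```

Two points the sample data is built to show: querying the DNS server alone catches only update.example, because a planted hosts-file line is never sent to DNS, so the hosts file has to be read directly (on Windows, %SystemRoot%\System32\drivers\etc\hosts); and a partial overlap such as google.com's single address is not treated as a hijack, since large sites legitimately return different subsets of addresses to different resolvers. For real use, DNS_ANSWERS would come from the local stub resolver (for example socket.gethostbyname_ex) and REFERENCE_ANSWERS from a trusted resolver queried from a clean network; a disjoint answer is a reason to check who owns the address, not proof of compromise by itself.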

"Online threats will continue to evolve and find ways into systems. As such, traditional web blocking technologies may fail to block access to malicious URLs, especially when these are masked with the use of legitimate domains like those of Facebook or Google," it said. — LBG, GMA News