The directions come as a zipped text file along with the Trojan downloader with the malware hiding on the recipient’s computer behind the standard icon for an Excel file. If the downloader does not automatically open or is stopped by the recipient’s antivirus software, the directions in the readme.txt give detailed directions how to execute that malware.
Here is a summary:
- Just click to agree to everything: Double click on the extracted file. And from there, just click on “Agree” and then “Run”. For PCs with Windows 8 or the newer 10, click on “More Information” -> “Download anyway” at the standard SmartScreen warning.
- Disable or turn off your antivirus or firewall: AVs and firewalls can block all files downloaded from the internet. If there are problems, add this file to the exceptions list and try again. Or, temporarily turn off the AV or firewall until the file has been downloaded.
“They really want to be sure that the user ‘properly’ gets infected,” pointed out Oscar Anduiza, malware analyst at Avira. “These directions are pretty much exactly 180 degrees off from what computer users should actually do.”
The readme.txt file is in standard, but slightly irregular German, but does not appear to be a machine translation. This indicates that the text has been written for the German mass-market but is probably also being distributed in other languages such as English.
“This gives the cybercriminals a second chance at a successful installation, especially after the AV has blocked the initial attempt. This is an interesting social engineering trick, especially as the downloader and malware are not especially sophisticated,” added Anduiza.
If users click, they begin an “installation process” that starts with a popup of suspicious root certificate. This official-looking certificate — apparently issued by COMODO — gives the issuers unlimited permission to make changes on the system, move freely past the firewall and circumvent the already installed AV.
The malware will download a malicious file that is copied to three places in the computer. One of them is copied into the Startup folder, insuring that the malware will be executed every time the computer starts Windows.
c:\ProgramData\VCFKARJR.com
c:\Users\All Users\VCFKARJR.com
c:\Users\%user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif
As of March 3, the installed malware was a banking Trojan that steals credentials and financial information. However, the precise link or new variants can be added by the cybercriminals at short notice. The current banking Trojans are covered by Avira detections.
