It all starts when the computer user opens the attached .zip file and executes the file with the Excel icon inside. This kicks off an “installation process” in which the popup warning about a suspicious root certificate from the “COMODO Certification Authority” flashes by in less than a second. It’s just like the best of Dr. Who – blink and you will miss it – no additional help needed. But there is a problem with this certificate: it’s not from Comodo.
Name recognition counts
“The Comodo name is well known and just does not look suspicious on certificates,” explains Oscar Anduiza, malware analyst at Avira.
Comodo is the largest Certificate Authority (CA), one of the global “trust anchors” at the top of the “chain of trust” charged with verifying identities and levels of authorization.
But this certificate is self-signed by the issuers – not Comodo. Self-signed certificates are equivalent to a schoolyard know-it-all’s statement: “It’s good because I said so. Don’t ask questions, everything will be just fine.” The email address listed on the certificate is email@example.com.***. And a root certificate is a carte blanche that empowers the issuer to do almost anything to the computer – very useful for data-stealing malware.
The spoof continues on the other certificate tabs, making it appear that the certificate comes from Comodo, despite it being self-issued by someone else. “Instructions on how to do this are easily obtainable on the internet – from official and other sources,” he adds.
Just follow the directions
In case the downloader does not automatically open or is stopped by the recipient’s antivirus software, this malware comes with directions that get around that problem. The directions come as a zipped “readme.txt” file alongside the Trojan downloader. They give computer users detailed directions on how to execute that malware.
Here is a summary:
- Just click to agree to everything: Double click on the extracted file. And from there, just click on “Agree” and then “Run”. For PCs with Windows 8 or the newer 10, click on “More Information” -> “Download anyway” at the standard SmartScreen warning.
- Disable or turn off your antivirus or firewall: AVs and firewalls can block all files downloaded from the internet. If there are problems, add this file to the exceptions list and try again. Or, temporarily turn off the AV or firewall until the file has been downloaded.
“They really want to be sure that the user ‘properly’ gets infected,” says Anduiza. “These directions are pretty much exactly 180 degrees off from what computer users should actually do.”
The readme.txt file is written in standard, if slightly irregular, German and does not appear to be a machine translation. This indicates that the text has been written for the German mass market, but it is probably also being distributed in other languages such as English.
“This gives the cybercriminals a second chance at a successful installation, especially after the AV has blocked the initial attempt,” he points out. “This is an interesting social engineering trick, especially as the downloader and malware are not especially sophisticated.”
Start me up with malware
The malware downloads a malicious file from a compromised URL, hxxp://lebensbau.de/%%/dftrxtretxetxer.exe. The file is copied to three places on the computer, one of which is the Startup folder, ensuring the malware is executed every time Windows starts.
- c:\Users\All Users\VCFKARJR.com
- c:\Users\%user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif
As of early March, the installed malware was a banking Trojan that steals credentials and financial information. This downloaded malware is detected by Avira as TR/Crypt.XPack.xxx.
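For defenders checking a machine, the two artifacts described above (a self-signed root certificate that borrows the Comodo name, and the copies dropped into the ProgramData and Startup locations) can be looked for with a short script. The following is an added example, not code from the Avira post; it treats “not in the Microsoft-distributed AuthRoot store” and “an e-mail address in the subject” as heuristic signals of a spoofed root, and the persistence paths are the ones quoted in the article.

```powershell
# Added example (not from the Avira post). Heuristic triage of the root stores
# and the persistence paths named in the article. Run in an elevated PowerShell.

# Comparison set: third-party roots distributed by Microsoft's Trusted Root Program.
$msRoots = @{}
Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
    ForEach-Object { $msRoots[$_.Thumbprint] = $true }

$findings = @()
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    foreach ($cert in Get-ChildItem -Path $store) {
        # Only look at certificates that claim the Comodo brand, as the spoof does.
        if ($cert.Subject -notmatch 'COMODO') { continue }

        $reasons = @()
        # A genuine Comodo root should be one Microsoft already ships.
        if (-not $msRoots.ContainsKey($cert.Thumbprint)) {
            $reasons += 'thumbprint not in Microsoft-distributed AuthRoot store'
        }
        # Real CA roots do not carry an e-mail address in the subject; the spoofed one did.
        if ($cert.Subject -match '(^|,\s*)E=') {
            $reasons += 'e-mail address in subject'
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Location   = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# Persistence locations from the article. "c:\Users\All Users" is a junction to ProgramData.
$paths = @(
    (Join-Path $env:ProgramData 'VCFKARJR.com'),
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'system.pif')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{
            Location = 'FileSystem'; Subject = $p; Thumbprint = ''; Reasons = 'persistence path present'
        }
    }
}

$findings | Format-Table -AutoSize
```

Anything flagged is a lead for manual review, not a verdict: an administrator may have imported a legitimate root by hand, which would also miss the AuthRoot comparison.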