Security researchers from Kaspersky have spotted a new variant of the Jumcar malware, a threat that’s designed to steal banking information from the users of infected devices.
According to experts, the source code of this Latin American Trojan contains insults addressed to security researchers, which suggests that the malware developers knew that their creation would be analyzed.
The latest version of Jumcar (Trojan.Win32.Fsysna) is written in .NET and it’s disguised as a harmless-looking Facebook application.
Researchers found debug information in the file they analyzed. The sample had been uploaded to VirusTotal by someone apparently named Victor, which suggests that the author himself submitted the sample to see whether antivirus engines would detect it.
When the executable is launched, the malicious payload is delivered. First, the threat checks whether an Internet connection is available and then downloads additional components. Next, it retrieves a text file containing the names of the targeted banks from a server in Chile.
Once everything is in place, Jumcar monitors the websites visited by victims. When a banking website is accessed, the user is redirected to a different IP address that hosts a fake version of the site.
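The article does not say how the redirection to the attacker-controlled IP is implemented. A common way for a banking Trojan to achieve it is by rewriting the local hosts file so that bank hostnames resolve to the attacker's server, and that is the assumption behind the following defender-side check. It is an added example, not code from the article or from Kaspersky, and all domains, IPs and the sample hosts file contents are constructed placeholders.

```python
"""
Flag hosts-file entries that pin watched banking domains to a non-loopback IP.

Added example, not from the article or Kaspersky's analysis. It ASSUMES the
redirection is done by editing the local hosts file; the article itself does
not state the mechanism. All domains and addresses below are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample hosts file. The 203.0.113.0/24 block is reserved for
# documentation, and the *.test domains are placeholders, not real banks.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost
# Constructed suspicious entries: bank hostnames pinned to an outside address
203.0.113.45  www.bank-example.test
203.0.113.45  online.otherbank-example.test
127.0.0.1     www.bank-example.test   # loopback entry, not a hijack
"""

# Constructed defender watchlist of domains (parent domains match subdomains).
WATCHLIST = {"bank-example.test", "otherbank-example.test"}

_LINE_RE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, skipping comments,
    blank lines and lines whose first token is not a valid IP address."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        ip_text, names = m.group(1), m.group(2).split()
        try:
            ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # not a hosts entry we can interpret
        for name in names:
            pairs.append((ip_text, name.lower()))
    return pairs


def _is_watched(hostname: str, watchlist) -> bool:
    """True if hostname equals a watched domain or is a subdomain of one."""
    return any(hostname == w or hostname.endswith("." + w) for w in watchlist)


def find_hijacks(text: str, watchlist) -> Dict[str, List[str]]:
    """Map each watched hostname to the non-loopback IPs the hosts file
    resolves it to. Loopback entries are ignored; anything else for a
    banking domain deserves a look, since a bank's site should normally be
    resolved through DNS, not pinned locally."""
    hits: Dict[str, List[str]] = {}
    for ip_text, name in parse_hosts(text):
        if _is_watched(name, watchlist) and not ipaddress.ip_address(ip_text).is_loopback:
            hits.setdefault(name, []).append(ip_text)
    return hits


if __name__ == "__main__":
    # In practice, read /etc/hosts or
    # C:\Windows\System32\drivers\etc\hosts instead of the constructed sample.
    for host, ips in find_hijacks(SAMPLE_HOSTS, WATCHLIST).items():
        print(f"possible hijack: {host} -> {', '.join(ips)}")
```

Running the check against the constructed sample reports the two bank hostnames pinned to 203.0.113.45 and stays silent on the loopback entry. Pairing this with periodic monitoring of the hosts file's modification time, and with alerts on banking hostnames that resolve to addresses outside the bank's known ranges, gives a cheap detection for this class of redirection regardless of which banks a given sample targets.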
Up until now, most of the targeted financial organizations were from Peru. However, the latest version has been modified to include Bolivian banks as well. Experts say it’s easy for the cybercriminals to add other companies to the target list.
“It’s not very common to find malware developed in Latin America, or using .NET technology. However, in recent months we have seen that the benefits of rapid code development and framework usage are tempting enough to convince cybercriminals to adopt software development best practices,” experts noted.
For additional technical details, check out Kaspersky’s blog post.