Arbor Networks security researchers have recently noticed an emerging banking trojan, named ‘Matrix Banker’, which is currently attacking banks in Latin America. According to the malware experts, most of the trojan’s victims are located in Mexico and Peru. However, the malicious code still appears to be under development.
“Initially, we’ve called it ‘Matrix Banker’ based on its command and control (C2) login panel, but it seems that ‘Matrix Admin’ is a template available for the Bootstrap web framework. Proofpoint calls it ‘Win32/RediModiUpd’ based on a debugging string from an earlier sample,” Arbor Networks says.
The Matrix Banker initial loader gains persistence via a Registry Run key, then extracts and injects a DLL into the most popular web browsers: Internet Explorer, Firefox, Chrome, and Edge. Once injected into a browser, the main DLL hooks the browser’s functions and carries out a man-in-the-browser attack.
“Once the main DLL is injected in a browser, it starts by hooking the appropriate browser functions (e.g. PR_Read and PR_Write for Firefox) to setup a “man-in-the-browser” (MitB),” the report states. “It then phones home to its C2 server to get the webinject config. The request looks like this:”
After that, the Matrix Banker Trojan connects to the C&C server in order to get the webinject config.
What is interesting about Matrix Banker is that it is the first malware that encodes and encrypts the response from the C&C server with the so-called “Salsa20” crypto algorithm.
Salsa20 is an unpatented stream cipher developed by Daniel Bernstein; it was also used by the Petya ransomware to encrypt victims’ Master File Table.
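To show what an analyst is up against when the C2 response is wrapped in Salsa20, here is a compact Salsa20/20 implementation written from Bernstein’s specification. This is an added example, not code from the Arbor report or from the malware; the key, nonce and the JSON-like “webinject config” are constructed placeholders, since the page does not describe the real key handling or config format. It illustrates that the bytes on the wire carry no recognisable structure, while an analyst who recovers the key from a sample can decrypt the config.

```python
import struct

SIGMA = b"expand 32-byte k"  # Salsa20 constant for 32-byte keys
MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def quarterround(y0, y1, y2, y3):
    """The Salsa20 quarterround exactly as given in Bernstein's spec."""
    z1 = y1 ^ _rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ _rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ _rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ _rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3

COLUMNS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
ROWS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))

def salsa20_hash(block):
    """Salsa20/20 hash: 64-byte input -> 64-byte output (10 double rounds, then feed-forward)."""
    x = list(struct.unpack("<16I", block))
    s = list(x)
    for _ in range(10):
        for idx in COLUMNS + ROWS:  # columnround followed by rowround
            s[idx[0]], s[idx[1]], s[idx[2]], s[idx[3]] = quarterround(*(s[i] for i in idx))
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(s, x)))

def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt `data` with a 32-byte key and 8-byte nonce (block counter starts at 0)."""
    c = struct.unpack("<4I", SIGMA)
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    out = bytearray()
    for off in range(0, len(data), 64):
        ctr = off // 64
        state = struct.pack("<16I", c[0], *k[:4], c[1], *n, ctr & MASK, ctr >> 32, c[2], *k[4:], c[3])
        keystream = salsa20_hash(state)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], keystream))
    return bytes(out)

# Constructed sample values (not recovered from the malware): key, nonce, fake webinject config.
SAMPLE_KEY = bytes(range(32))
SAMPLE_NONCE = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SAMPLE_CONFIG = b'{"target":"*example-bank.test/login*","inject":"<div>...</div>"}'

def demo():
    """Return (ciphertext as seen on the wire, plaintext recovered with the key)."""
    wire = salsa20_xor(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_CONFIG)
    return wire, salsa20_xor(SAMPLE_KEY, SAMPLE_NONCE, wire)

if __name__ == "__main__":
    wire, recovered = demo()
    print("on the wire:", wire.hex())
    print("decrypted  :", recovered.decode())
```

Because a stream cipher is its own inverse, the same call both encrypts and decrypts; a network sensor without the key only sees high-entropy bytes of the same length as the config.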
“While functional, the webinject format looks to be under construction,” states the report. “Earlier samples use a different, simpler format and there is plenty of work to do to catch up with the industry standard Zeus webinjects.”
According to the security experts, the virus uses a complex but effective redirection to a phishing page, which is a perfect copy of the targeted bank’s login page.
The experts think that the long-term impact of the trojan cannot yet be predicted, but it is certain that Matrix Banker is being actively developed to attack financial institutions.