January 19, 2015 By Tal Darsan 6 min read

IBM Trusteer’s Threat and Intelligence Group recently uncovered a Delphi source code for a popular attack vector in the Brazilian cybercrime threat landscape: the fake browser. This malicious type of software mimics the look and feel of a legitimate browser to steal login credentials from unsuspecting banking customers and is used in Latin America and Brazil, in particular. IBM Trusteer’s analysis provides a detailed under-the-hood view of the mechanics of fake browsers and how they operate.

In the example below, the fake browser is being offered for sale on the Brazilian underground for 700 Brazilian real.

Figure 1: Underground post offering the fake browser.

The post reads, “SUP GUYS I WILL LEAVE HERE A KL BANKER WRITTEN IN DELPHI XE3, I HAVE KL PROXY FOR SALE 100% functional on my skype.”

The Infection Process

The victim is infected by a small downloader, typically when he or she opens an email or clicks on a link that contains malware. The downloader drops a larger payload, which installs the fake browser. When the user browses to a targeted banking website, the Trojan will invoke a fake browser that mimics a legitimate browser. The fake browser displays a pop-up dialog that asks the user for his or her bank’s login credentials. Meanwhile, the user is blocked from carrying out other activities on the operating system, such as minimizing, expanding, moving or even closing the fake browser window. Also, the fake browser does not let victims access other websites. The effects are similar to that of ransomware: Victims are prevented from leaving the fake browser and are forced to finish the fake login process.

After the fake login is completed, the victim’s credentials are sent to the cybercriminal’s command-and-control server or a predefined fraudulent email account. The credentials are later used to take over the victim’s account.

Figure 2: Delphi is used widely for malware development in Brazil.

Drill Down

The source code is highly customizable and offers the following settings:

  • The payload’s file name that will be written on the disk;
  • Fraudulent email account for collecting the victim’s computer information;
  • Fraudulent email account for collecting the victim’s banking credentials;
  • Web page title strings of the targeted entities.


Figure 3: Variables definition — payload name, drop emails, targeted entities.

Since the source code is available in the Brazilian underground community, the cybercriminals can easily customize a Trojan payload name, email accounts and the desired targets within the code itself (Figure 3). In comparison, malware authors in other territories operate by selling a builder application for the generated malware.

Figure 4 demonstrates the source code for the fake browser and exposes how the attack is executed:

Figure 4: Checking for the bank’s website in the title bar.

First, the malware obtains a Handle to the active windows using the GetForegroundWindow function. The malware then obtains the window title using GetWindowText. Finally, it compares the current window title with the list of variables containing targeted banks (Figure 3) with its own implementation of the function Comp. If the function’s result does not equal zero, it will enable the fake browser session.

Basically, the malware uses Delphi code functions to initiate the fake browser attack by a given title of an active window. In the example below, the window title would be “IBM — United States — Windows Internet Explorer.”

Figure 5: Example of the Internet Explorer window title.

This malware demonstrates the ability to overcome another protection used by some banking sites where the browser’s title is obfuscated with random characters. An example of an obfuscated window title can be seen in the HTML snippets below:


Figure 6: Online banking random title protection.

Keep It Real

Over the years, IBM has seen fake browser malware being used to target Brazilian banks. These fake browsers imitate authentic Web browsers using the Bsalsa project. These types of fake browsers typically implement browser functionalities and controls, as opposed to this variant, which doesn’t implement browser capabilities, only the graphical interface of a browser.

Vigilant victims may understand they are not using their own Web browser because it may look slightly different from their original Web browser. Likewise, they will be blocked from performing any activities on their operating systems, as previously mentioned.


Figure 7: The look and feel of the fake Web browser.

Interestingly, the malware authors added a fake padlock layout, an icon used by Web browsers when notifying users that a website is using an SSL certificate. This may even trick advanced users who are attempting to confirm the reliability of their fake session.

Figure 8: Fake padlock layout.

IBM Trusteer also noticed that the malicious code uses multiple validations of the fields that are targeted during the attack. The fact that nonworking or fake credentials fail the validation process may raise the credibility of the attack.

Figure 9 shows how the malicious code validates the user’s Cadastro de Pessoas Físicas (CPF), a unique number used in Brazil to identify a person for tax purposes. In the event the CPF is false, a message box will alert victims that their CPF number is invalid. After the validation process ends, the stolen data is relayed to the cybercriminal.

In this case, the malware was designed to forward the stolen data to a fraudulent email account.


Figure 9: The code behind the fake browser forms.

To ensure a successful account takeover, the fake browser requests additional information that may help the cybercriminal if he or she is faced with authentication challenges by the bank.

The fake browser may ask for two-factor authentication information, such as the following:

  • Three numbers present on the user’s debit card;
  • Alphabetic passcode for the automatic service;
  • Release passcode that is obtained by a variety of methods, such as Post Mail, SMS or ATM receipt.


Figure 10: Additional information is requested from the victim.

In another example of a fake browser, the malware utilizes social engineering as a means to fool the victim into giving up his or her credit card information. It does so by presenting a message to the user claiming the bank is updating its clients’ security cards and, therefore, requires its users to submit their credit card information in order to activate the “new security update.”

Figure 11: Credit card information form.

The information requested from the user includes a credit card number, expiration date, CVV, debit card password and credit card password.

Fake Browser Threat

IBM Trusteer can deduce from its research that in addition to using general malware to perform credentials theft, Brazilian fraud actors have found a niche in developing fraud schemes through social engineering. This puts online banking customers who lack security solutions at risk. IBM Trusteer researchers are closely monitoring this attack vector while providing appropriate protections against this type of financial malware and many others.

This article is also based on underground research conducted by IBM Trusteer fraud analyst Rachel Zilberberg.

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today