IBM Trusteer’s Threat and Intelligence Group recently uncovered a Delphi source code for a popular attack vector in the Brazilian cybercrime threat landscape: the fake browser. This malicious type of software mimics the look and feel of a legitimate browser to steal login credentials from unsuspecting banking customers and is used in Latin America and Brazil, in particular. IBM Trusteer’s analysis provides a detailed under-the-hood view of the mechanics of fake browsers and how they operate.

In the example below, the fake browser is being offered for sale on the Brazilian underground for 700 Brazilian real.

Figure 1: Underground post offering the fake browser.


The Infection Process

The victim is infected by a small downloader, typically when he or she opens an email or clicks on a link that contains malware. The downloader drops a larger payload, which installs the fake browser. When the user browses to a targeted banking website, the Trojan will invoke a fake browser that mimics a legitimate browser. The fake browser displays a pop-up dialog that asks the user for his or her bank’s login credentials. Meanwhile, the user is blocked from carrying out other activities on the operating system, such as minimizing, expanding, moving or even closing the fake browser window. Also, the fake browser does not let victims access other websites. The effects are similar to that of ransomware: Victims are prevented from leaving the fake browser and are forced to finish the fake login process.

After the fake login is completed, the victim’s credentials are sent to the cybercriminal’s command-and-control server or a predefined fraudulent email account. The credentials are later used to take over the victim’s account.

Figure 2: Delphi is used widely for malware development in Brazil.

Drill Down

The source code is highly customizable and offers the following settings:

  • The payload’s file name that will be written on the disk;
  • Fraudulent email account for collecting the victim’s computer information;
  • Fraudulent email account for collecting the victim’s banking credentials;
  • Web page title strings of the targeted entities.

Figure 3: Variables definition — payload name, drop emails, targeted entities.

Since the source code is available in the Brazilian underground community, the cybercriminals can easily customize a Trojan payload name, email accounts and the desired targets within the code itself (Figure 3). In comparison, malware authors in other territories operate by selling a builder application for the generated malware.

Figure 4 demonstrates the source code for the fake browser and exposes how the attack is executed:

Figure 4: Checking for the bank’s website in the title bar.

First, the malware obtains a Handle to the active windows using the GetForegroundWindow function. The malware then obtains the window title using GetWindowText. Finally, it compares the current window title with the list of variables containing targeted banks (Figure 3) with its own implementation of the function Comp. If the function’s result does not equal zero, it will enable the fake browser session.

Basically, the malware uses Delphi code functions to initiate the fake browser attack by a given title of an active window. In the example below, the window title would be “IBM — United States — Windows Internet Explorer.”

Figure 5: Example of the Internet Explorer window title.

This malware demonstrates the ability to overcome another protection used by some banking sites where the browser’s title is obfuscated with random characters. An example of an obfuscated window title can be seen in the HTML snippets below:

Figure 6: Online banking random title protection.

Keep It Real

Over the years, IBM has seen fake browser malware being used to target Brazilian banks. These fake browsers imitate authentic Web browsers using the Bsalsa project. These types of fake browsers typically implement browser functionalities and controls, as opposed to this variant, which doesn’t implement browser capabilities, only the graphical interface of a browser.

Vigilant victims may understand they are not using their own Web browser because it may look slightly different from their original Web browser. Likewise, they will be blocked from performing any activities on their operating systems, as previously mentioned.

Figure 7: The look and feel of the fake Web browser.

Interestingly, the malware authors added a fake padlock layout, an icon used by Web browsers when notifying users that a website is using an SSL certificate. This may even trick advanced users who are attempting to confirm the reliability of their fake session.

Figure 8: Fake padlock layout.

IBM Trusteer also noticed that the malicious code uses multiple validations of the fields that are targeted during the attack. The fact that nonworking or fake credentials fail the validation process may raise the credibility of the attack.

Figure 9 shows how the malicious code validates the user’s Cadastro de Pessoas Físicas (CPF), a unique number used in Brazil to identify a person for tax purposes. In the event the CPF is false, a message box will alert victims that their CPF number is invalid. After the validation process ends, the stolen data is relayed to the cybercriminal.

In this case, the malware was designed to forward the stolen data to a fraudulent email account.

Figure 9: The code behind the fake browser forms.

To ensure a successful account takeover, the fake browser requests additional information that may help the cybercriminal if he or she is faced with authentication challenges by the bank.

The fake browser may ask for two-factor authentication information, such as the following:

  • Three numbers present on the user’s debit card;
  • Alphabetic passcode for the automatic service;
  • Release passcode that is obtained by a variety of methods, such as Post Mail, SMS or ATM receipt.

Figure 10: Additional information is requested from the victim.

In another example of a fake browser, the malware utilizes social engineering as a means to fool the victim into giving up his or her credit card information. It does so by presenting a message to the user claiming the bank is updating its clients’ security cards and, therefore, requires its users to submit their credit card information in order to activate the “new security update.”

Figure 11: Credit card information form.

The information requested from the user includes a credit card number, expiration date, CVV, debit card password and credit card password.

Fake Browser Threat

IBM Trusteer can deduce from its research that in addition to using general malware to perform credentials theft, Brazilian fraud actors have found a niche in developing fraud schemes through social engineering. This puts online banking customers who lack security solutions at risk. IBM Trusteer researchers are closely monitoring this attack vector while providing appropriate protections against this type of financial malware and many others.

This article is also based on underground research conducted by IBM Trusteer fraud analyst Rachel Zilberberg.

More from Malware

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Ex-Conti and FIN7 Actors Collaborate with New Backdoor

15 min read -   April 27, 2023 Update This article is being republished with modifications from the original that was published on April 14, 2023, to change the name of the family of malware from Domino to Minodo. This is being done to avoid any possible confusion with the HCL Domino brand. The family of malware that is described in this article is unrelated to, does not impact, nor uses HCL Domino or any of its components in any way. The malware is…

15 min read

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

7 min read - In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

7 min read