IBM Trusteer’s Threat and Intelligence Group recently uncovered a Delphi source code for a popular attack vector in the Brazilian cybercrime threat landscape: the fake browser. This malicious type of software mimics the look and feel of a legitimate browser to steal login credentials from unsuspecting banking customers and is used in Latin America and Brazil, in particular. IBM Trusteer’s analysis provides a detailed under-the-hood view of the mechanics of fake browsers and how they operate.

In the example below, the fake browser is being offered for sale on the Brazilian underground for 700 Brazilian real.

Figure 1: Underground post offering the fake browser.


The Infection Process

The victim is infected by a small downloader, typically when he or she opens an email or clicks on a link that contains malware. The downloader drops a larger payload, which installs the fake browser. When the user browses to a targeted banking website, the Trojan will invoke a fake browser that mimics a legitimate browser. The fake browser displays a pop-up dialog that asks the user for his or her bank’s login credentials. Meanwhile, the user is blocked from carrying out other activities on the operating system, such as minimizing, expanding, moving or even closing the fake browser window. Also, the fake browser does not let victims access other websites. The effects are similar to that of ransomware: Victims are prevented from leaving the fake browser and are forced to finish the fake login process.

After the fake login is completed, the victim’s credentials are sent to the cybercriminal’s command-and-control server or a predefined fraudulent email account. The credentials are later used to take over the victim’s account.

Figure 2: Delphi is used widely for malware development in Brazil.

Drill Down

The source code is highly customizable and offers the following settings:

  • The payload’s file name that will be written on the disk;
  • Fraudulent email account for collecting the victim’s computer information;
  • Fraudulent email account for collecting the victim’s banking credentials;
  • Web page title strings of the targeted entities.

Figure 3: Variables definition — payload name, drop emails, targeted entities.

Since the source code is available in the Brazilian underground community, the cybercriminals can easily customize a Trojan payload name, email accounts and the desired targets within the code itself (Figure 3). In comparison, malware authors in other territories operate by selling a builder application for the generated malware.

Figure 4 demonstrates the source code for the fake browser and exposes how the attack is executed:

Figure 4: Checking for the bank’s website in the title bar.

First, the malware obtains a Handle to the active windows using the GetForegroundWindow function. The malware then obtains the window title using GetWindowText. Finally, it compares the current window title with the list of variables containing targeted banks (Figure 3) with its own implementation of the function Comp. If the function’s result does not equal zero, it will enable the fake browser session.

Basically, the malware uses Delphi code functions to initiate the fake browser attack by a given title of an active window. In the example below, the window title would be “IBM — United States — Windows Internet Explorer.”

Figure 5: Example of the Internet Explorer window title.

This malware demonstrates the ability to overcome another protection used by some banking sites where the browser’s title is obfuscated with random characters. An example of an obfuscated window title can be seen in the HTML snippets below:

Figure 6: Online banking random title protection.

Keep It Real

Over the years, IBM has seen fake browser malware being used to target Brazilian banks. These fake browsers imitate authentic Web browsers using the Bsalsa project. These types of fake browsers typically implement browser functionalities and controls, as opposed to this variant, which doesn’t implement browser capabilities, only the graphical interface of a browser.

Vigilant victims may understand they are not using their own Web browser because it may look slightly different from their original Web browser. Likewise, they will be blocked from performing any activities on their operating systems, as previously mentioned.

Figure 7: The look and feel of the fake Web browser.

Interestingly, the malware authors added a fake padlock layout, an icon used by Web browsers when notifying users that a website is using an SSL certificate. This may even trick advanced users who are attempting to confirm the reliability of their fake session.

Figure 8: Fake padlock layout.

IBM Trusteer also noticed that the malicious code uses multiple validations of the fields that are targeted during the attack. The fact that nonworking or fake credentials fail the validation process may raise the credibility of the attack.

Figure 9 shows how the malicious code validates the user’s Cadastro de Pessoas Físicas (CPF), a unique number used in Brazil to identify a person for tax purposes. In the event the CPF is false, a message box will alert victims that their CPF number is invalid. After the validation process ends, the stolen data is relayed to the cybercriminal.

In this case, the malware was designed to forward the stolen data to a fraudulent email account.

Figure 9: The code behind the fake browser forms.

To ensure a successful account takeover, the fake browser requests additional information that may help the cybercriminal if he or she is faced with authentication challenges by the bank.

The fake browser may ask for two-factor authentication information, such as the following:

  • Three numbers present on the user’s debit card;
  • Alphabetic passcode for the automatic service;
  • Release passcode that is obtained by a variety of methods, such as Post Mail, SMS or ATM receipt.

Figure 10: Additional information is requested from the victim.

In another example of a fake browser, the malware utilizes social engineering as a means to fool the victim into giving up his or her credit card information. It does so by presenting a message to the user claiming the bank is updating its clients’ security cards and, therefore, requires its users to submit their credit card information in order to activate the “new security update.”

Figure 11: Credit card information form.

The information requested from the user includes a credit card number, expiration date, CVV, debit card password and credit card password.

Fake Browser Threat

IBM Trusteer can deduce from its research that in addition to using general malware to perform credentials theft, Brazilian fraud actors have found a niche in developing fraud schemes through social engineering. This puts online banking customers who lack security solutions at risk. IBM Trusteer researchers are closely monitoring this attack vector while providing appropriate protections against this type of financial malware and many others.

This article is also based on underground research conducted by IBM Trusteer fraud analyst Rachel Zilberberg.

more from Malware

From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers

A comparative analysis performed by IBM Security X-Force uncovered evidence that suggests Bumblebee malware, which first appeared in the wild last year, was likely developed directly from source code associated with the Ramnit banking trojan. This newly discovered connection is particularly interesting as campaign activity has so far linked Bumblebee to affiliates of the threat group ITG23 (aka the Trickbot/Conti…

Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine

Following ongoing research our team, IBM Security X-Force has uncovered evidence indicating that the Russia-based cybercriminal syndicate "Trickbot group" has been systematically attacking Ukraine since the Russian invasion — an unprecedented shift as the group had not previously targeted Ukraine. Between mid-April and mid-June of 2022 the Trickbot group, tracked by X-Force as ITG23 and also known as Wizard Spider,…

World’s Largest Darknet Market Shut Down, $25 Million in Bitcoin Seized

On April 5, German authorities announced the takedown of the Hydra marketplace, the world’s largest darknet market trading in illicit drugs, cyberattack tools, forged documents and stolen data. The criminal operation, with about 17 million customer accounts, raked in billions in bitcoin before getting shut down. On its website, the Federal Criminal Police Office (BKA) stated it had secured and…