Overview
Recently we found a batch of Trojans disguised as online banking client upgrade assistants. There are dozens of them, such as the "CCB upgrade assistant", "Postal upgrade assistant", and "Ping An upgrade assistant". Their structure and content are basically the same, and they have been improved through several versions.
Analysis of Trojan Actions
1. Apply for administrator permissions to prevent uninstallation
After the user clicks this button, the Trojan first applies for administrator permissions so that the user cannot easily uninstall it.
The related code is as follows:
2. Send activation information to the control number
The Trojan sends an activation text message to the control number, indicating that the Trojan has been successfully activated.
The related code is as follows:
3. Defraud the user of the card number, password, and other information
The Trojan counterfeits the bank interface to defraud the user of private information.
The network packet capture analysis shows that the information entered by the user is uploaded to the server with the IP address 142.91.113.86.
Search for the IP Address: 142.91.113.86.
The validity of the entered information is verified.
After the control server receives the entered mobile phone number, it sends a text message instructing the controlled phone to send a text message with the content "88 #88" to 95533. The purpose is to bind the controlled mobile phone number to mobile banking.
13178216427 is the control number, which belongs to Fujian Quanzhou Unicom.
4. Listen for and forward the user's bank verification code
Once the hackers have obtained the user's account information, they control the Trojan to intercept the verification text messages that banks send to the user. This lets them steal funds from the user's bank card and causes huge property losses.
Currently, 360 Security Guard can detect and remove these Trojans.
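As an added example (not code from the original analysis), the four behaviours described above can be checked against a device event log. The event format, the package names and the 30-second forwarding window are assumptions, the log is constructed and the forwarding destination in it is illustrative; the IP address, the control number, 95533 and "88 #88" are the values quoted above.

```python
from dataclasses import dataclass
# Indicators quoted in the analysis above.
C2_IP, CONTROL_NUMBER = "142.91.113.86", "13178216427"
BANK_SHORTCODE, BIND_COMMAND = "95533", "88 #88"
FORWARD_WINDOW = 30  # seconds; assumed threshold, not from the analysis

@dataclass
class Event:
    ts: int         # seconds since start of capture
    app: str        # package name (constructed)
    kind: str       # "admin_request", "net", "sms_out" or "sms_in"
    peer: str = ""  # phone number or IP address
    body: str = ""  # SMS text

def findings(events):
    """Map each app to the behaviours from sections 1-4 that it exhibited."""
    hits, bank_sms = {}, []  # bank_sms: (ts, body) of SMS received from the bank
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "sms_in":
            if e.peer == BANK_SHORTCODE:
                bank_sms.append((e.ts, e.body))
            continue
        labels = hits.setdefault(e.app, set())
        if e.kind == "admin_request":
            labels.add("admin_request")
        elif e.kind == "net" and e.peer == C2_IP:
            labels.add("upload_to_server")
        elif e.kind == "sms_out":
            if e.peer == CONTROL_NUMBER:
                labels.add("sms_to_control_number")
            if e.peer == BANK_SHORTCODE and e.body.strip() == BIND_COMMAND:
                labels.add("bind_command")
            # Forwarding: a bank SMS body re-sent to another number soon after.
            if e.peer != BANK_SHORTCODE and any(b and b in e.body and
                    0 <= e.ts - t <= FORWARD_WINDOW for t, b in bank_sms):
                labels.add("forwards_bank_sms")
    return {app: labels for app, labels in hits.items() if labels}

SAMPLE = [  # constructed event log, not captured data
    Event(0, "com.example.upgrade", "admin_request"),
    Event(2, "com.example.upgrade", "sms_out", CONTROL_NUMBER, "activated"),
    Event(40, "com.example.upgrade", "net", C2_IP),
    Event(55, "com.example.upgrade", "sms_out", BANK_SHORTCODE, BIND_COMMAND),
    Event(90, "system", "sms_in", BANK_SHORTCODE, "verification code 000000"),
    Event(92, "com.example.upgrade", "sms_out", CONTROL_NUMBER, "verification code 000000"),
    Event(100, "com.example.chat", "sms_out", "10000000000", "hello"),
]
if __name__ == "__main__":
    print(findings(SAMPLE))
```

A request for administrator permissions on its own is not conclusive; the combination with the SMS and upload indicators is what matches the behaviour described here.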