Showing posts with label Jumcar. Show all posts

Friday, September 6, 2013

Blog: Jumcar. From Peru with a focus on Latin America [First part]

"Jumcar" is the name we have given to a family of malicious code developed in Latin America, particularly in Peru, which, according to our research, has been deploying attack maneuvers since March 2012.


After six months of research we can now detail the specific features of Jumcar. We will communicate these over the following days. Essentially the main purpose of the malware is stealing financial information from Latin American users who use the home-banking services of major banking companies. Of these, 90% are channeled in Peru through phishing strategies based on cloning the websites of six banks.


Some variants of the Jumcar family also target two banks in Chile, and another in Costa Rica.


Percentage of the phishing attacks by countries

We know that in Latin America the cyber-criminal culture is expanding at great speed. This is evidenced by some of the botnets managed through crimeware developed in the region, which also have the ability to generate customized malware. The botnets we have discovered over the past two years have this capability and we have warned about them at different times. These include vOlk-Botnet, UELP, Chimba-Botnet, AlbaBotnet and PiceBOT.


However, the Jumcar family of malware has completely different characteristics and very particular components compared to those previously mentioned. They share the same goal: to steal financial information; and a common initial infection strategy: email associated with a strong visual social engineering based on false messages.


From a technical perspective, for the moment all variations of this family of malware are developed in .NET, while the usual pattern around malware developed in Latin America (excluding Brazil) is developing malicious projects in VisualBasic.


Likewise, and contrary to the common pattern in Latin American malware of obfuscating part of the code through simple hexadecimal conversions, all the Jumcar variants use symmetric and asymmetric cryptographic algorithms to hide the functionality specified in the source code. For this, the malware uses the following classes: System.Security.Cryptography.TripleDES, System.Security.Cryptography.Aes and System.Security.Cryptography.RSA.


The images below highlight the difference in the malware obfuscation implemented in the most popular botnets in the region, compared to the obfuscation used by Jumcar:


Example of hexadecimal conversion in the configuration parameters of malicious code propagated through S.A.P.Z., vOlk-Botnet, PiceBOT and AlbaBotnet

Configuration parameters of the Jumcar malware encrypted with RSA

The patterns that distinguish this family of malware are:

Campaigns to spread and infect are always by email. The social engineering strategy is based on the Facebook image in the email message and in the name of the downloaded file (e.g. facebook.exe), and also on emails supposedly issued by Peruvian banks. The size of the variants does not exceed 44kB. The icons used also relate to Facebook in 80% of cases; the other 20% involve icons that hint at a mobile phone company, and one percent the native icon of the .NET and VB programming languages. That is, 8 out of 10 samples used a Facebook icon image.

Icons used in the different variants of Jumcar
Once the system is infected, the malware renames itself using names related to Microsoft Windows (e.g. Windows Defender.exe).
The dynamic parameters of the malware are encrypted with the AES, 3DES and RSA algorithms.
The first variants created a key in the Windows registry to run at startup, but the most recent ones do not; they are limited to a "ghost attack" through pharming. Unlike other malware, it does not load a malicious process: it deletes itself and only modifies the hosts file. This way there are no malicious files on the computer, but the user still falls victim to the phishing attack each time they visit the banking website, because of the hosts file modification.
The programming language used to create Jumcar is .NET, without packing.
The malware creates a folder and a specific file, in the same folder, with an XLSX or DOCX extension.
All the websites used for the campaigns are compromised through some vulnerability, and the attackers then use them to store the pharming file, a mass-mailer and a backdoor.
The main objective is the Peruvian community.
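One defensive check that follows from the pharming pattern described above, as an added example that is not code from the original post or from Kaspersky Lab: a small Python auditor that parses a Windows hosts file and flags every hostname redirected away from the local machine. The watch-list and the sample hosts content are constructed placeholders, not the real bank domains or addresses from the campaigns.

```python
import ipaddress
import re

# Constructed watch-list of sensitive hostnames (placeholders, not the
# real bank domains from the Jumcar campaigns).
WATCHLIST = {"banco-ejemplo.example", "www.banco-ejemplo.example"}

def is_local_target(ip):
    """Loopback, unspecified and link-local targets are normal hosts content."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an address at all: let the caller flag it
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local

def parse_hosts(text):
    """Return (ip, hostname) pairs, one per alias, skipping comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if line:
            fields = re.split(r"\s+", line)
            pairs.extend((fields[0], n.lower()) for n in fields[1:])
    return pairs

def find_pharming(text):
    """Return (severity, hostname, ip) for each entry that sends a name
    somewhere other than the local machine; watch-listed names are 'high'."""
    findings = []
    for ip, name in parse_hosts(text):
        if not is_local_target(ip):
            severity = "high" if name in WATCHLIST else "review"
            findings.append((severity, name, ip))
    return findings

# Constructed sample: stock entries plus lines of the kind Jumcar writes
# (a TEST-NET-2 address stands in for the attacker's clone server).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.banco-ejemplo.example banco-ejemplo.example
198.51.100.23   updates.example.net   # a second redirected name
"""

if __name__ == "__main__":
    for sev, name, ip in find_pharming(SAMPLE_HOSTS):
        print(f"[{sev}] {name} -> {ip}")
```

On a live Windows host the text would be read from %SystemRoot%\System32\drivers\etc\hosts; any "review" hit outside a known corporate override list deserves the same attention as a "high" one.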

The propagation campaigns are compatible with classical visual social engineering strategies that rely on sending fraudulent emails, using two different channels of attack:

A message purportedly issued by Facebook with the subject "Facebook Message" (or similar) and the logo of the social network, which directs traffic to a file called "Mensaje_Facebook_Privado.php" (or similar) containing the instructions needed to download the Jumcar variant.
A message supposedly issued by a major bank in Peru that directs traffic to a clone of the website of the bank in question. This is the classic phishing attack.

Malicious message delivered by email. It is one of the spread strategies used for Jumcar

All variants of Jumcar are hosted on previously compromised websites. In other words, the attacker does not register domain names as part of the strategy of propagation.


They also implant a phishing pack used to steal information from unsuspecting users. This includes a plain text file with the configuration for the hosts file on each of the victim machines, the mass-mailer used to send large volumes of deceptive emails, and a backdoor that allows the attacker to access and upload new variants of the malware.


Jumcar has had a high impact in recent months and has been geographically focused.


Peru and Chile are the countries with the highest rate of infection through Jumcar


We analyzed over 50 samples belonging to the Jumcar family. This allowed us to collect a large volume of data of interest that we will share in the coming days.


The different variants are detected by Kaspersky Lab as "Trojan.Win32.Jumcar" and "Trojan.MSIL.Jumcar".

Blog: Jumcar. Peruvian navy? Who could be behind it? [Third part]

We know that the family of malware called Trojan.MSIL.Jumcar and Trojan.Win32.Jumcar was developed in Peru with the primary aim of attacking Peruvian users. We also know that Chilean and Peruvian users have latterly been targeted as well. You can read more about this in our preliminary reports:

Jumcar. From Peru with focus on Latin America [First part]


Jumcar. Timeline, crypto, and specific functions [Second part]


During the initial investigation we saw a very striking series of strings from the source code of the first variants: "Armada Peruana". This is the Peruvian navy.


String "Armada Peruana" observed in decompilation of the Jumcar variant.

Initially we thought that it could be related to a hacktivist group or perhaps a government, but we discounted this possibility when we deepened our analysis and found no definitive, concrete proof to corroborate this first theory. The idea also didn't fit with the main objective of the malware: generating classic phishing attacks.


And as we proceeded with the analysis of other variants belonging to the three generations of Jumcar malware, we also considered that it could be a distraction strategy. However, it is clear that the military force in question has no connection to the malware and is not the malware writers' target.


And yet, there could still be a military connection from a psychological or social perspective, because other interesting strings in the second and third generations of Jumcar suggest a certain "fanaticism", "pride" or "interest" in the military. The internal names of some variants follow the pattern of using names related to the military, such as ArmadaPeruanaV2.0.exe, Defenza.exe, Defender.exe and Estela_Maris.exe.


The first three names are rather elusive. In the case of "Estela_Maris.exe", it very probably refers to the Virgin Stella Maris, also known as the Star of the Sea and "protector of sailors", who has therefore been adopted by almost all Latin American naval institutions.

Internal information of Jumcar's family variants that could refer to the military.

The following images show the build paths. They suggest that the malicious code may have been generated from a USB device, either to avoid leaving records on a machine or to allow the project to be handled from any computer. This pattern is maintained in nearly all variants.


Folder name "ArmadaPeruanaV2.0" in the build path of the malware.

Folder name "ArmadaPeruanaV2.1" in the build path of the malware.

According to our records, the string "ArmadaPeruanaV2.0" appears in a variant released in May 2012. It refers to a supposed second version, which means that there was probably a first, although we don't have any information on that variant. A month later, in June 2012, we found similar strings indicating version 2.1 of this project.

Theft of bank data

In each of the websites previously compromised by the cybercriminals, a set of utilities that facilitate the theft of banking data have been installed. Of these, the most relevant is the phishing pack which contains the settings that define how the stolen data is processed and where it is to be sent.


This information is stored in encrypted form in a text file called "Logsdb.txt". In this case the TXT file was encrypted with a complex password. The file is then emailed to the address listed in the settings.


Certain parameters define the attempt to steal card coordinates, limiting the number of coordinates to 36, with a maximum length of 2 (the coordinate is alphanumeric) and a maximum of two attempts to request this data, probably to verify the information. This configuration matches the real requirements of the bank targeted by the phishing strategy.

Configuration parameters in the phishing attacks
Who could be behind it?

Analysis of the phishing packs reveals multiple email addresses with the names mi.baulrlz, roshikameha and chupacuetexd. These are used to store the victims' data and information related to the stolen credit card numbers.


For the moment we can say that in about 90% of the samples we have seen a string that refers to the "Comunidad Jumper". This is a recent group whose first recorded activities date from within the last year and about which there is not much public information.


In September 2012 this group created a profile on Facebook and, as you can see from the next image, is inspired by a popular Latin American underground forum:

"Comunidad Jumper" on Facebook.
Conclusion

In general terms, the Latin American cybercrime scene continues to advance. In comparison with what already exists in the region, these new developments exhibit a certain level of complexity. While they don't yet resemble development techniques from Eastern Europe, they still constitute a serious threat to the finances of LatAm users.


Peru in particular has become, after Brazil, the biggest source of malware and crimeware development in South America. Peruvian cybercriminals also collaborate with Chilean malicious users, possibly because they share a border. The Jumcar family is proof of this.


Certainly in the future we will see Latin American communities engaged in the further development of malware for fraudulent purposes, or even for purposes specifically targeting the government and / or the military.

Blog: Jumcar. Timeline, crypto, and specific functions. [Second part]

Jumcar stands out from other malicious code developed in Latin America because of its particularly aggressive features. At the moment three generations of this malware family exist, which use symmetric algorithms in the first and second generation and an asymmetric algorithm in the third. In this manner the configuration parameters are hidden, with the complexity of the variants progressively increasing.


In the first generation, data is encrypted with AES (Advanced Encryption Standard). We estimate that the first variant was released in March 2012, and that other pieces of malware with similar characteristics were being developed until August of the same year. That is to say, over a six-month period.


In this first stage, 75% of the phishing campaigns targeted Peruvian consumers who use home-banking services. The remaining 25% targeted users in Chile.


The following diagram shows multiple instances used by the second generation of Jumcar:

Some .NET instances used by a variant of the first generation of Jumcar

A month later, in September 2012, the second generation of Jumcar began to spread, exchanging the AES encryption algorithm for TripleDES. The propagation cycle of this generation lasted until March 2013, a period of time similar to the first generation: seven months.


Unlike the first stage, the second was aimed exclusively at users in Peru (100%). The first two generations, encrypted with AES and TripleDES respectively, share a common factor: they both employ symmetric encryption algorithms.


In tandem with the second generation, in September 2012 the third generation began to circulate, using the RSA (asymmetric) encryption algorithm. This may be because RSA, as an asymmetric algorithm, is more secure, and the malware developers are looking to create more robust variants. This latest generation is "in the wild".


Now, the phishing attacks haven't forgotten users in Peru, with 86% of campaigns directly targeting users in this country. Chile was dropped from the attackers' plans, and they subsequently modified their strategy to include users of a major bank in Costa Rica, which represents 14% of the campaigns.


The following image shows the strings encrypted with AES that obfuscate some Jumcar configuration parameters in the first generation:


Strings encrypted with AES

By decrypting the code you can read something like this:

Decrypting AES encrypted strings

This behavior is replicated, with similar features, in all variants of the malware, showing four blocks that describe specific configuration actions for the Jumcar variants.


The first block describes the files that are copied, and where in the system they are copied to, following a successful infection. The second block configures the compromised websites from which to download the information to be written to the hosts file. The third relates to the handling of specific policies in the registry: disabling UAC (User Account Control) and trying to escalate privileges on the system. Finally, the malware adds a registry key to ensure that the malicious process loads each time the system is turned on or rebooted.


Of these specific functionalities, we can highlight two lines in the first block: Documento1.docx and calc1.xlsx.


In the first generation, the variants create a folder called "My Documents" on the root of drive "C:" to which they copy a file called "Documento1.docx". This contains a copy of the modified hosts file information. The following image shows this action:


DOCX file created by Jumcar to contain the hosts file configuration

This continued until mid-March 2013 (third generation), when, through a slight modification, the name of the created folder changed to "My Pictures".

Jumcar instructions for creating and manipulating files and folders

Jumcar shares other features with malware in general and Latin American malware in particular. However, the features we highlighted in the previous blog post, along with those described here, suggest that the distinguishing aspects of this malware family are likely to be replicated in other regional developments.


Remember that the entire family of malware is identified by Kaspersky Lab as Trojan.MSIL.Jumcar and Trojan.Win32.Jumcar. So we strongly recommend that you update your Kaspersky Lab products, especially customers in Latin America, as this part of the world is the direct target of those behind this development. However, as it also represents a potential threat to users in other regions because of possible collateral consequences, it's always a good idea for everyone to keep their antivirus programs up to date.
