
Matrix Banking Trojan Takes the Red Pill, Targets Mexico and Peru Financial Institutions

Posted: June 10, 2017

There's a new banking malware out in the wild. Proofpoint researchers call it RediModiUpd, while experts from Arbor Networks have picked a much easier name to pronounce: Matrix. At the moment it targets customers of financial institutions in Mexico and Peru, which might tempt readers elsewhere to ignore the threat. That isn't a good idea.

Although it is fully functional, and although victims are already being directed to it (most likely by malicious links), Matrix is still under development. At this point the experts can't say how big it will become once the threat actors are done with it, and there are no statistics on the damage it has caused. The researchers were able to analyze a couple of samples, though, and they describe what Matrix does once it lands on a victim's computer.

A dedicated loader handles the first stage of the infection. Once it runs, it creates a mutex (so that only one instance runs) and modifies the registry to persist across reboots; the specific mutex name and registry key are not given here. It then extracts main_32.dll and main_64.dll from its resources, picks the library matching the system architecture (x86 or x64), and injects it into the victim's browser process.
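A loader that carries one payload per architecture is a common pattern, and the first triage question is usually which images are embedded and for which CPU. The script below is an added example, not code from the original article or from the Proofpoint and Arbor analyses: it carves embedded PE images out of a file by locating MZ headers, following e_lfanew to the PE signature and reading the COFF Machine field (0x014C for x86, 0x8664 for x64) and the DLL flag. The sample "loader" it scans is constructed inline from two minimal PE stubs standing in for main_32.dll and main_64.dll; the real loader's resource layout is not described on the page.

```python
import struct

# COFF Machine values and Characteristics bits from the PE specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def find_embedded_pe(blob):
    """Return [(offset, arch, is_dll), ...] for every PE image found inside blob.

    A candidate is accepted only if the 4-byte e_lfanew at DOS-header offset 0x3C
    points at a "PE\\0\\0" signature that fits inside the buffer; bare "MZ" bytes
    in code or data are rejected by that check.
    """
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):  # need the whole 64-byte DOS header
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Signature (4) + COFF file header (20) must fit; e_lfanew of a real
            # image is small, so cap it to avoid chasing garbage far away.
            if (0x40 <= e_lfanew < 0x1000 and pe_off + 24 <= len(blob)
                    and blob[pe_off:pe_off + 4] == b"PE\0\0"):
                # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
                machine, _, _, _, _, _, characteristics = struct.unpack_from(
                    "<HHIIIHH", blob, pe_off + 4)
                arch = MACHINE_NAMES.get(machine, "0x%04x" % machine)
                found.append((pos, arch, bool(characteristics & IMAGE_FILE_DLL)))
        pos = blob.find(b"MZ", pos + 1)
    return found


def make_pe_stub(machine, is_dll):
    """Build the smallest byte string the carver recognises as a PE image (test data only)."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # e_lfanew: PE header follows immediately
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos_header) + b"PE\0\0" + coff


# Constructed stand-in for the loader: 28 bytes of "code", the x86 DLL at offset 28,
# 12 bytes of padding, the x64 DLL at offset 128, then a stray "MZ" with nothing behind it.
SAMPLE_LOADER = (
    b"LOADER\x00" * 4
    + make_pe_stub(IMAGE_FILE_MACHINE_I386, True)    # stands in for main_32.dll
    + b"\xCC" * 12
    + make_pe_stub(IMAGE_FILE_MACHINE_AMD64, True)   # stands in for main_64.dll
    + b"\x00\x00MZ" + b"\x00" * 8
)


if __name__ == "__main__":
    for offset, arch, is_dll in find_embedded_pe(SAMPLE_LOADER):
        print("embedded %s at 0x%x (%s)" % ("DLL" if is_dll else "EXE", offset, arch))
```

Run it against a real loader by replacing SAMPLE_LOADER with the file contents; a hit whose arch matches neither x86 nor x64 is printed as the raw Machine value so it is not silently mislabelled.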

The DLL hooks a handful of the browser's functions, which gives it a man-in-the-browser position: it sees page content and form data inside the browser, after TLS has been stripped, so HTTPS offers the victim no protection. Matrix then contacts the command-and-control (C&C) server and downloads the all-important webinject configuration files. Every C&C response is hex-encoded and Salsa20-encrypted, and unscrambling it takes only a simple Python script. The experts examined the webinjects carefully and concluded that they are most likely still in development, although they do work.
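The decoding step is easy to reproduce. The script below is an added example, not the researchers' own Python script: it assumes an order the page does not state (Salsa20-encrypt, then hex-encode) and uses a made-up key, nonce and webinject config, all labelled as such in the code. The Salsa20 core is a plain implementation of the published algorithm (20 rounds, 256-bit key, 8-byte nonce, 64-bit block counter) so that the script runs without third-party packages. After decrypting, it pulls the hostnames out of the config and defangs them the way the article writes linea[dot]com.

```python
import binascii
import re
import struct

# Salsa20 constants for a 256-bit key ("expand 32-byte k"), as in the published spec.
SIGMA = struct.unpack("<4I", b"expand 32-byte k")


def _rotl(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))


def _quarterround(y0, y1, y2, y3):
    y1 ^= _rotl((y0 + y3) & 0xFFFFFFFF, 7)
    y2 ^= _rotl((y1 + y0) & 0xFFFFFFFF, 9)
    y3 ^= _rotl((y2 + y1) & 0xFFFFFFFF, 13)
    y0 ^= _rotl((y3 + y2) & 0xFFFFFFFF, 18)
    return y0, y1, y2, y3


def _salsa20_block(key, nonce, counter):
    """One 64-byte keystream block for a 32-byte key, 8-byte nonce and block counter."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    x = [SIGMA[0], k[0], k[1], k[2], k[3],
         SIGMA[1], n[0], n[1], counter & 0xFFFFFFFF, (counter >> 32) & 0xFFFFFFFF,
         SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]
    z = list(x)
    for _ in range(10):  # 10 double rounds = Salsa20/20
        z[0], z[4], z[8], z[12] = _quarterround(z[0], z[4], z[8], z[12])      # column round
        z[5], z[9], z[13], z[1] = _quarterround(z[5], z[9], z[13], z[1])
        z[10], z[14], z[2], z[6] = _quarterround(z[10], z[14], z[2], z[6])
        z[15], z[3], z[7], z[11] = _quarterround(z[15], z[3], z[7], z[11])
        z[0], z[1], z[2], z[3] = _quarterround(z[0], z[1], z[2], z[3])        # row round
        z[5], z[6], z[7], z[4] = _quarterround(z[5], z[6], z[7], z[4])
        z[10], z[11], z[8], z[9] = _quarterround(z[10], z[11], z[8], z[9])
        z[15], z[12], z[13], z[14] = _quarterround(z[15], z[12], z[13], z[14])
    return struct.pack("<16I", *[(a + b) & 0xFFFFFFFF for a, b in zip(x, z)])


def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt (the same operation) by XORing data with the keystream."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("Salsa20 needs a 32-byte key and an 8-byte nonce")
    out = bytearray()
    for block_no in range((len(data) + 63) // 64):
        keystream = _salsa20_block(key, nonce, block_no)
        chunk = data[block_no * 64:(block_no + 1) * 64]
        out.extend(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


def decode_c2_response(hex_text, key, nonce):
    """Undo the transport encoding: drop whitespace, hex-decode, then Salsa20-decrypt."""
    raw = binascii.unhexlify("".join(hex_text.split()))
    return salsa20_xor(key, nonce, raw)


def encode_c2_response(plaintext, key, nonce):
    """The server side of the same scheme (assumed order: encrypt, then hex); builds test data."""
    return binascii.hexlify(salsa20_xor(key, nonce, plaintext)).decode("ascii")


_URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def defanged_hosts(config):
    """Hostnames referenced by a decrypted webinject config, defanged for a report."""
    return sorted({m.decode("ascii").replace(".", "[dot]") for m in _URL_RE.findall(config)})


# Constructed inputs: the real key, nonce and config format are not given on the page.
KEY = bytes(range(32))   # hypothetical 256-bit key
NONCE = b"matrix17"      # hypothetical 8-byte nonce
SAMPLE_CONFIG = (
    b"set_url https://online.example-bank.test/login GP\n"
    b"data_inject\n"
    b"<script>location.replace('https://linea.com/login');</script>\n"
    b"data_end\n"
)
HEX_SAMPLE = encode_c2_response(SAMPLE_CONFIG, KEY, NONCE)  # stands in for a captured C&C reply


if __name__ == "__main__":
    print(decode_c2_response(HEX_SAMPLE, KEY, NONCE).decode())
    print(defanged_hosts(SAMPLE_CONFIG))
```

Because Salsa20 is a stream cipher, encoding and decoding are the same XOR, so one routine serves to rebuild a captured response for testing. The real key and nonce have to be recovered from the injected DLL (for instance from the arguments handed to its decryption routine), and a wrong key yields garbage rather than an error, so check the output for the expected structure before trusting it.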

The injected HTML and JavaScript detect when the victim navigates to the website of one of the targeted financial institutions and automatically redirect them to phishing pages hosted on linea[dot]com. Not surprisingly, the fake pages look exactly like the banks' login forms. Because the victim is sent to a different host rather than having the bank's own page altered in place, the phishing domain is what appears in the address bar, which is one of the few cues a user could notice.

There's nothing too groundbreaking about the new Matrix Trojan. The trouble is, a malware family's success isn't always decided by how sophisticated its features are, which means that the threat should not be underestimated.
