Phishing website of the gusanito.com portal

A user notified UNAM-CERT about an email that contained an allegedly malicious attachment and, in the body of the message, an IP address that redirected to a malicious portal impersonating the popular e-card website gusanito.com. Sites of this kind are known as phishing sites; their purpose is to deceive users into believing they are browsing a legitimate website.

The malicious file was propagated under the name “ver_postal_amistad.exe”, packed in a “.zip” archive.

When clicked, the link redirected the user to a malicious site impersonating the well-known e-card service gusanito.com. As soon as the page was displayed in the browser, it automatically attempted to download malware hosted on the site.

Only the main page of the phishing site the user is redirected to is active: when we tried to open any other option by selecting a tab from its menu, the server returned a 404 (page not found) error.

When the sample was executed in our laboratory, it started a process with the same name as the “.exe” file.

It also started a second process named “76393F7D8F9.exe”. After a few seconds both processes terminated, and the malicious file deleted itself from the location it had been executed from in order to hide its trace. In our case it was executed from the path:

C:\Documents and Settings\User\Desktop\ver_postal_amistad.exe.

The malicious activity the sample carries out in the Windows registry focuses mainly on changing the security settings of the Internet Explorer browser: it deactivates the Anti-Phishing filter used to detect fake sites when the user visits them, and it also deactivates the option that deletes the browsing history when the browser closes, so that saved passwords and data entered in forms are retained.

The PhishingFilter option in Internet Explorer uses three methods to protect users from being scammed. First, it compares the addresses of visited websites against Microsoft’s list of legitimate websites. Second, it analyzes visited websites to check whether they show characteristics common to phishing websites. Third, with the user’s approval, it sends some addresses of visited websites to Microsoft so that new phishing sites can be detected and the list kept up to date. As a result, if a website visited by the user is on the list of reported phishing websites, the browser displays a red alert; if it is not on the list but has suspicious characteristics, the browser’s address bar warns that the site may be malicious.
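As an added example (not part of the UNAM-CERT report), a small Python audit that reads a `reg export` of the Internet Explorer settings and flags the two kinds of change described above: phishing filter switched off and browsing history no longer cleared on exit. The key paths and value names (`PhishingFilter\Enabled`, `PhishingFilter\EnabledV8`, `Privacy\ClearBrowsingHistoryOnExit`) are assumed from IE7/IE8 documentation and should be confirmed for the version in use; the sample export is constructed.

```python
"""Audit a 'reg export' of Internet Explorer settings for the changes
this sample makes: phishing filter off, history not cleared on exit."""
import re

IE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"

# Assumed locations (IE7/IE8 era value names; confirm for your IE version).
# (key, value name) -> (dword value that means "weakened", description)
WEAK_SETTINGS = {
    (IE + r"\PhishingFilter", "Enabled"): (0, "Phishing Filter disabled (IE7)"),
    (IE + r"\PhishingFilter", "EnabledV8"): (0, "SmartScreen Filter disabled (IE8)"),
    (IE + r"\Privacy", "ClearBrowsingHistoryOnExit"): (0, "history/form data/passwords kept on exit"),
}

# Constructed sample export showing the state the sample leaves behind.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000
"EnabledV8"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
"ClearBrowsingHistoryOnExit"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')

def parse_reg(text):
    """Return {(key, value_name): int} for every DWORD in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)                      # new [KEY] section
        elif key and (m := DWORD_RE.match(line)):
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values

def audit(text):
    """List (value name, description) for each weakened setting found.
    An absent value is not reported: the default (protection on) applies."""
    values = parse_reg(text)
    return [(loc[1], why) for loc, (weak, why) in WEAK_SETTINGS.items()
            if values.get(loc) == weak]
```

Run `audit(SAMPLE_REG)` against a real export taken with `reg export "HKCU\Software\Microsoft\Internet Explorer" ie.reg` to compare a suspect machine with a known-good baseline.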

Immediately after the malware process terminates, the “Work offline” dialog appears; if the dialog is closed with the [x] icon in the top left corner, or the “Work offline” button is clicked, it appears again. If the “Try again” button is clicked, the captured network traffic shows that it tries to resolve several domains.

Some of the domains that the malware tries to resolve are listed below:

We built a proof of concept (PoC) in which the hosts file of the infected computer was modified so that, whenever the malware tried to resolve a domain, it was redirected to another computer on the same local network running a web service, since the connection attempts were all to port 80.

The infected machine then establishes connections to that host. The network activity consists of sending a synchronization (SYN) request to the target domain, waiting for the acknowledgement that the synchronization succeeded, establishing the connection, terminating it, and moving on to the next site in the list.

When the sample was allowed to interact with the Internet, its behaviour remained the same: it established a connection to a website and disconnected, and if a site was not active the connection was not established and a different site was contacted. This generated load on the victim’s network, slowing the connection down as the malicious process consumed bandwidth.
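The connect-disconnect-next-site pattern described in the two paragraphs above is easy to spot in connection logs. As an added example (not from the original report), this Python detector reads a constructed connection log and flags any source that opens many short-lived port-80 connections to distinct servers within a short window; the log format and thresholds are assumptions to adapt to your own sensor.

```python
"""Flag hosts that sweep many web servers with short-lived port-80 connections."""
from collections import defaultdict

# Constructed sample connection log (not from the original report):
# timestamp(s) src_ip dst_ip dst_port duration(s) bytes_sent
SAMPLE_LOG = """\
1000.0 192.168.1.10 203.0.113.5 80 0.1 0
1001.5 192.168.1.10 203.0.113.9 80 0.1 0
1002.9 192.168.1.10 198.51.100.7 80 0.2 0
1004.2 192.168.1.10 198.51.100.8 80 0.1 0
1005.6 192.168.1.10 192.0.2.15 80 0.1 0
1007.0 192.168.1.10 192.0.2.16 80 0.1 0
1000.3 192.168.1.20 203.0.113.5 80 45.0 2300
1050.0 192.168.1.20 203.0.113.5 443 60.0 8100
"""

def parse_log(text):
    """Parse whitespace-separated records into typed tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, dur, sent = line.split()
        rows.append((float(ts), src, dst, int(port), float(dur), int(sent)))
    return rows

def find_sweepers(rows, window=60.0, min_hosts=5, max_duration=2.0):
    """Return {src: distinct_hosts} for every source that contacted at least
    `min_hosts` distinct servers on port 80 within any `window`-second span,
    each connection lasting no more than `max_duration` seconds (i.e. the
    SYN / SYN-ACK / connect / close / next-site loop the sample performs)."""
    per_src = defaultdict(list)
    for ts, src, dst, port, dur, _ in rows:
        if port == 80 and dur <= max_duration:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):        # sliding window from each event
            hosts = {d for t, d in events[i:] if t - t0 <= window}
            best = max(best, len(hosts))
        if best >= min_hosts:
            flagged[src] = best
    return flagged
```

Normal browsing (192.168.1.20 in the sample) keeps connections open for seconds and moves data, so it falls outside the duration filter and is not reported.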

When the malware was checked on the VirusTotal website, only 10 of 42 antivirus engines detected it as malicious. The report is shown below.

Our recommendation to all users is to check the configuration of all their browsers periodically, to rule out changes that could leave them unprotected or redirect them to phishing sites through a proxy configuration.

It is also advisable to configure the browsers to delete history, form data and passwords when the browser is closed. Distrusting email attachments, even those that appear to come from a trusted source, can help avoid malware infections and stop threats from propagating across the network. It is important to ask the sender about the content of the file, because we could be spreading malware without even knowing it.

Finally, it is advisable to keep the antivirus updated and to pay attention while browsing the Internet to avoid becoming a victim of phishing fraud.