Peru, Colombia and Venezuela are the most affected by ...

February 19, 2014

Thinking about cybercriminals who attack famous people, athletes or entire companies can lead us to paranoia: the feeling that at any moment we could be the victim of an attack, and concern for those around us. There are threats capable of recording what we say, filming us through the webcam and seeing which sites we visit, when, and with which browser. This is a reality, but it is far from being an epidemic.

The ESET Laboratory detected one that has spread only through Latin America. It is a variant of Python/Agent.A, malicious code with several functions: invading the user's privacy, accessing their information, and even watching and listening to what is happening around the system. According to ESET Live Grid statistics, the analyzed variant of this particular malicious code was seen in Peru (66%), Colombia (22%) and Venezuela (12%), while other versions of the same family were seen in Ecuador and Nicaragua.

The Python/Agent.A variant was reported to the ESET lab under the name Javafds.exe. Analysis of its behavior showed that it poses as part of a Java update but actually collects user information, and much more.

What appeared to be an application update is a self-extracting archive. Once the user is tricked into double-clicking it, it creates a folder under the system's temporary files (%TEMP%\RarSFX0), runs the threat's installation routines and starts executing.

Once executed, the threat attempts to record with the camera, activate the microphone and capture the user's screen. This file is read by the different threat modules, but nothing happens until the files have been decompressed and Javafds.exe tries to execute javaTM.exe through a call to the function.

The second process launched on the system is in charge of configuring the threat. It creates the folders in which the information is saved, generates an entry so that it runs at each system startup, and hides the files. In addition, a scheduled task is created so that the operating system itself, once an hour, re-runs one of the main modules (javaH.exe), which in turn launches the java.exe process. The process running under the name java.exe is the core of this threat. Its functions include contacting the C&C to receive orders, running the video, camera and audio capture modules, recording user activity in the Log.htm file, downloading new modules and functionality, and gathering a list of system information, files on disk and network settings.
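As an added triage example (not part of the ESET article), the following PowerShell script hunts a Windows host for the persistence pattern described above: a scheduled task repeating hourly that runs a java-named binary from outside the Java install directories, Run-key entries doing the same, and the leftover %TEMP%\RarSFX0 extraction folder. The "known good" Java directories under Program Files and the java*.exe name pattern are assumptions for this check.

```powershell
# Added defender-side triage script (not the article's or ESET's code).
# Assumption: legitimate java*.exe binaries live under these directories.
$knownJavaDirs = @("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java")

function Test-OutsideJavaDir {
    param([string]$Path)
    $p = $Path.TrimStart('"')           # tolerate quoted Run-key values
    foreach ($dir in $knownJavaDirs) {
        if ($p -like "$dir\*") { return $false }
    }
    return $true
}

# 1. Scheduled tasks whose action runs java*.exe from a non-Java location;
#    an hourly repetition (ISO 8601 "PT1H") matches the behaviour described.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = [Environment]::ExpandEnvironmentVariables("$($action.Execute)")
        if ($exe -match 'java[A-Za-z]*\.exe$' -and (Test-OutsideJavaDir $exe)) {
            $hourly = $task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT1H' }
            [PSCustomObject]@{ Source = 'ScheduledTask'; Name = $task.TaskName
                               Path = $exe; Hourly = [bool]$hourly }
        }
    }
}

# 2. Per-user and machine Run keys pointing at java-named binaries elsewhere.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $value = [string]$prop.Value
        if ($value -match 'java[A-Za-z]*\.exe' -and (Test-OutsideJavaDir $value)) {
            [PSCustomObject]@{ Source = "RunKey:$key"; Name = $prop.Name
                               Path = $value; Hourly = $false }
        }
    }
}

# 3. Leftover self-extractor directory; -Force also lists hidden files.
$sfx = Join-Path $env:TEMP 'RarSFX0'
if (Test-Path $sfx) {
    Get-ChildItem -Path $sfx -Force -Recurse -File |
        Select-Object FullName, Attributes, Length, LastWriteTime
}
```

Run it in an elevated session so that HKLM and all users' tasks are readable; any hit is a lead for further review, not a verdict on its own.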

Once this process starts running, the threat is 100% active and can collect all the information on the system without the user noticing. Everything the user types on the sites they visit, the programs they open and any other data are recorded in this log, making it possible for the cybercriminal to steal the usernames and passwords for each service visited. In addition, within the threat's directory, in the "Encryp" folder, there are three files. The first and last are two SQLite databases that hold the information, and the middle file contains system information.

Among the stored information are the tables, and in particular one that stores any credit card information the user enters. The other file keeps a record of the URLs, which works together with this database to reconstruct the actions the user performs. The site to which the information is sent is hosted in Colombia; it was blocked by ESET solutions to protect users and is currently taken down to deactivate the threat, as a proactive measure for the rest of the users.

Finally, when the time is right, the cybercriminal will be able to retrieve all the information over an encrypted channel, preventing the user from realizing that they are being spied on and their information stolen. Faced with this kind of situation we must not despair: these threats exist, but by following good security practices the chances of exposing ourselves to this type of risk decrease considerably. In addition, proactive security solutions such as ESET's detect these threats and prevent them from reaching our data.