IBM Uncovers UnregStealer Banking Trojan Targeting Latin American Banks

IBM uncovered a banking trojan known as UnregStealer that is targeting Latin American banks while disguising itself as a Chrome browser extension. Senior threat researcher Itzhak Chimino reported that the malware deceives users into installing it by presenting fake security warnings about mandatory SSL certificate updates. The trojan operates with manual human oversight, making it nearly invisible to sandboxes and behavioral detection systems that never see the payload activate. This operational method allows UnregStealer to steal session cookies, passwords, one-time passwords, and account numbers from victims visiting targeted banking portals.

UnregStealer Disguises as SSL Certificate Update

According to Chimino, UnregStealer tricks users through fabricated security warnings. Based on the executable naming convention and delivery pattern, victims are presented with what appears to be a security warning informing them that their browser requires a mandatory SSL certificate update. The certificate is entirely fabricated, and no such browser requirement exists. It is simply a convincing cover story to get the victim to run an executable.

Malware Captures Banking Credentials Through Session Monitoring

When a user is browsing the internet, the malware runs a script that checks whether the victim is visiting one of the websites listed among the targeted banking portals. If so, the malware steals session cookies for the banking website the victim is visiting. Each time a field is clicked and information is entered, the malware captures privileged information such as passwords, one-time passwords, and account numbers.
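The defensive counterpart to the behaviour described above is an inventory of installed Chrome extensions that flags the combination an extension needs in order to read banking sessions: the `cookies` API permission together with host access to either every site or specifically to the portals you care about, plus content scripts scoped to those portals. The audit script below is an added example, not code from IBM's report or from the page; the sample manifests, the `examplebank.test` domain and the extension directory path are constructed for the example (real Chrome profiles keep extensions under `Default/Extensions` in the profile directory, which you pass in yourself).

```python
import json
from pathlib import Path

# API permissions that give an extension reach into authenticated sessions or page
# content. On their own they are not proof of malice; many legitimate extensions
# need one or two of them, which is why the findings below combine them with host scope.
SENSITIVE_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "scripting", "tabs"}

# Match patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _host_patterns(manifest):
    """Collect every host match pattern a manifest asks for: Manifest V2 host entries
    mixed into 'permissions', Manifest V3 'host_permissions', and each content
    script's 'matches' list."""
    patterns = set()
    for entry in manifest.get("permissions", []):
        if "://" in entry or entry == "<all_urls>":
            patterns.add(entry)
    patterns.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def audit_manifest(manifest, watched_domains):
    """Return human-readable findings for one parsed manifest.json.

    watched_domains: the banking portals (or any sites) whose sessions you want to protect.
    """
    findings = []
    perms = set(manifest.get("permissions", []))
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if sensitive:
        findings.append(f"sensitive API permissions: {', '.join(sensitive)}")

    patterns = _host_patterns(manifest)
    broad = bool(patterns & BROAD_HOST_PATTERNS)
    if broad:
        findings.append("host access to all URLs")

    # A content script or host permission that names one of the watched portals.
    hits = sorted({d for d in watched_domains for p in patterns if d in p})
    if hits:
        findings.append(f"content script or host access scoped to watched domains: {', '.join(hits)}")

    # The cookies API only yields cookies for hosts the extension also has access to,
    # so the dangerous case is 'cookies' combined with broad or watched-site host scope.
    if "cookies" in perms and (broad or hits):
        findings.append("HIGH: cookies permission combined with reach into watched or all sites")
    return findings


def audit_manifests(named_manifests, watched_domains):
    """Audit an iterable of (label, manifest_dict) pairs; return {label: findings}
    for every manifest that produced at least one finding."""
    report = {}
    for label, manifest in named_manifests:
        findings = audit_manifest(manifest, watched_domains)
        if findings:
            report[label] = findings
    return report


def audit_extension_tree(root, watched_domains):
    """Walk a Chrome extensions directory (assumed path supplied by the caller) and
    audit every manifest.json found; unreadable files are skipped."""
    manifests = []
    for path in Path(root).rglob("manifest.json"):
        try:
            manifests.append((str(path), json.loads(path.read_text(encoding="utf-8"))))
        except (OSError, ValueError):
            continue
    return audit_manifests(manifests, watched_domains)


# Constructed sample manifests standing in for two installed extensions.
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Word Count",
    "permissions": ["storage"],
    "action": {"default_popup": "popup.html"},
}
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "SSL Certificate Updater",  # constructed name echoing the lure described in the article
    "permissions": ["cookies", "scripting", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*.examplebank.test/*"], "js": ["inject.js"]}],
}
WATCHED_DOMAINS = ["examplebank.test"]

if __name__ == "__main__":
    report = audit_manifests(
        [("word-count", BENIGN_MANIFEST), ("ssl-updater", SUSPICIOUS_MANIFEST)], WATCHED_DOMAINS
    )
    for label, findings in report.items():
        print(label)
        for finding in findings:
            print("  -", finding)
```

Run against a real profile with `audit_extension_tree("<path to Chrome profile>/Default/Extensions", ["yourbank.example"])`; anything reported as HIGH deserves a look at the extension's background and content scripts, and a benign manifest such as the word-count sample produces no findings at all.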

Manual Operation Enables Detection System Evasion

Chimino explained that this trojan involves a real operator who watches each victim session live and pulls the trigger manually. This manual approach makes the campaign nearly invisible to sandboxes and behavioral detection systems that never see the payload activate. Once the information is captured, UnregStealer's next course of action is determined by its human operator.

IBM Identifies Potential for Expanded Targeting

According to Chimino, the UnregStealer banking malware has the potential to pose a bigger threat. The infrastructure patterns observed suggest an operator with the capability and motivation to expand targeting beyond what this investigation has confirmed.

FAQ

What is UnregStealer and how does it target victims?

UnregStealer is a banking trojan that targets Latin American banks by disguising itself as a Chrome browser extension. It deceives users into installing it through fake security warnings about mandatory SSL certificate updates, which are entirely fabricated.

How does UnregStealer evade detection systems?

The malware involves a real operator who watches each victim session live and pulls the trigger manually. This manual operation makes the campaign nearly invisible to sandboxes and behavioral detection systems that never see the payload activate.

What information does UnregStealer steal from victims?

UnregStealer steals session cookies for banking websites and captures privileged information such as passwords, one-time passwords, and account numbers each time a field is clicked and information is entered on targeted banking portals.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.