A new malicious application tries to disguise itself as the Google Chrome browser to fool victims into entering their payment card details. The app is still active at the time of writing and sends collected user details to an AOL email address.
Discovered today by MalwareHunter, this application goes above and beyond of what other card stealers have attempted, most of which are half-baked efforts, often easy to recognize as malicious applications thanks to their quirky graphics and misaligned designs.
This app, named "Betaling - Google Chrome.exe", tries to pass as the Google Chrome browser and does a good job at it. Betaling ("Payment" in Dutch) uses the standard Chrome icon and window layout, complete with an address bar, and even an HTTPS lock icon to trick users they're on a real website.
Betaling isn't a perfect Google Chrome, though, as there are a few clues that experienced users can spot.
For starters, the malicious app requires users to have installed a minimum version of .NET Framework 4.0 or higher, a requirement the real Google Chrome never had.
Second, the app also uses the standard Windows 8/8.1/10 Metro style, even when running on a Windows 7 PC.
Third, while Betaling tries to trick users into thinking it's the real Chrome, outside of the lock icon and the address bar, the rest of the Chrome UI is missing, such as the tab bar, the menu, Chrome buttons, and others.
Last but not least, only the close button works. Users can't resize the window, can't minimize it, can't make it fullscreen, can't drag it, and can't enter a new URL.
Nevertheless, much less sophisticated malware has been able to infect hundreds or thousands of users in the past, which means Betaling and its UI can be quite effective.
Several security researchers who've taken a look at Betaling were impressed by its carefully crafted design. Non-infosec people thought Betaling was a phishing page loaded inside a Chrome browser, and only some time later realized they weren't looking at a Chrome window to begin with.
Currently, Betaling's interface is only available in Dutch, which reveals the malware's current target.
The form displayed inside the fake Chrome window isn't blind to user input like most phishing pages, and some data validation takes place, yielding two sorts of errors.
If correct the data is entered, Betaling collects all information and sends it to an AOL email address at firstname.lastname@example.org.
This email address was discovered when security researchers analyzed the application's source code. Accessing its inbox, they've discovered recent logs, including the test data entered during Bleeping Computer's tests, meaning the app works just fine.
Besides recent logs from Betaling, researchers also found logs from an unidentified keylogger. These logs went back as far as January 2016 and included details from victims from all over the world.
"It's been long since he got any [keylogger] logs," said a security researcher that goes by the name of Guido, who also analyzed the malware.
Guido, who already reported the malware to authorities, says the initial entries for the keylogger logs contained a series of recurring email addresses. Common sense dictates these are the author's own emails, which he used for testing, during the keylogger's development and subsequent rollout.
These two emails, email@example.com and firstname.lastname@example.org, are also linked to accounts on the Spokeo social network.
Furthermore, Betaling's PDB file includes a compilation path of "C:\Users\Patrick\", and the Betaling EXE file is also self-signed by an invalid certificate authority named "CN = DESKTOP-PC\Patrick".
Both mentions of the "Patrick" name are consistent with the two email addresses found in the keylogger's first log entries. It's now up to authorities to investigate and determine if the owner of the two email addresses is behind Betaling or not.
Furthermore, Guido told Bleeping Computer that in August 2016, "Patrick" sent an email from the AOL account to email@example.com asking for help with a "stealer" that was having several bugs. It's currently unknown if he was referring to Betaling in its early stages of development, or a different stealer altogether.
SHA256 hash (VirusTotal link): 42e2b2e17ff85fc1a399e712a488c1ed35af3b7b8b061bdde86ec4732138254c