LoadPCBanker

The LoadPCBanker malware is a Banking Trojan that is suspected to be the work of Brazillian hackers. The LoadPCBanker Banking Trojan is known to focus on Brazillian PC users, and the program has not been encountered outside Brazil. The LoadPCBanker malware was discovered on April 23rd, 2019 when computer security analysts noticed unusual URL traffic from trusted Google domains. Threat actors exploited the lax security policies in the File Cabinet that is part of the Google Sites platform. The attackers created a simple site, uploaded a malware dropper in the File Cabinet and produced a URL. The File Cabinet service allows site owners to store documents and files related to their site without showing them on the created site. However, the site owners can generate links to the uploaded files.

Google Sites Exploited to Spread LoadPCBanker

That is how the LoadPCBanker team found a way to circumvent most security scanners. Exploiting the trusted status of the Google Sites domain — https://sites.google.com — the attackers succeeded in deploying a harmful file to unsuspecting users. The first attacks used URLs to a file called 'Reserva_Manoel_pdf.rar' that bears the name of a popular soccer player called Manoel Carvalho. The attackers use the name 'Manoel Carvalho' as it is recognizable among Brazilians and many people are likely to open the proposed file. The RAR archive contains what is presented as a PDF document titled 'PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.' If you enable Windows Explorer to show file extensions, you may notice that the full name is 'PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.exe.' In reality, the users are shown a program file, not a PDF document.

LoadPCBanker Functions as a Spyware and a Banking Trojan

The 'PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.exe.' dropper is written in Delphi programming language and delivers three files from a compromised page outside the Google Slides platform. The dropper module writes 'otlook.exe,' 'cliente.dll,' and 'libmySQL50.DLL' to a hidden folder under the AppData directory. The dropper component proceeds to delete logs in the WinINet cache regarding its transmissions and load 'otlook.exe' in the system memory. Once, loaded the process retrieves data from 'cliente.dll,' and 'libmySQL50.DLL' to begin its work. Security researchers warn that LoadPCBanker Trojan may be designed to collect banking credentials from online banking portals, but it is used as spyware primarily.

The LoadPCBanker Trojan monitors the clipboard for credit card numbers, potential passwords, crypto-coin wallet addresses, records screenshots and keyboard input. The malware is configured to download another file called 'dblog.log' from a remote Web page, which contains instructions regarding the command server. The remote command server features an SQL database that is used by the threat actors to store stolen data.

How to Detect the LoadPCBanker Trojan

PC users are unlikely to detect the LoadPCBanker Trojan with normal computer usage. However, they may receive notifications from social media services and email providers about new login locations associated with their Web accounts. Users that suspect their Web accounts may be compromised should take steps to report questionable activity to their service providers and seek to remove devices that may be used to hijack their accounts. Online support teams should help you regain control of your online identity, but you will need to run a complete system scan to remove the LoadPCBanker Trojan from your system.