This malware attack uses a fake look-alike domain intended to fool the user into thinking they are dealing with the genuine Santander Bank. It asks you to download a "Santander bank protection module". The page text is in Portuguese, so it is targeted at Portuguese-speaking users of Santander Bank.
I don't have an original email. I am assuming it starts with an email, but it could well be a text message, Facebook link or similar. Thanks to JAMESWT_MHT for the link & tip.
Anyway, the site in question is https://modulosantander.online/, which was registered on 9 August 2017 using a privacy-protection (WHOIS proxy) service and is currently hosted behind Cloudflare (the domain uses Cloudflare DNS services).
The website looks like this; the page text, translated from the Portuguese, reads:
The Banco Santander Protection Module is software that works integrated with your browser to reduce the risk from malicious programs which, installed on your computer without your consent, capture or request your Internet Banking login details.
Your protocol is: 2017 003 057 91.
Checking requirements for secure access.
To start, you must check the settings on the computer that will be used for Internet Banking.
Windows XP (SP3), Vista, 7, 8 and 10
Intel Pentium 4 processor or higher
128MB of hard disk space
Machine administrator profile*
Note that the "requirements" list includes an administrator account: the lure is priming the victim to run the installer with admin rights.
Press the start button and you get
Then you get this install screen
That downloads from https://drive.google.com/uc?export=download&id=0B2UqrQBaYy8RVnpQSlpITC0tNEU or https://doc-0s-64-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/hrdv7rk0s30i2k1uagqifh3beo65rgmm/1502366400000/01337069893318713217/*/0B2UqrQBaYy8RVnpQSlpITC0tNEU?e=download
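Both download links above fetch the same Google Drive object: the `uc?export=download&id=` URL carries the file ID in the query string, and the `googleusercontent.com` URL that Drive redirects to carries the same ID as the last path segment after a literal `*`. When recording IOCs it is worth normalising both forms to the file ID, so that one payload does not become two unrelated indicators. The following is an added example (not code from the original post) that does that normalisation using the two URLs quoted above as its sample input; the host and file-ID patterns are generalised from those two URLs and are assumptions, and it also handles the common `/file/d/<ID>/view` share-link form, which the page does not show.

```python
import re
from urllib.parse import urlparse, parse_qs

# The two download URLs quoted in the post (the page's own IOCs).
DRIVE_UC_URL = "https://drive.google.com/uc?export=download&id=0B2UqrQBaYy8RVnpQSlpITC0tNEU"
DRIVE_DIRECT_URL = ("https://doc-0s-64-docs.googleusercontent.com/docs/securesc/"
                    "ha0ro937gcuc7l7deffksulhg5h7mbp1/hrdv7rk0s30i2k1uagqifh3beo65rgmm/"
                    "1502366400000/01337069893318713217/*/0B2UqrQBaYy8RVnpQSlpITC0tNEU?e=download")

# Assumption: Drive file IDs are URL-safe base64-style tokens of 20+ characters.
_DRIVE_ID = re.compile(r"^[A-Za-z0-9_-]{20,}$")

# Hosts that serve Drive downloads. The doc-*-docs.googleusercontent.com shape
# is generalised from the second URL above (assumption).
_DRIVE_HOST = re.compile(r"^(drive\.google\.com|doc-[a-z0-9-]+-docs\.googleusercontent\.com)$")


def drive_file_id(url):
    """Return the Google Drive file ID carried by a download/share URL, or None."""
    p = urlparse(url)
    if not _DRIVE_HOST.match(p.hostname or ""):
        return None
    segs = [s for s in p.path.split("/") if s]

    # Form 1: https://drive.google.com/uc?export=download&id=<ID>
    for cand in parse_qs(p.query).get("id", []):
        if _DRIVE_ID.match(cand):
            return cand

    # Form 2: https://doc-...-docs.googleusercontent.com/docs/securesc/.../*/<ID>?e=download
    if len(segs) >= 2 and segs[-2] == "*" and _DRIVE_ID.match(segs[-1]):
        return segs[-1]

    # Form 3 (not on the page; common share link): https://drive.google.com/file/d/<ID>/view
    if "d" in segs:
        i = segs.index("d") + 1
        if i < len(segs) and _DRIVE_ID.match(segs[i]):
            return segs[i]
    return None


def group_by_drive_file(urls):
    """Map Drive file ID -> list of URLs fetching it, collapsing the URL forms
    of one payload into a single IOC entry. Non-Drive URLs are dropped."""
    groups = {}
    for u in urls:
        fid = drive_file_id(u)
        if fid:
            groups.setdefault(fid, []).append(u)
    return groups


if __name__ == "__main__":
    sample = [DRIVE_UC_URL, DRIVE_DIRECT_URL, "https://modulosantander.online/"]
    for fid, urls in group_by_drive_file(sample).items():
        print(fid, "->", len(urls), "URL form(s)")
```

Running it on the page's two links yields a single entry for file ID `0B2UqrQBaYy8RVnpQSlpITC0tNEU` with both URL forms; the lure domain itself is ignored because it is not a Drive host. The long `securesc` token and timestamp in the direct URL are per-request values and should not be treated as stable indicators, which is exactly why keying on the file ID is preferable.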
I don't know exactly what this file does. It is an installer for something malicious, but I don't read Portuguese, so I can't tell from the screenshots on Payload Security.
Update: after a bit of digging around on Twitter I found this tweet, which explains it all & has screenshots of the malware in action. It is a Banker version of Quasar RAT.
— MalwareHunterTeam (@malwrhunterteam) 10 August 2017