Over the last few hours we have detected spam messages containing fake news about the Brazilian football player Neymar da Silva Santos, currently playing for F.C. Barcelona. Neymar has been in the media during the last few days for a number of reasons. One is certain irregularities in his signing for F.C. Barcelona, which has already had some serious consequences, such as the resignation of the president of F.C. Barcelona. The other hot topic has been the supposed break-up with his girlfriend, the Brazilian model Bruna Marquezine, although both of them have claimed that it is not true.
This last topic is the one used as bait: the fraudulent email message has the subject “Mostra tudo Video intimo de Neymar e Bruna Marquezine!!” (private video of Neymar and Bruna Marquezine showing all!!) and contains a link to download the video. The downloaded file is named Video_Intimo.zip; once opened, it contains a file called Video_Intimo.cpl.
When run, this file tries to open a web site that says it is under maintenance and the video cannot be played. Meanwhile, in the background, it connects to different URLs to download and install malware. So far the downloaded malware is a banking Trojan designed to steal credentials from customers of Brazilian banks.
Two different files are downloaded, and a registry entry is created to ensure the malware is executed every time the computer is started. To go unnoticed, this entry uses the name “GForce Update Monitor”, and the malware copies itself under a random name into a folder called GForceCmp. GForce has been chosen as a reference to the well-known graphics cards from Nvidia, so many users may recognize the name and think it is harmless. Far from it: the malware is able to capture everything we type on the computer and also takes screenshots when we are using Internet Explorer.
All this malware is detected as Trj/Banker.LDW.
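The indicators described above (a .cpl file inside the downloaded ZIP, the “GForce Update Monitor” autorun name and the GForceCmp folder) can be turned into a quick triage check. The following is an added example, not code from the original post; the function names, the sample paths and the form of the autorun export are assumptions.

```python
import io
import ntpath
import zipfile

# Indicators taken from the write-up above (compared case-insensitively).
AUTORUN_NAME = "gforce update monitor"
DROP_FOLDER = "gforcecmp"
# Extensions Windows runs on double-click; .cpl is a Control Panel applet (a DLL).
RISKY_EXT = {".cpl", ".exe", ".scr", ".com", ".pif"}

def risky_zip_members(zip_bytes):
    """Return (name, is_pe) for members with a directly executable extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if ntpath.splitext(info.filename)[1].lower() in RISKY_EXT:
                with zf.open(info) as fh:
                    hits.append((info.filename, fh.read(2) == b"MZ"))  # PE magic
    return hits

def matching_autoruns(entries):
    """Return (value_name, command) pairs that match the indicators."""
    # Assumption: the page does not name the registry key, so the caller passes
    # in entries exported from whatever autostart locations it collects.
    hits = []
    for name, command in entries:
        path = command.strip().strip('"').lower().replace("/", "\\")
        folders = path.split("\\")[:-1]  # directory components only
        if name.strip().lower() == AUTORUN_NAME or DROP_FOLDER in folders:
            hits.append((name, command))
    return hits

def sample_zip():
    """Constructed sample: a ZIP holding a harmless 2-byte stub named like the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video_Intimo.cpl", b"MZ")
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()

# Constructed autorun entries; paths and the random file names are made up.
SAMPLE_AUTORUNS = [
    ("GForce Update Monitor", r'"C:\Users\ana\AppData\Roaming\GForceCmp\xkqzt.exe"'),
    ("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    ("Updater", r"C:\ProgramData\GForceCmp\a8f3.exe"),
]

if __name__ == "__main__":
    print(risky_zip_members(sample_zip()))
    print(matching_autoruns(SAMPLE_AUTORUNS))
```

The third sample entry shows why the folder is checked separately from the value name: a renamed autorun value still matches as long as the file sits in GForceCmp.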