Foreword: a 20 year old college student, develops each net silver Trojan to sell in the black market price exceeds 300 US dollars, 2 years time sought a large amount of ill-gotten wealth. Sound crazy? He is the biggest malware maker in Brazil, Lordfenix.

Lordfenix who is it?

Lordfenix is a 20-year-old computer science student from Tocantins, Brazil. We were able to trace his activities back to April 2013. At that time, he posted on a forum, asking other programmers to help him co-create the online banking Trojan horse.

! [](https://upload-images.jianshu.io/upload_images/24762785-480d1a33342488a4.png? imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

See Figure 1. Forum post by Lordfenix, then Filho de Hakcer

Based on the photos he posted on Facebook in September 2013, it fully shows that he is very successful in his works.

! [](https://upload-images.jianshu.io/upload_images/24762785-44d9c879218e9c00.png? imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Figure 2. Lordfenix boasted in a Facebook post about the success of his Trojan and the fact that it was already paying off

Stealing user information through a fake browser

Lordfenix continued to develop and sell online banking Trojan horse. AsTSPY_BANKER.NJH that we found and tested is one of the online banking Trojan horse that he made. When a user opens the URL of any bank, the Trojan can target the url, including Banco de Brasil, Caixabank, and HSBC.

The Trojan can close a Window running in Google Chrome, display an error message, and reopen a fake Chrome window after locking the target. Since the browser’s Windows are essentially seamless, the entire process of running the program is negligible. If the user is using Internet Explorer or Firefox, the original window is still open, but it still displays an error message and a fake browser window pops up.

! [](https://upload-images.jianshu.io/upload_images/24762785-fffdd8ddf7936825.png? imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

In figure 3. Bogus browser window

! [](https://upload-images.jianshu.io/upload_images/24762785-6b841becdef989f7.png? imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Figure 4. Fake Brazilian HSBC website

! [](https://upload-images.jianshu.io/upload_images/24762785-09d204d7ad253257.png? imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Figure 5. Fake Banco de Brasil website

Lordfenix

If a user enters his login credentials in a forged browser, the Trojan sends the user’s information via email to the attacker —- in the Filho de Hakcer log

Lordfenix uses the same email.

In order to bypass the anti-virus software to kill, the online silver Trojan will automatically terminate gbPSv. exe process. The gbPSv. exe process is one associated with the G-Buster browser defense system. Many Brazilian banks use this security program to protect against information theft, protect users’ privacy, and protect their property during online transactions.

Free cybercrime

Lordfenix was so confident in his abilities that we found him offering the source code of a fully functional banking Trojan for free to members of his underground forums. Lordfenix said his open-source online banking Trojan was able to steal user information from four banks. However, there are certain limitations to this free, if any members want to steal more information from other banks, they will contact Lordfenix, and Lordfenix will sell tSPy_bank.njh to them. In fact, TSPy_bank.njh is the Trojan that we found and tested before.

! [](https://upload-images.jianshu.io/upload_images/24762785-d5105976b5a95ccb.png? imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Figure 6. Forum released free net silver Trojan source code

We also discovered that Lordfenix was also spreading information about his online banking Trojan through his Skype profile. In Kuala Lumpur the online banking Trojan is known as keylogger —- a type of malware with keyloggers.

! [](https://upload-images.jianshu.io/upload_images/24762785-0b8af5c425ee554f.png? imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Figure 7. Personal note from Lordfenix on Skype

The upstart of computer criminals

According to our research, Lordfenix has created over 100 online banking trojans since April 2013, not counting the other malicious tools he created. With each online banking Trojan costing 1,000 reais ($320), the young computer criminal is using his programming talents for illicit gain.

In addition to being able to develop such a powerful online banking Trojan, there were several other factors that prompted Lordfenix to create his own benefit chain:

As it stands, Brazil has a large online banking user base, with about 51% of domestic banking transactions taking place online as of 2013.

Catching criminals for computer crimes is not a priority in Brazil, where the law is still weak and punishments for the worst crimes remain low.

Alone and only 20 years old, Lordfenix has worked hard to raise his profile in the black industry. His story —- young computer criminals doing a lot of damage —- is not the same as the impact of mobile ransomware developed by Chinese kids. He’s not the only lone hacker we’ve noticed this season.

Solo hackers like Frapstar(Canada) and cybercrime backer FighterPOS(Brazil) and Hawkeye (Nigeria) all use basic malware to make a profit.

In cybercrime, both novice and veteran. The result is the same: ordinary users become victims.

If you want to know more information and material please join my penguin circle oh!!