{
	"id": "8e294f5d-8b3e-4840-a131-7e24114757c8",
	"created_at": "2026-04-06T00:13:43.477454Z",
	"updated_at": "2026-04-10T03:21:36.839916Z",
	"deleted_at": null,
	"sha1_hash": "9d8a2e509bcb5e7183a3c3177feb06eaa431d4a2",
	"title": "Another Banker Enters the Matrix",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 339864,
	"plain_text": "Another Banker Enters the Matrix\r\nBy ASERT team\r\nPublished: 2017-06-09 · Archived: 2026-04-05 21:43:25 UTC\r\nThis post takes a look at a new banking malware that has, so far, been targeting financial institutions in Latin America—specifically, Mexico and Peru. Initially, we’ve called it “Matrix Banker” based on its command and control (C2) login panel, but it seems that “Matrix Admin” is a template available for the Bootstrap web framework. Proofpoint calls it “Win32/RediModiUpd” based on a debugging string from an earlier sample.\r\nThe malware is under active development, but as with some of the other banking trojans we’ve analyzed, it’s difficult to assess how far and wide this threat will go while it’s still so new. Will it become a persistent threat like Panda Banker or have a fate more like Nuclear Bot?\r\nSamples\r\nThe sample analyzed for this post is available on VirusTotal. It was compiled on 2017-05-26 and has the following PDB debugging string:\r\nC:\\Users\\W7\\Downloads\\Project\\Bin\\Loader.pd\r\nThe Matrix Loaded\r\nAs suggested by the PDB string, the sample starts off as a loader. It performs the following tasks:\r\nCreates a “LoaderMutex” mutex.\r\nSets up Registry Run persistence using “GITSecureService” as the value name.\r\nExtracts a 32-bit and a 64-bit DLL named “main_32.dll / main_64.dll” from a resource named “BINARY”.\r\nUsing the “ReflectiveLoader” technique and code, injects the appropriate DLL into chrome.exe, firefox.exe, iexplore.exe, or microsoftedgecp.exe.\r\nMain DLL\r\nOnce the main DLL is injected in a browser, it starts by hooking the appropriate browser functions (e.g. PR_Read and PR_Write for Firefox) to set up a “man-in-the-browser” (MitB).\r\nIt then phones home to its C2 server to get the webinject config. 
The request looks like this:\r\nhttps://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/\r\nPage 1 of 3\r\nThe URI path and file are hardcoded, but we’ve seen other paths in other samples. “uuid” is randomly generated and “country” is currently left blank—though there is placeholder code for it.\r\nResponses from the C2 are hex encoded and encrypted using the Salsa20 crypto algorithm. This is the first malware family that we’ve seen that uses this algorithm. The following Python snippet decrypts the response:\r\nimport sys\r\nimport salsa20  # https://pypi.python.org/pypi/salsa20/0.3.0\r\n# Python 2: read the hex-encoded C2 response from the file given on the command line\r\nfp = open(sys.argv[1], \"rb\")\r\ndata = fp.read()\r\nfp.close()\r\n# 8-byte Salsa20 nonce (IV) and 32-byte key, hardcoded in the samples analyzed\r\niv = \"K\\x84\\x8eH\\xf1]E\\xa5\"\r\nkey = \"\\xa1\\x9cA\\x89\\xb4\\x9d\\x15ae\\xf1a\\x8bLQj\\x16\\xf1l\\x18\\x1d\\x81\\xb8\\x18\\x18\\xe1\\x81e\\x1c!\\xb8\\\\e\"\r\n# strip newlines and undo the hex encoding; Salsa20 is a keystream XOR, so the same call decrypts\r\ndata_nohex = data.replace(\"\\n\", \"\").decode(\"hex\")\r\nplain = salsa20.Salsa20_xor(data_nohex, iv, key)\r\nprint plain\r\nSo far the key and initialization vector (IV) have been the same for all the samples we’ve analyzed. An example webinject config looks like this:\r\nWhile functional, the webinject format looks to be under construction. Earlier samples use a different, simpler format and there is plenty of work to do to catch up with the industry standard Zeus webinjects. Rules are “\\n” separated and there are two types: “rule1” and “rule2”. So far we’ve only seen “rule2”s. The targeted financial institution is specified in “targeturl”. 
The rest of the pieces, which are “\u0026br\u0026” delimited, are eventually concatenated together and injected into the page if the browser visits a targeted URL.\r\nIn this example the code that is injected is an HTML and JavaScript redirect that automatically redirects the browser to a phishing page hosted on “llinea[.]com” that looks exactly like the targeted financial institution. Hoping the victim doesn’t notice the redirect, the threat actor will harvest the victim’s banking credentials.\r\nCampaign\r\nPer VirusTotal, the analyzed sample was first seen in the wild on 2017-05-29 and was being distributed by the following sites:\r\nhxxp://neext[.]com[.]mx/Loader.exe\r\nhxxp://notaria94[.]com[.]mx/real.exe\r\nFurthermore, we can link the second drop site to an instance of Beta Bot (available on VirusTotal) and see it dropping Matrix Banker. The two malware families also share a common C2 server, trtr44[.]cat.\r\nConclusion\r\nThis post has been a quick analysis of a new banking malware currently targeting countries in Latin America. It is too soon to assess how active and widespread this new family will become, but it is actively being developed and targeting financial institutions in the wild.\r\nSource: https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/"
	],
	"report_names": [
		"another-banker-enters-matrix"
	],
	"threat_actors": [],
	"ts_created_at": 1775434423,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d8a2e509bcb5e7183a3c3177feb06eaa431d4a2.pdf",
		"text": "https://archive.orkl.eu/9d8a2e509bcb5e7183a3c3177feb06eaa431d4a2.txt",
		"img": "https://archive.orkl.eu/9d8a2e509bcb5e7183a3c3177feb06eaa431d4a2.jpg"
	}
}