
PowerShell-Abusing Banking Trojan Goes to Brazil

With Brazil currently hosting the 2016 Olympics, cybercriminals appear determined to profit from the event as much as possible, including with banking Trojans that abuse PowerShell, Kaspersky Lab researchers reveal.

According to the security firm, Brazil is the most infected country in the world when it comes to banking Trojans, but the crooks have mostly relied on low-quality malware so far. Lately, more sophisticated Trojans have emerged in the country, including the newly spotted Trojan-Proxy.PowerShell.Agent.a, which Kaspersky considers a major step forward for the country's cybercriminals.

The Trojan is distributed via malicious emails carrying an attachment that poses as a receipt from a mobile operator but is actually a .PIF file, an extension Windows runs as an executable. As soon as the file is executed, the malicious code changes Internet Explorer's proxy configuration to point at a malicious proxy server, which redirects users to phishing pages that mimic the legitimate sites of Brazilian banks.

The technique itself is not new: Brazilian malware has previously achieved the same redirection with malicious proxy auto-config (PAC) files. What is new is the use of a PowerShell script to make the change, Kaspersky Lab researchers explain. Kaspersky expects the malware to be successful at infecting computers in Brazil, mainly because Windows 7 and newer, which ship with PowerShell installed, are currently the most popular operating system versions in the country.

Researchers also note that the Trojan doesn't connect to a command and control (C&C) server at all. Instead, the malware spawns a powershell.exe process with command-line switches that let it bypass the PowerShell execution policy.

What's worrying is that the changes the script makes to the Internet Settings registry key to enable a proxy server don't affect only Microsoft Internet Explorer but every other browser on the machine as well, because other browsers by default use the same system-wide (WinINET) proxy configuration that IE stores there.
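The Internet Settings values involved are straightforward to audit. The PowerShell below is an added example, not code from Kaspersky or from the malware: it reads the per-user WinINET proxy values from the standard Internet Settings key, flags anything outside an allow-list, and can reset the values once they are confirmed malicious. The corporate proxy name, the dynamic-DNS suffix list and the function names are assumptions for the example.

```powershell
# Added example, not code from the Kaspersky write-up: audit the per-user
# WinINET proxy values that a hijack of this kind rewrites, and optionally
# reset them. The key below is the standard Internet Settings location read by
# Internet Explorer and by every browser set to "use system proxy settings".
$InternetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxyState {
    # Missing values come back as 0 / empty string rather than $null.
    $p = Get-ItemProperty -Path $InternetSettings
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable        # 1 = explicit proxy active
        ProxyServer   = [string]$p.ProxyServer     # host:port, or per-protocol list
        AutoConfigURL = [string]$p.AutoConfigURL   # PAC file URL, if one is set
    }
}

function Test-ProxyHijack {
    param(
        [Parameter(Mandatory)] $State,          # output of Get-WinInetProxyState
        [string[]] $AllowedProxies = @(),       # assumed: your sanctioned proxies
        [string[]] $AllowedPacUrls = @()        # assumed: your sanctioned PAC URLs
    )
    # Assumed, partial list of dynamic-DNS suffixes; the write-up says the
    # attackers' proxy hosts lived on dynamic DNS services without naming them.
    $DynDns = '\.(no-ip|ddns|dyndns|duckdns|hopto)\.'
    $findings = @()
    if ($State.ProxyEnable -eq 1 -and $State.ProxyServer) {
        if ($AllowedProxies -notcontains $State.ProxyServer) {
            $findings += "explicit proxy not on the allow-list: $($State.ProxyServer)"
        }
        if ($State.ProxyServer -match $DynDns) {
            $findings += "explicit proxy uses a dynamic DNS host"
        }
    }
    if ($State.AutoConfigURL) {
        if ($AllowedPacUrls -notcontains $State.AutoConfigURL) {
            $findings += "PAC URL not on the allow-list: $($State.AutoConfigURL)"
        }
        if ($State.AutoConfigURL -match $DynDns) {
            $findings += "PAC URL uses a dynamic DNS host"
        }
    }
    return $findings
}

function Reset-WinInetProxy {
    # Clears the explicit proxy and the PAC URL. Browsers pick the change up
    # on their next WinINET session, so restart them. WinHTTP keeps a separate
    # proxy store (netsh winhttp show proxy) that this does not touch.
    Set-ItemProperty -Path $InternetSettings -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $InternetSettings -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $InternetSettings -Name AutoConfigURL -ErrorAction SilentlyContinue
}

# Usage: run in the affected user's session, then repeat for other profiles
$state    = Get-WinInetProxyState
$findings = Test-ProxyHijack -State $state -AllowedProxies @('proxy.corp.example:8080')
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    # Reset-WinInetProxy   # uncomment after confirming the values are malicious
} else {
    Write-Output 'WinINET proxy settings look clean'
}
```

Because the key lives under HKCU, a full host audit has to repeat the check for every loaded user hive under HKEY_USERS, not just the session the script runs in.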

The proxy domains used in the attack are hosted on dynamic DNS services and are meant to redirect all traffic to a server located in the Netherlands (89.34.99.45). The server hosts several phishing pages for Brazilian banks, at hostnames such as gbplugin.[REMOVED].com.br, moduloseguro.[REMOVED].com.br, x0x0.[REMOVED].com.br and X1x1.[REMOVED].com.br.

The banking Trojan was also found to check for the language of the operating system and to abort all operations should it not be set to Brazilian Portuguese. Thus, the malware is clearly focused on infecting users in Brazil.


“To protect a network against malware that uses PowerShell, it is important to modify its execution, using administrative templates that only allow signed scripts. We are sure this is the first of many that Brazil’s bad guys will code,” Kaspersky Lab notes.
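As an added example not drawn from the Kaspersky write-up, the PowerShell below covers both the launch pattern described earlier (powershell.exe spawned with switches that bypass the execution policy and hide the window) and the signed-scripts policy recommended above. The first part scores process-creation command lines from constructed sample records; the second reports whether AllSigned is actually enforced through Group Policy. The switch weights, the sample command lines, the parent image names and the function names are assumptions for the example.

```powershell
# Added example, not code from the Kaspersky write-up. Part 1 scores
# powershell.exe launch command lines for the switch combination the Trojan
# relies on (execution-policy bypass plus quiet-run switches), run over
# constructed sample records. Part 2 checks whether the signed-scripts policy
# Kaspersky recommends is enforced via Group Policy on this host.

# Switches that legitimate administrative use rarely combines; the weights are
# an assumed scoring scheme, not a vendor rule. -match is case-insensitive.
$SuspiciousSwitches = @(
    [pscustomobject]@{ Name = 'execution policy bypass'; Weight = 3; Pattern = '-(ExecutionPolicy|ep|ex)\s+(Bypass|Unrestricted)' },
    [pscustomobject]@{ Name = 'encoded command';         Weight = 3; Pattern = '-(EncodedCommand|enc|ec|e)\s+[A-Za-z0-9+/=]{16,}' },
    [pscustomobject]@{ Name = 'hidden window';           Weight = 2; Pattern = '-(WindowStyle|w)\s+Hidden' },
    [pscustomobject]@{ Name = 'no profile';              Weight = 1; Pattern = '-(NoProfile|nop)\b' },
    [pscustomobject]@{ Name = 'non-interactive';         Weight = 1; Pattern = '-(NonInteractive|noni)\b' }
)

function Get-PowerShellLaunchScore {
    param([Parameter(Mandatory)][string] $CommandLine)
    $score = 0
    $indicators = @()
    foreach ($s in $SuspiciousSwitches) {
        if ($CommandLine -match $s.Pattern) {
            $score += $s.Weight
            $indicators += $s.Name
        }
    }
    [pscustomobject]@{ CommandLine = $CommandLine; Score = $score; Indicators = $indicators }
}

# Constructed sample process-creation records in the shape of Sysmon event 1 /
# Security 4688 fields; not telemetry from the campaign described above.
$SampleEvents = @(
    [pscustomobject]@{ ParentImage = 'receipt.pif';  CommandLine = 'powershell.exe -nop -w hidden -ep bypass -c "Set-ItemProperty ''HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'' ProxyEnable 1"' },
    [pscustomobject]@{ ParentImage = 'explorer.exe'; CommandLine = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\update.ps1' },
    [pscustomobject]@{ ParentImage = 'cmd.exe';      CommandLine = 'powershell.exe -NoProfile -Command "Get-Service | Out-File C:\temp\svc.txt"' },
    [pscustomobject]@{ ParentImage = 'explorer.exe'; CommandLine = 'powershell.exe' }
)

function Find-SuspiciousPowerShellLaunch {
    param([object[]] $Events, [int] $Threshold = 3)
    foreach ($e in $Events) {
        $r = Get-PowerShellLaunchScore -CommandLine $e.CommandLine
        if ($r.Score -ge $Threshold) {
            [pscustomobject]@{ ParentImage = $e.ParentImage; Score = $r.Score; Indicators = ($r.Indicators -join ', ') }
        }
    }
}

function Test-SignedScriptPolicy {
    # AllSigned set in the MachinePolicy or UserPolicy scope comes from Group
    # Policy and overrides the -ExecutionPolicy switch; AllSigned set only in
    # the LocalMachine or CurrentUser scope is overridden by that switch.
    $scopes = Get-ExecutionPolicy -List
    $enforced = $scopes | Where-Object {
        $_.Scope -in 'MachinePolicy', 'UserPolicy' -and $_.ExecutionPolicy -eq 'AllSigned'
    }
    return [bool]$enforced
}

# Usage
Find-SuspiciousPowerShellLaunch -Events $SampleEvents | Format-Table -AutoSize
if (-not (Test-SignedScriptPolicy)) {
    Write-Warning 'AllSigned is not enforced through Group Policy on this host'
}
```

Two caveats apply when relying on the execution policy as the control. Only a setting delivered through Group Policy (the MachinePolicy or UserPolicy scope) overrides a `-ExecutionPolicy Bypass` on the command line; a value set with Set-ExecutionPolicy in the LocalMachine or CurrentUser scope does not. Even when enforced, the policy governs script files, not code passed inline through -Command or -EncodedCommand, so a loader that carries its payload on the command line still runs. Pair the policy with process command-line auditing (Security event 4688 with command-line logging, or Sysmon event 1), PowerShell script block logging (event 4104) and application control.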

Other banking Trojans have also started focusing on Brazil in recent weeks, such as Panda Banker, also known as Zeus Panda, which was spotted in the country just before the Olympics kicked off.