Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Phishing

Banking Trojan “Brolux” Targets Users in Japan

A new banking Trojan dubbed “Brolux” has been spotted targeting online banking users in Japan, researchers at ESET have warned.

A new banking Trojan dubbed “Brolux” has been spotted targeting online banking users in Japan, researchers at ESET have warned.

According to the security firm, the threat, detected as Win32/Brolux.A, has been distributed by malicious actors with the aid of a Flash Player exploit leaked as a result of the Hacking Team breach (CVE-2015-5119) and an Internet Explorer vulnerability dubbed “Unicorn” (CVE-2014-6332).

The Flash Player flaw was patched by Adobe in July and the Unicorn bug was addressed by Microsoft in November 2014, but it appears even older exploits like these can be useful for delivering malware.

ESET says the exploits have been hosted on an adult website and there is no indication that any exploit kits have been used to distribute Brolux. If the exploits are successful, a signed binary is pushed to the victim’s device.

Once it infects a computer, the Trojan’s main payload downloads two configuration files: one containing a list of 88 URLs, and one containing a list of browser window titles associated with Internet banking in Japan.

The malware monitors the websites visited by the user in search for online banking sites. If the victim uses Internet Explorer, Brolux compares the visited site’s URL with the URLs in the first configuration file. If Firefox or Chrome are used, the threat compares the window’s title with the list from the second configuration file.

If the URLs or window titles match, a new process is created and the victim is pointed to a phishing page designed to harvest login information, security questions and answers, payment card data, passwords, email addresses and passwords, and PINs. In order to make everything look legitimate, the phishing pages are designed to appear as if they are associated with the Japanese Public Prosecutors Office and the Financial Services Agency (FSA).

ESET researchers have uncovered clues suggesting that Chinese cybercriminals might be behind this Brolux attack. For example, one of the samples uses a Chinese mutex name, the phishing pages also contain text written in Chinese, and the malware is signed with a certificate issued to a Chinese company. The certificate was previously used to sign other malware, including a banking Trojan aimed at users in Korea, and potentially unwanted applications (PUAs).

Advertisement. Scroll to continue reading.

Several pieces of malware have been used over the past period to target the customers of Japanese banks, including Shifu, Neverquest and Tsukuba. However, Trend Micro highlighted in a report published this week that the Japanese cybercriminal underground is still in its infancy.

“Although our observations reveal that Japanese cybercriminals lack the technical know-how needed for malware creation, the interest is there, as evidenced by exchanges on how to monetize malware tools purchased from other regional underground markets,” Trend Micro experts said. “Once enterprising individuals discover the feasibility of making money using hacking or malware, we may see more locally produced hacking tools and tips on Japanese underground sites.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Phishing

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Fraud & Identity Theft

Famed hacker Kevin Mitnick has died after a battle with pancreatic cancer.  At the time of his death, he was Chief Hacking Officer at...

Cybercrime

Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...

Phishing

The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Cybercrime

A threat actor tracked as ‘Scattered Spider’ is targeting telecommunications and business process outsourcing (BPO) companies in an effort to gain access to mobile...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...