Security Experts:

PowerShell-Abusing Banking Trojan Goes to Brazil

With Brazil currently hosting the 2016 Olympics, cybercriminals appear determined to profit from this major sporting event as much as possible, such as using banking Trojans that abuse PowerShell, Kaspersky Lab researchers reveal.

According to the security firm, Brazil is the most infected country in the world when it comes to banking Trojans, but crooks have been using mainly low-quality malware so far. Lately, more sophisticated Trojans have emerged in the country, including the newly spotted Trojan-Proxy.PowerShell.Agent.a, which represents a major achievement for the country’s cybercriminals.

The Trojan is distributed via malicious emails with an attachment supposedly representing a receipt from a mobile operator, but which is a .PIF file containing malware. As soon as the file is executed, the malicious code changes the proxy configuration in Internet Explorer to a malicious proxy server, which ensures that users are redirected to phishing pages that mimic the legitimate pages of Brazilian banks.

While the technique is not new, the use of a PowerShell script to perform the nefarious operation is: previously, the method was used by malicious PACs, Kaspersky Lab researchers explain. The malware will certainly be successful in infecting computers in Brazil, mainly because Windows 7 and newer operating system versions are the most popular in the country at the moment, Kaspersky says.

Researchers also reveal that the Trojan doesn’t connect to a command and control (C&C) server for communication purposes. Instead, he malware spawns the powershell.exe process with the commands to help it bypass PowerShell execution policies. 

What’s worrying is that the changes this script makes to Internet Settings key to enable a proxy server don’t affect only Microsoft Internet Explorer, but all other browsers on the machine as well. This is so because the other browsers tend to use the same proxy configuration set on IE.

The proxy domains used in the attack use dynamic DNS services and are meant to redirect all traffic to a server located in the Netherlands ( The server hosts several phishing pages for Brazilian banks, such as gbplugin.[REMOVED], moduloseguro.[REMOVED], x0x0.[REMOVED], and X1x1.[REMOVED]

The banking Trojan was also found to check for the language of the operating system and to abort all operations should it not be set to Brazilian Portuguese. Thus, the malware is clearly focused on infecting users in Brazil.

“To protect a network against malware that uses PowerShell, it is important to modify its execution, using administrative templates that only allow signed scripts. We are sure this is the first of many that Brazil’s bad guys will code,” Kaspersky Lab notes.

Other banking Trojans also started focusing on Brazil over the past few weeks, such as Panda Banker, also known as Zeus Panda, which was spotted in the country just before the Olympics kicked off.


view counter