PowerShell-Abusing Banking Trojan Goes to Brazil

With Brazil currently hosting the 2016 Olympics, cybercriminals appear determined to profit from this major sporting event as much as possible, such as using banking Trojans that abuse PowerShell, Kaspersky Lab researchers reveal.

According to the security firm, Brazil is the most infected country in the world when it comes to banking Trojans, but crooks have been using mainly low-quality malware so far. Lately, more sophisticated Trojans have emerged in the country, including the newly spotted Trojan-Proxy.PowerShell.Agent.a, which represents a major achievement for the country’s cybercriminals.

The Trojan is distributed via malicious emails with an attachment supposedly representing a receipt from a mobile operator, but which is a .PIF file containing malware. As soon as the file is executed, the malicious code changes the proxy configuration in Internet Explorer to a malicious proxy server, which ensures that users are redirected to phishing pages that mimic the legitimate pages of Brazilian banks.

While the technique is not new, the use of a PowerShell script to perform the nefarious operation is: previously, the method was used by malicious PACs, Kaspersky Lab researchers explain. The malware will certainly be successful in infecting computers in Brazil, mainly because Windows 7 and newer operating system versions are the most popular in the country at the moment, Kaspersky says.

Researchers also reveal that the Trojan doesn’t connect to a command and control (C&C) server for communication purposes. Instead, the malware spawns the powershell.exe process with commands that help it bypass PowerShell execution policies.

What’s worrying is that the changes this script makes to the Internet Settings registry key to enable a proxy server don’t affect only Microsoft Internet Explorer, but all other browsers on the machine as well, because most other browsers use the same system proxy configuration that IE does.

The proxy domains used in the attack use dynamic DNS services and are meant to redirect all traffic to a server located in the Netherlands (89.34.99.45). The server hosts several phishing pages for Brazilian banks, such as gbplugin.[REMOVED].com.br, moduloseguro.[REMOVED].com.br, x0x0.[REMOVED].com.br, and X1x1.[REMOVED].com.br.

The banking Trojan was also found to check for the language of the operating system and to abort all operations should it not be set to Brazilian Portuguese. Thus, the malware is clearly focused on infecting users in Brazil.

“To protect a network against malware that uses PowerShell, it is important to modify its execution, using administrative templates that only allow signed scripts. We are sure this is the first of many that Brazil’s bad guys will code,” Kaspersky Lab notes.
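The following PowerShell audit is an added example, not code from the article or from Kaspersky Lab: it reads the per-user Internet Settings key the Trojan modifies, flags proxy or PAC values outside an operator-supplied allowlist (the allowlist and the dynamic DNS suffix list are illustrative assumptions), and reports whether the execution policy matches the signed-scripts-only mitigation quoted above.

```powershell
function Test-ProxyHijack {
    [CmdletBinding()]
    param(
        # Proxies your organization legitimately configures (hypothetical allowlist)
        [string[]] $ApprovedProxies = @('proxy.corp.example:8080'),
        # Dynamic DNS suffixes worth flagging (illustrative, not exhaustive)
        [string[]] $DynDnsSuffixes = @('.ddns.net', '.no-ip.org', '.duckdns.org')
    )

    # The key whose ProxyEnable/ProxyServer/AutoConfigURL values the Trojan rewrites
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p   = Get-ItemProperty -Path $key -ErrorAction Stop
    $findings = @()

    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer) {
        # ProxyServer is either "host:port" or "http=host:port;https=host:port"
        $entries = $p.ProxyServer -split ';' | ForEach-Object { ($_ -split '=')[-1] }
        foreach ($e in $entries) {
            if ($ApprovedProxies -notcontains $e) {
                $findings += "Unexpected static proxy: $e"
            }
            $hostName = ($e -split ':')[0]
            foreach ($s in $DynDnsSuffixes) {
                if ($hostName.EndsWith($s, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $findings += "Proxy host uses dynamic DNS: $hostName"
                }
            }
        }
    }

    if ($p.AutoConfigURL) {
        # The older malicious-PAC variant arrives through this value instead
        $findings += "AutoConfigURL set: $($p.AutoConfigURL)"
    }

    # Mitigation check: only signed scripts should be allowed to run
    $policy = Get-ExecutionPolicy
    if ($policy -ne 'AllSigned') {
        $findings += "PowerShell execution policy is '$policy', not AllSigned"
    }

    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        Findings      = $findings
    }
}

Test-ProxyHijack | Format-List
```

Run it per user profile, since the key lives under HKCU and a clean administrator session will not show another account's hijacked settings.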

Other banking Trojans also started focusing on Brazil over the past few weeks, such as Panda Banker, also known as Zeus Panda, which was spotted in the country just before the Olympics kicked off.
