
SecurityWeek

Malware & Threats

PowerShell-Abusing Banking Trojan Goes to Brazil

With Brazil currently hosting the 2016 Olympics, cybercriminals appear determined to profit from this major sporting event as much as possible, such as using banking Trojans that abuse PowerShell, Kaspersky Lab researchers reveal.


According to the security firm, Brazil is the most infected country in the world when it comes to banking Trojans, though until now local crooks have mostly relied on low-quality malware. Lately, more sophisticated Trojans have emerged in the country, including the newly spotted Trojan-Proxy.PowerShell.Agent.a, which Kaspersky describes as a major step up for the country's cybercriminals.

The Trojan is distributed via malicious emails carrying an attachment that supposedly is a receipt from a mobile operator but is in fact a .PIF file containing the malware (Windows runs a .PIF with executable content just like an .exe). As soon as the file is executed, the malicious code changes the proxy configuration in Internet Explorer to point at an attacker-controlled proxy server, which ensures that users are redirected to phishing pages mimicking the legitimate sites of Brazilian banks.

The redirection itself is not new: Brazilian crooks previously achieved it with malicious proxy auto-config (PAC) files. What is new is using a PowerShell script to apply the change, Kaspersky Lab researchers explain. Kaspersky expects the malware to infect a large number of computers in Brazil, since Windows 7 and newer, which ship with PowerShell installed by default, are the most widely used versions in the country, so the script runs on most victims' machines without any additional dependency.

Researchers also note that the Trojan does not contact a command and control (C&C) server. Instead, the malware spawns a powershell.exe process with command-line parameters that sidestep the PowerShell execution policy. The execution policy is not a security boundary: it only governs whether scripts on disk are loaded by an interactive host, and anything that can launch powershell.exe can override it for that one invocation (for example with -ExecutionPolicy Bypass) or pass the script body directly with -Command, so the policy is no obstacle here.

What’s worrying is that the changes the script makes to the Internet Settings registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, where WinINet stores the ProxyEnable and ProxyServer values) do not affect only Microsoft Internet Explorer but every browser on the machine that defers to the system proxy configuration. Chrome always does, and Firefox does by default, so a single registry write hijacks the traffic of all of them.
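Detection logic for the two observable steps described above, as an added example that is not from the article or from Kaspersky: a powershell.exe launch whose command line overrides the execution policy, and a write to the WinINet proxy values under Internet Settings by a process that has no business touching them. It runs over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set); the events, the attachment name, the allowlist of legitimate proxy-setting writers and the dynamic-DNS suffix list are all assumptions for illustration, not data from the page.

```python
"""Hunt for the PowerShell proxy-hijack pattern in Sysmon-style telemetry.

Event ID 1  = process creation (image, parent, cmdline)
Event ID 13 = registry value set (image, target, details)
All sample events below are constructed for this example, not real logs.
"""
import re
from urllib.parse import urlsplit

# WinINet keeps the system proxy here; Chrome, Edge and (by default) Firefox
# follow these values, so one write redirects every browser, not just IE.
INTERNET_SETTINGS = "\\software\\microsoft\\windows\\currentversion\\internet settings\\"
PROXY_VALUES = {"ProxyEnable", "ProxyServer", "AutoConfigURL", "ProxyOverride"}

# Assumed allowlist of binaries that legitimately write these values (the
# Internet Options applet runs inside rundll32.exe); tune per environment.
TRUSTED_PROXY_WRITERS = {"rundll32.exe", "explorer.exe", "iexplore.exe", "systemsettings.exe"}

# Assumed free dynamic-DNS suffixes; the article names the service type only.
DYNDNS_SUFFIXES = (".no-ip.org", ".ddns.net", ".duckdns.org", ".hopto.org")

# powershell.exe accepts unambiguous parameter prefixes, so match -ex, -exec,
# -ExecutionPolicy and the explicit -ep alias; same idea for -w/-WindowStyle.
EXEC_POLICY_OVERRIDE = re.compile(r"-(?:ex\w*|ep)\s+(?:bypass|unrestricted)", re.I)
HIDDEN_WINDOW = re.compile(r"-w\w*\s+hidden", re.I)
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def proxy_hosts(details):
    """Hosts from a ProxyServer value ("host:port" or "http=h:p;https=h:p")
    or from an AutoConfigURL."""
    hosts = []
    for entry in details.split(";"):
        entry = entry.strip()
        if "=" in entry:
            entry = entry.split("=", 1)[1]
        host = urlsplit(entry).hostname or "" if "://" in entry else entry.split(":", 1)[0]
        if host:
            hosts.append(host.lower())
    return hosts


def analyse_process_create(ev):
    if basename(ev["image"]) != "powershell.exe":
        return []
    reasons = []
    if EXEC_POLICY_OVERRIDE.search(ev["cmdline"]):
        reasons.append("execution policy overridden on the command line")
    if HIDDEN_WINDOW.search(ev["cmdline"]):
        reasons.append("hidden window requested")
    if ev["parent"].lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("spawned by a binary in a user-writable location")
    return reasons


def analyse_registry_set(ev):
    target = ev["target"]
    if INTERNET_SETTINGS not in target.lower():
        return []
    value_name = target.rsplit("\\", 1)[-1]
    if value_name not in PROXY_VALUES:
        return []
    reasons = []
    if basename(ev["image"]) not in TRUSTED_PROXY_WRITERS:
        reasons.append(f"{value_name} written by {basename(ev['image'])}")
    if value_name in ("ProxyServer", "AutoConfigURL"):
        for host in proxy_hosts(ev["details"]):
            if host.endswith(DYNDNS_SUFFIXES):
                reasons.append(f"proxy points at dynamic-DNS host {host}")
    return reasons


def hunt(events):
    """Return {event index: [reasons]} for every event that trips a rule."""
    findings = {}
    for i, ev in enumerate(events):
        if ev["id"] == 1:
            reasons = analyse_process_create(ev)
        elif ev["id"] == 13:
            reasons = analyse_registry_set(ev)
        else:
            reasons = []
        if reasons:
            findings[i] = reasons
    return findings


# Constructed sample: one benign script run, one hidden bypass launch from a
# fake "receipt" in %TEMP%, one legitimate proxy edit, two writes by PowerShell.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
IS = r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SAMPLE_EVENTS = [
    {"id": 1, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"id": 1, "image": PS, "parent": r"C:\Users\joao\AppData\Local\Temp\comprovante.pif",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\joao\AppData\Local\Temp\upd.ps1"},
    {"id": 13, "image": r"C:\Windows\System32\rundll32.exe",
     "target": IS + r"\ProxyEnable", "details": "DWORD (0x00000000)"},
    {"id": 13, "image": PS, "target": IS + r"\ProxyServer", "details": "proxy-update.ddns.net:8080"},
    {"id": 13, "image": PS, "target": IS + r"\ProxyEnable", "details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["id"], "; ".join(why))
```

The two rules fire independently; in practice the signal worth paging on is their correlation, a flagged powershell.exe launch followed within seconds by a ProxyServer or AutoConfigURL write from that same process, and an allowlist of corporate proxy hosts keeps the registry rule quiet on managed machines.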

The proxy domains used in the attack use dynamic DNS services and are meant to redirect all traffic to a server located in the Netherlands (89.34.99.45). The server hosts several phishing pages for Brazilian banks, such as gbplugin.[REMOVED].com.br, moduloseguro.[REMOVED].com.br, x0x0.[REMOVED].com.br, and X1x1.[REMOVED].com.br.

The banking Trojan was also found to check for the language of the operating system and to abort all operations should it not be set to Brazilian Portuguese. Thus, the malware is clearly focused on infecting users in Brazil.


“To protect a network against malware that uses PowerShell, it is important to modify its execution, using administrative templates that only allow signed scripts. We are sure this is the first of many that Brazil’s bad guys will code,” Kaspersky Lab notes.

Other banking Trojans also started focusing on Brazil over the past few weeks, such as Panda Banker, also known as Zeus Panda, which was spotted in the country just before the Olympics kicked off.
