Banking Trojan Leveraging on PowerShell Attacks Brazil

A new banking Trojan detected by security researchers from Kaspersky Lab is raging in Brazil.

Called Trojan-Proxy.PowerShell.Agent.a, it uses Microsoft PowerShell to change the local proxy settings of a computer in such a way that when a user tries to access a banking portal they are redirected to the crooks' server.

Altering computers' proxy settings has been the way banking Trojans operate for years now. This is achievable thanks to local PAC (Proxy Auto-Config) files, which are secretly installed on victims' machines.

However, in Trojan-Proxy.PowerShell.Agent.a's case, it relies on PowerShell to do the job. PowerShell is a task automation utility included in Microsoft's Windows operating system. Not long ago it was open-sourced for Mac and Linux as well.

Currently, the Trojan's only targets are Brazilian financial institutions. The Trojan is being spread via spam email messages carrying a PIF file. The phony emails pretend to be receipts from mobile operators.

If the user is misled into launching the banking Trojan, it immediately starts a PowerShell instance, which in turn alters the proxy settings of the Internet Explorer browser.

However, the IE browser is not the only one at risk. Many other apps that don't have a built-in proxy handler use the same configuration. Also, the IE proxy settings are used as the default settings in all major web browsers except Mozilla Firefox.

With that in mind, if a user tries to load a banking portal using IE, Chrome, Opera, Edge, Vivaldi or another browser, the HTTP request is intercepted. The user is then redirected to a phony banking portal, which is actually the attackers' server, and which steals the victim's banking credentials.
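Because every browser except Firefox inherits the IE (WinINET) proxy configuration, a defender can audit one place to catch this kind of tampering. The following PowerShell check is an added example, not code from the article or from Kaspersky; the registry key and the PowerShell script-block event ID 4104 are standard Windows locations, while the "expected" PAC and proxy values are placeholders an organisation would replace with its own.

```powershell
# Added example: audit the per-user WinINET proxy settings that a proxy-changing
# banking Trojan such as Trojan-Proxy.PowerShell.Agent.a tampers with.
function Test-ProxyTampering {
    param(
        # Assumption: PAC URLs and static proxies your organisation legitimately uses.
        [string[]] $ExpectedPac   = @('http://proxy.corp.example/proxy.pac'),  # placeholder
        [string[]] $ExpectedProxy = @('proxy.corp.example:8080')               # placeholder
    )
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $settings = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $findings = @()

    # A PAC script that is not one of ours: the classic banking-Trojan trick.
    if ($settings.AutoConfigURL -and ($ExpectedPac -notcontains $settings.AutoConfigURL)) {
        $findings += "Unexpected PAC script: $($settings.AutoConfigURL)"
    }
    # PAC served from local disk (file:// or a drive path) usually means a dropped file.
    if ($settings.AutoConfigURL -match '^(file:|[A-Za-z]:\\)') {
        $findings += "PAC script loaded from local disk: $($settings.AutoConfigURL)"
    }
    # A static proxy that was switched on and does not match the allow-list.
    if ($settings.ProxyEnable -eq 1 -and ($ExpectedProxy -notcontains $settings.ProxyServer)) {
        $findings += "Unexpected static proxy: $($settings.ProxyServer)"
    }

    # Script-block logging (event 4104) records the PowerShell the Trojan spawned;
    # look for recent script blocks that touched the proxy values.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Internet Settings|AutoConfigURL|ProxyServer' }
    foreach ($e in $events) {
        $findings += "Script block modified proxy settings at $($e.TimeCreated)"
    }

    return $findings
}

# Run the audit and report; an empty result means nothing suspicious was seen.
$result = Test-ProxyTampering
if ($result.Count -eq 0) { 'No proxy tampering detected.' } else { $result }
```

Script-block logging must be enabled (via Group Policy or the PowerShell ScriptBlockLogging registry policy) for the event query to return anything; the registry checks work regardless.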

These websites are hosted on a server in the Netherlands. At this point, the Trojan is focusing on Brazilian banks only and, according to Kaspersky, four of them have already been hit. For now, the Trojan is careful to target only PCs that use Brazilian Portuguese as the default language.

Considering that Brazil is probably the Trojan's main target because of the 2016 Olympics, it is expected to widen its attack range after they close.

Trojan-Proxy.PowerShell.Agent.a is not the only one drawn to Brazil by the Rio Olympics. Earlier this month, IBM X-Force detected both the Brazilian edition of the Panda Banker banking Trojan and the Sphinx banking Trojan.
