Incidents

Brazilian banking Trojans meet PowerShell

Crooks are always creating new ways to improve the malware they use to target bank accounts, and now Brazilian bad guys have made an important addition to their arsenal: the use of PowerShell. Brazil is the most infected country worldwide when it comes to banking Trojans, according to our Q1 2016 report, and the quality of the malware is evolving dramatically. We found Trojan-Proxy.PowerShell.Agent.a in the wild a few days ago, marking a new achievement by Brazil’s cybercriminals.

The malware is distributed using a malicious email campaign disguised as a receipt from a mobile operator with a malicious .PIF file. After the file is executed it changes the proxy configuration in Internet Explorer to a malicious proxy server that redirects connections to phishing pages for Brazilian banks. It’s the same technique used by malicious PACs that we described in 2013, but this time no PACs are used; the changes in the system are made using a PowerShell script. As Windows 7 and newer OS versions are now the most popular in Brazil, the malware will not face a problem running on victims’ computers.

The malware has no C&C communication. After execution it spawned the process “powershell.exe” with the command line “-ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1” aiming to bypass PowerShell execution policies. The .ps1 file in the temp folder uses random names. It’s a base64 encoded script capable of making changes in the system.

Brazilian banking Trojans meet PowerShell

After some deobfuscation we can see the goal of the script: to change the Internet Settings key and enable a proxy server on it:

Brazilian banking Trojans meet PowerShell

And this is the result in the browser of the victim – a small change in the proxy settings:

Brazilian banking Trojans meet PowerShell

This change will not only affect IE but all other browsers installed in the system as well, as they tend to use the same proxy configuration set on IE. The proxy domains used in the attack are listed below. All of them use dynamic DNS services and their goal is to redirect all traffic to a server located in the Netherlands (89.34.99.45), where there are several phishing pages for Brazilian banks:

gbplugin.[REMOVED].com.br
moduloseguro.[REMOVED].com.br
x0x0.[REMOVED].com.br
X1x1.[REMOVED].com.br

The malware also has other features of interest: it checks for the language of the OS and aborts if it’s not PTBR, a clever trick to avoid infecting Windows versions in languages other than Brazilian Portuguese.

To protect a network against malware that uses PowerShell, it is important to modify its execution, using administrative templates that only allow signed scripts. We are sure this is the first of many that Brazil’s bad guys will code.

Hash of the malware: cancelamento.pif -> MD5: 9419e7cd60487532313a43559b195cb0

Brazilian banking Trojans meet PowerShell

Your email address will not be published. Required fields are marked *

 

Reports

Lyceum group reborn

According to older public researches, Lyceum conducted operations against organizations in the energy and telecommunications sectors across the Middle East. In 2021, we have been able to identify a new cluster of the group’s activity, focused on two entities in Tunisia.

GhostEmperor: From ProxyLogon to kernel mode

While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor.

APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

Subscribe to our weekly e-mails

The hottest research right in your inbox