Over the past few days our email honeypots in South America began to receive spam messages that invited recipients to download new forms for filing and paying taxes in Brazil. The links in the emails supposedly lead to Brazil’s federal tax service website. It is tax season in Brazil, so you can be sure that many, many people are looking for tax forms.
In reality, everyone who clicked on the links opened a well-crafted spoofed webpage.
The Trojan is packed with nPack and is 319488 bytes. Luckily, Kaspersky’s Proactive Defense Module detected this Trojan before we had a sample and updated our signatures.
The Trojan is being hosted on a legitimate website – on a real page. The hackers simply added code to the page. The victim of the hack is an ISP based in the US. The site is active, so we are monitoring it in case new modifications are uploaded.
In the meantime, Kaspersky Anti-Virus does detect this Trojan as Trojan-Downloader.Win32.Banload.jbr, so make sure you have updated your databases. And be careful – if something looks fishy during a download; it is possible malware.