Remove Banprox Infostealer Trojan Completely

A Trojan known as Banprox.Infostealer has been identified by Symantec's threat response team as infecting personal computers in various locations all over the world. The Trojan is very specific in its actions: it redirects the web traffic of the victim PC through a malicious host via a third-party proxy. It is usually active when you are using banking or other websites where financial data is involved.

Name: Banprox Infostealer
Type: Infostealer Trojan
Short Description: The malware may perform various activities such as connecting to remote hosts and stealing financial credentials.
Symptoms: Unknown IP addresses linking to the below-mentioned hosts when you type "netstat -a -n -f" in your command prompt.
Distribution Method: Via PUPs, installed by bundling (Browser Hijackers) or by visiting a suspicious third-party site that is advertising it.
Detection Tool: Download Malware Removal Tool, to see if your system has been affected by Banprox Infostealer.
User Experience: Join our forum to discuss Banprox Infostealer.

Banprox Trojan – How Is It Spread

Similar to Banload Infostealer, this Trojan is mostly distributed via malicious macros in e-mail attachments, and what is worse is that most users get caught while opening them. Since users tend to trust .docx, .doc, .pdf, .ppt and other Microsoft Office documents, they often do not know that such documents may carry malicious macros. The e-mails often use important-sounding subjects such as:

  • Your PayPal receipt.
  • Your Amazon gift card has arrived.
  • The funds have been transferred to your eBay account.

After the document is opened and the user chooses the "Enable Editing" option, the malicious macro may execute a script that either directly deploys the payload of the Trojan or connects to a remote host and downloads the obfuscated payload.

Banprox Trojan – How Does It Work

The concept of banking Trojans is not a new thing when we are talking about cyber-security. Symantec researchers have reported that, once started, the Trojan immediately modifies the registry, creating several new entries in these locations:

```
HKEY_ALL_USERS\S-1-5-21-3889344330-28187927-3519877804-1000\Software\Microsoft\Internet Explorer\Privacy\"CleanTIF" = "1"
HKEY_ALL_USERS\S-1-5-21-3889344330-28187927-3519877804-1000\Software\Microsoft\Internet Explorer\Privacy\"ClearBrowsingHistoryOnExit" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"AutoConfigUrl" = "[LOCATION OF CONFIGURATION SCRIPT]"
HKEY_ALL_USERS\S-1-5-21-3889344330-28187927-3519877804-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"AutoConfigURL" = "[LOCATION OF CONFIGURATION SCRIPT]"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\"AutoConfigURL" = "[LOCATION OF CONFIGURATION SCRIPT]"
```

The AutoConfigURL values point to proxy configuration scripts that redirect web traffic through custom-created web links on two main hosts:

  • Systruster(.)com
  • Retsback(.)com

An example of a custom host may be the following:

  • "systruster.com/a9s9d2/12b"

The scripts served by these hosts contain a list of websites set as parameters; the redirection is activated every time the user visits a website from that list. Here are several examples of websites whose traffic may be redirected to another server, so that the information the user enters may be stolen:

  • ibanking.stgeorge.com.au
  • ibs.bankwest.com.au
  • *y.combank.com.au
  • hb2.bankleumi.co.il
  • banking3.anz.com
  • banking4.anz.com
  • ib.nab.com.au

Furthermore, this cyber-threat may also establish a connection to a remote location. The locations it may connect to could be the following:

  • Msupdcheck(.)com
  • Retsback(.)com
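The entries above describe two things a defender can look for on a suspect Windows host: an AutoConfigURL (proxy auto-config) value pointing at a remote script, and the two Internet Explorer Privacy values flipped to 1. The following PowerShell script is an added example written for this article; it is not code from Symantec or from SensorsTechForum. It enumerates the AutoConfigURL values under the machine, policy and per-user (HKEY_USERS\S-1-5-21-...) keys listed above, flags any that reference the hosts named in the article, checks the Privacy values, and also scans `netstat -a -f` output for the same host names. It assumes an elevated PowerShell session on the host being examined; the host list is copied from the article with the de-fanging "(.)" removed so the strings match real output.

```powershell
# Added defensive check for the registry and network indicators described in the article.
# Not part of the original post; assumes it is run as Administrator on the suspect Windows host.

# Mount HKEY_USERS so per-user hives can be inspected (ignore the error if it is already mounted).
$null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue

# Logged-on user SIDs (skip the *_Classes hives, which hold no Internet Settings).
$UserSids = Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { $_.PSChildName }

# Keys where the article says AutoConfigURL is written.
$ProxyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$ProxyKeys += $UserSids | ForEach-Object { "HKU:\$_\Software\Microsoft\Windows\CurrentVersion\Internet Settings" }

# Hosts named in the article (de-fanged there as "systruster(.)com" etc.).
$KnownBadHosts = @('systruster.com', 'retsback.com', 'msupdcheck.com')

$Findings = @()

# 1. Any proxy auto-config URL is worth reviewing if the organisation does not deploy one;
#    a URL containing one of the article's hosts is a direct match.
foreach ($key in $ProxyKeys) {
    if (-not (Test-Path $key)) { continue }
    $url = (Get-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
    if ([string]::IsNullOrWhiteSpace($url)) { continue }
    $severity = 'Review'
    foreach ($bad in $KnownBadHosts) {
        if ($url -match [regex]::Escape($bad)) { $severity = 'Match' }
    }
    $Findings += [pscustomobject]@{ Source = $key; Name = 'AutoConfigURL'; Data = $url; Severity = $severity }
}

# 2. The two IE Privacy values the article says are set to 1 (history wiped on exit).
foreach ($sid in $UserSids) {
    $privacy = "HKU:\$sid\Software\Microsoft\Internet Explorer\Privacy"
    if (-not (Test-Path $privacy)) { continue }
    foreach ($name in 'CleanTIF', 'ClearBrowsingHistoryOnExit') {
        $value = (Get-ItemProperty -Path $privacy -Name $name -ErrorAction SilentlyContinue).$name
        if ($value -eq 1) {
            $Findings += [pscustomobject]@{ Source = $privacy; Name = $name; Data = $value; Severity = 'Review' }
        }
    }
}

# 3. Live connections: -f prints FQDNs for foreign addresses (omit -n, which forces numeric output).
foreach ($line in (netstat -a -f 2>$null)) {
    foreach ($bad in $KnownBadHosts) {
        if ($line -match [regex]::Escape($bad)) {
            $Findings += [pscustomobject]@{ Source = 'netstat'; Name = 'ForeignAddress'; Data = $line.Trim(); Severity = 'Match' }
        }
    }
}

if ($Findings.Count -eq 0) {
    'No AutoConfigURL values, history-clearing settings or connections to the listed hosts were found.'
} else {
    $Findings | Sort-Object Severity -Descending | Format-Table -AutoSize
}
```

A 'Review' finding for AutoConfigURL is not proof of infection on its own, since legitimate corporate networks push PAC scripts through the same value; compare the URL against what your proxy administrators expect before acting on it. Any 'Match' finding, or a PAC URL nobody can account for, is the point at which to follow the credential-change and backup advice in the next section.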

Remove Banprox Infostealer Trojan Completely

If your antivirus software has detected this or any other infostealer variant, we strongly advise you to immediately change all of your credentials (financial data, usernames, passwords and other information), since there is a good possibility they have already been compromised.

Then you should back up the data on your computer. Experts also advise using anti-malware software to help you scan for and detect any other malware that may have been downloaded via the connected hosts. We have prepared methodical instructions below that should give you the maximum effectiveness in dealing with Banprox Infostealer.

1. Boot Your PC In Safe Mode to isolate and remove Banprox Infostealer
2. Remove Banprox Infostealer with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections by Banprox Infostealer in the future
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
