Rio Malware 2016: Trojan-Proxy.PowerShell.Agent.a - How to, Technology and PC Security Forum |

Rio Malware 2016: Trojan-Proxy.PowerShell.Agent.a


Besides ransomware, this month has seen some older banking Trojans equipped with new variants as well as completely new pieces. The latest banking Trojan that has been lurking around uses Microsoft PowerShell to change the victim’s PC local proxy settings to redirect users to another server while attempting to access a banking portal. Kaspersky researchers have detected the Trojan as Trojan-Proxy.PowerShell.Agent.a.

Trojan-Proxy.PowerShell.Agent.a: Technical Overview

Crooks are always creating new ways to improve the malware they use to target bank accounts, and now Brazilian attackers have made an important addition to their arsenal: the use of PowerShell, Kaspersky researchers point out.

Brazil is the most infected country worldwide in terms of banking Trojans, according to Kaspersky’s Q1 2016 report, so it’s not surprising that the quality of malware is evolving. The research team was able to “catch” Trojan-Proxy.PowerShell.Agent.a in the wild a few days ago, marking a new achievement by Brazil’s cyber criminals.

This is not the first time of banking Trojans hijacking computer proxy settings. However, in previous campaigns attackers have used local PAC, or Proxy Auto-Config. In addition, the Trojan also uses PowerShell.

What Is PowerShell?

PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language built on the .NET Framework. The utility was recently open-sourced and is now available for Linux and Mac.

Trojan-Proxy.PowerShell.Agent.a Distribution Path

The Trojan is spread via an email campaign, and is a masqueraded as a receipt from a mobile operator in a malicious .PIF file. Once executed, the file would chance the proxy configuration in Internet Explorer to a malicious proxy server to redirect connections to phishing pages for Brazilian banks.


Interestingly, the Trojan doesn’t employ a command & control communication:

After execution it spawned the process “powershell.exe” with the command line “-ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1” aiming to bypass PowerShell execution policies. The .ps1 file in the temp folder uses random names. It’s a base64 encoded script capable of making changes in the system.

Because other apps that don’t have a built-in proxy handler use this configuration, proxy settings are crucial. Furthermore, popular browsers except Firefox employ the proxy settings of Internet Explorer as their default Internet connection settings, which makes things worse for users.

In other words, whenever the user attempts to access a banking portal through one of the affected browsers, the HTTP request will be intercepted and redirected to the malicious server. The user will be redirected to a fake banking portal that harvests his banking credentials.

Trojan-Proxy.PowerShell.Agent.a: Targets

For now, the banking Trojan only targets banks in Brazil but researchers expect the campaign to move to other countries as the end of the Olympic Games is near. Currently the malware is specifically targeting machines whose default language is Brazilian Portuguese, or PTBR.

Other banking Trojans to keep away from:

Trojan-Proxy.PowerShell.Agent.a: Removal and Protection

Infected users should immediately remove the Trojan from their systems. The best way to do so is automatically, via a powerful anti-spyware program.

Automatically remove Trojan-Proxy.PowerShell.Agent.a by downloading an advanced anti-malware program

1. Remove Trojan-Proxy.PowerShell.Agent.a with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Trojan-Proxy.PowerShell.Agent.a in the future
3. Restore files encrypted by Trojan-Proxy.PowerShell.Agent.a
Optional: Using Alternative Anti-Malware Tools

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

1 Comment

  1. Bonny

    I use proxy and have no problem with trojans.


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share