Besides ransomware, this month has seen older banking Trojans reappear in new variants as well as completely new pieces. The latest banking Trojan to surface uses Microsoft PowerShell to change the local proxy settings on the victim's PC, so that attempts to reach a banking portal are redirected to a server controlled by the attackers. Kaspersky researchers detect the Trojan as Trojan-Proxy.PowerShell.Agent.a.
Trojan-Proxy.PowerShell.Agent.a: Technical Overview
Crooks are always creating new ways to improve the malware they use to target bank accounts, and now Brazilian attackers have made an important addition to their arsenal: the use of PowerShell, Kaspersky researchers point out.
Brazil is the most infected country worldwide in terms of banking Trojans, according to Kaspersky’s Q1 2016 report, so it’s not surprising that the quality of malware is evolving. The research team was able to “catch” Trojan-Proxy.PowerShell.Agent.a in the wild a few days ago, marking a new achievement by Brazil’s cyber criminals.
This is not the first time banking Trojans have hijacked a computer's proxy settings. In previous campaigns, however, the attackers used a local PAC (Proxy Auto-Config) file; what is new here is that the change is made by a PowerShell script.
What Is PowerShell?
PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language built on the .NET Framework. The utility was recently open-sourced and is now available for Linux and Mac.
Trojan-Proxy.PowerShell.Agent.a Distribution Path
The Trojan is spread via an email campaign, masquerading as a receipt from a mobile operator and delivered as a malicious .PIF file. Once executed, the file changes the proxy configuration in Internet Explorer to point at a malicious proxy server, which redirects connections to phishing pages for Brazilian banks.
Interestingly, the Trojan does not use any command-and-control communication; everything it needs is in the script it drops. Kaspersky describes the execution chain as follows:
After execution it spawns the process "powershell.exe" with the command line "-ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1". The -ExecutionPolicy Bypass switch makes the script run regardless of the machine's execution policy; that policy is a safeguard against accidentally running scripts, not a security boundary, so overriding it requires no special privileges. The .ps1 file in the temp folder uses random names. It is a base64-encoded script capable of making changes to the system.
Proxy settings are crucial because any application without its own built-in proxy handler uses this system-wide (Internet Explorer/WinINet) configuration. Furthermore, the popular browsers, with the exception of Firefox, take their default Internet connection settings from Internet Explorer's proxy configuration, which makes things worse for users.
In other words, whenever the user attempts to access a banking portal through one of the affected browsers, the HTTP request passes through the attackers' proxy, which redirects it to a fake banking portal that harvests the user's banking credentials.
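The proxy configuration described above lives in the current user's registry hive, so it can be checked directly. The following PowerShell is an added example written for this article, not code from Kaspersky or from the Trojan: it reads the per-user Internet Settings values that Internet Explorer and the browsers that follow it use, flags an enabled proxy server or a PAC URL, and separately looks for a running powershell.exe launched with the "-ExecutionPolicy Bypass -File <%TEMP% path>.ps1" pattern from the report. The function names and the (empty) allow-list of known-good proxies are assumptions of the example.

```powershell
# Added example (not from the original article or from Kaspersky's analysis):
# triage the per-user WinINet proxy configuration and running PowerShell
# processes for the indicators described in the write-up.

$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyHijackIndicators {
    [CmdletBinding()]
    param(
        # Proxies you expect on this machine (e.g. a corporate proxy "host:port").
        # Constructed default: an empty list, so any configured proxy is reported.
        [string[]] $KnownGoodProxies = @()
    )

    $p = Get-ItemProperty -Path $InetKey -ErrorAction Stop
    $findings = @()

    # Indicator 1: a static proxy server that is switched on.
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer) {
        if ($KnownGoodProxies -notcontains $p.ProxyServer) {
            $findings += [pscustomobject]@{
                Indicator = 'ProxyServer'
                Value     = $p.ProxyServer
                Note      = 'Static HTTP proxy enabled; apps without their own proxy handler route through it'
            }
        }
    }

    # Indicator 2: a proxy auto-config script (the technique of the earlier
    # Brazilian campaigns, which used local PAC files).
    if ($p.AutoConfigURL) {
        $findings += [pscustomobject]@{
            Indicator = 'AutoConfigURL'
            Value     = $p.AutoConfigURL
            Note      = 'PAC script in use; inspect the file or URL it points to'
        }
    }

    return $findings
}

function Get-SuspiciousPowerShellProcesses {
    # Matches the launch pattern from the report:
    # powershell.exe -ExecutionPolicy Bypass -File %TEMP%\<random>.tmp\<random>.ps1
    $temp = [regex]::Escape($env:TEMP)
    Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
        Where-Object {
            $_.CommandLine -match '(?i)-ExecutionPolicy\s+Bypass' -and
            $_.CommandLine -match "(?i)-File\s+.*$temp\\.*\.ps1"
        } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

$proxy = Get-ProxyHijackIndicators
if ($proxy) { $proxy | Format-Table -AutoSize } else { 'No proxy server or PAC configured for this user.' }

$procs = Get-SuspiciousPowerShellProcesses
if ($procs) { $procs | Format-List } else { 'No powershell.exe with an ExecutionPolicy-bypass temp-file launch is running.' }
```

Run it in the context of the user who opened the attachment, since the values are under HKCU. The process check only catches a script that is still running; a script that changed the proxy and exited leaves no process behind, so on hosts where PowerShell script block logging is enabled, search the Microsoft-Windows-PowerShell/Operational log (event ID 4104) for the same command-line pattern instead.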
For now, the banking Trojan only targets banks in Brazil, but researchers expect the campaign to move to other countries as the end of the Olympic Games nears. Currently the malware specifically targets machines whose default language is Brazilian Portuguese (PTBR).
Trojan-Proxy.PowerShell.Agent.a: Removal and Protection
Infected users should remove the Trojan from their systems immediately. A reputable anti-malware product will do this automatically; in addition, confirm that the Internet Explorer proxy settings (Internet Options > Connections > LAN settings) no longer point at an unknown proxy server or PAC file, and delete the dropped .PIF and .ps1 files.
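Removing the executable does not undo the proxy change, so the settings have to be reset as well. The following PowerShell is an added example for this article, not a vendor removal tool: it records the current values for the incident report, disables the proxy, removes the ProxyServer and AutoConfigURL values, and then calls WinINet's InternetSetOption so running programs reload the configuration without a logoff. The function name is the example's own; the option constants (INTERNET_OPTION_SETTINGS_CHANGED = 39, INTERNET_OPTION_REFRESH = 37) are the documented wininet.dll values.

```powershell
# Added example (not from the original article): reset the per-user
# Internet Explorer / WinINet proxy configuration that the Trojan tampers with.

$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# P/Invoke InternetSetOption so the change takes effect immediately.
Add-Type -Namespace WinInet -Name Native -MemberDefinition @'
[DllImport("wininet.dll", SetLastError = true)]
public static extern bool InternetSetOption(IntPtr hInternet, int dwOption, IntPtr lpBuffer, int dwBufferLength);
'@

function Reset-UserProxySettings {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $before = Get-ItemProperty -Path $InetKey

    # Keep a copy of what the Trojan set before touching anything.
    $backup = [pscustomobject]@{
        ProxyEnable   = $before.ProxyEnable
        ProxyServer   = $before.ProxyServer
        AutoConfigURL = $before.AutoConfigURL
        Timestamp     = Get-Date
    }

    if ($PSCmdlet.ShouldProcess($InetKey, 'Disable proxy and remove ProxyServer/AutoConfigURL')) {
        Set-ItemProperty -Path $InetKey -Name ProxyEnable -Value 0 -Type DWord
        foreach ($name in 'ProxyServer', 'AutoConfigURL') {
            Remove-ItemProperty -Path $InetKey -Name $name -ErrorAction SilentlyContinue
        }

        # Tell WinINet the settings changed and make it reload them.
        $SETTINGS_CHANGED = 39   # INTERNET_OPTION_SETTINGS_CHANGED
        $REFRESH          = 37   # INTERNET_OPTION_REFRESH
        [void][WinInet.Native]::InternetSetOption([IntPtr]::Zero, $SETTINGS_CHANGED, [IntPtr]::Zero, 0)
        [void][WinInet.Native]::InternetSetOption([IntPtr]::Zero, $REFRESH, [IntPtr]::Zero, 0)
    }

    # Re-read so the caller can verify the result.
    $after = Get-ItemProperty -Path $InetKey
    [pscustomobject]@{
        Backup        = $backup
        ProxyEnable   = $after.ProxyEnable
        ProxyServer   = $after.ProxyServer
        AutoConfigURL = $after.AutoConfigURL
    }
}

# -WhatIf shows the planned change without applying it; drop it to remediate.
Reset-UserProxySettings -WhatIf
Reset-UserProxySettings -Verbose
```

Use -WhatIf first on machines where a proxy is legitimately configured by Group Policy or by an administrator, since the reset clears whatever is there, not only the Trojan's value. Browsers that were already open should be restarted afterwards, and the dropped .PIF and .ps1 files removed, or the next run of the script will simply set the proxy again.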