September 25, 2018
The Trojan, added to the Dr.Web virus databases under the name Trojan.PWS.Banker1.28321, distributed under the guise of the Adobe Reader application, designed to view documents in PDF format. Once launched, it shows a window with the name of this application.
The malicious program attempts to determine whether it is running in a virtual environment. When a virtual machine is detected, the program terminates. The banker also monitors the Windows local language settings. If the system language is not Portuguese, the Trojan does not perform any actions.
The loader module Trojan.PWS.Banker1.28321 is implemented as a VBscript script, while the Trojan itself is written in .NET. The load script is launched by the standard MSScriptControl.ScriptControl COM object. It connects to the managing server and downloads two ZIP-archives from it, one of which contains the obfuscated dynamic library created using Delphi development environment. This library contains the malicious program’s main functions.
When users open the Internet banking sites of various Brazilian financial institutions in the browser window, Trojan.PWS.Banker1.28321 imperceptibly replaces the web page, showing the victim a fake authentication form. In some cases, the Trojan requests an authorization verification code from an SMS message the banks sends users. This information is then transmitted from the Trojan to cybercriminals.
This scheme of replacing the content of original, user-viewed web pages with the "bank-client" systems is used by many banking Trojans. Often they threaten credit institutions’ clients not only in Brazil, but around the world. Over the past month, Doctor Web specialists have identified over 340 unique Trojan.PWS.Banker1.28321 variations. They also found 129 domains and IP addresses of Internet resources belonging to cybercriminals from which the Trojans downloaded archives containing malicious libraries. This indicates the banker is wide-spread. Information about all known Trojan.PWS.Banker1.28321 variations have been added to the Dr.Web virus databases, and the addresses of the servers they use have also been added to the SpIDer Gate web antivirus databases, so the Trojan does not pose a threat to our customers.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.