Banking Trojan uses PowerShell to replace the proxy settings in IE

by seo_worker » 2016-08-24 14:57:59

Specialists at Kaspersky Lab have discovered a banking Trojan dubbed Trojan-Proxy.PowerShell.Agent.a. The malware uses Microsoft PowerShell to replace the proxy settings and redirect a user who tries to visit a bank's website to another server.

Changing proxy settings is a standard practice for banking Trojans, and this tactic is widely used by malware. For this purpose, malware usually uses local .PAC (Proxy Auto-Config) files. Trojan-Proxy.PowerShell.Agent.a operates a little differently. This malware mainly attacks Brazilian financial institutions and is distributed through spam emails with attached .pif files. The emails are disguised as receipts from mobile operators.

Researchers at Kaspersky Lab say that the malware operators' server is located in the Netherlands and that it hosts phishing pages mimicking the sites of several Brazilian banks.

This Trojan does not need to contact a command server before or during the attack. Once the victim opens the malicious file, the malware launches PowerShell on the machine and changes the proxy settings for Internet Explorer.

These settings are important because other applications that do not have their own proxy configuration tools often use them. Thus, almost all modern browsers, except Firefox, rely on the IE proxy settings. In the end, no matter which browser the victim uses, the HTTP request to the bank's website will be intercepted by the attackers' proxy, and instead of the legitimate resource the user will be redirected to a fake page that mimics it.

Another interesting feature of Trojan-Proxy.PowerShell.Agent.a is that before the attack it checks the system's default language. If the value is anything other than PTBR, that is, if the system does not work in Portuguese, the malware does not start.
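A defensive check for the behaviour described in the post, added here as an example (it is not code from the post or from Kaspersky's analysis): it audits the per-user WinINET proxy values that Internet Explorer and most other Windows browsers inherit, and searches PowerShell script block logs for commands that touch them. The "no proxy, no PAC" baseline, the 7-day window and the function names are assumptions.

```powershell
# Added example, not from the original post. Audits the WinINET proxy values
# under HKCU that IE (and browsers deferring to it) use. Assumed baseline:
# no explicit proxy and no PAC URL; pass the corporate values where they exist.
function Get-IEProxyAudit {
    param(
        [string]$ExpectedProxy = '',   # e.g. 'proxy.corp.example:8080'
        [string]$ExpectedPac   = ''    # e.g. 'http://wpad.corp.example/wpad.dat'
    )
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s   = Get-ItemProperty -Path $key -ErrorAction Stop
    $findings = @()

    # ProxyEnable=1 plus a ProxyServer that differs from the baseline means
    # every WinINET client in this user session is routed through that host.
    if ($s.ProxyEnable -eq 1 -and [string]$s.ProxyServer -ne $ExpectedProxy) {
        $findings += "ProxyEnable=1 with unexpected ProxyServer '$($s.ProxyServer)'"
    }
    # AutoConfigURL points at a PAC file; the post notes PAC abuse is the
    # usual banking-Trojan technique, so flag any value off the baseline.
    if ($s.PSObject.Properties['AutoConfigURL'] -and
        [string]$s.AutoConfigURL -ne $ExpectedPac) {
        $findings += "Unexpected AutoConfigURL '$($s.AutoConfigURL)'"
    }

    [pscustomobject]@{
        User          = $env:USERNAME
        ProxyEnable   = $s.ProxyEnable
        ProxyServer   = $s.ProxyServer
        AutoConfigURL = $s.AutoConfigURL
        ProxyOverride = $s.ProxyOverride   # bypass list, shown for context
        Findings      = $findings
        Suspicious    = ($findings.Count -gt 0)
    }
}

# Script block logging (event 4104, must be enabled by policy) records the
# text of PowerShell code that ran, so proxy-key edits can be searched for.
function Find-ProxyChangesInPowerShellLog {
    param([int]$Days = 7)
    $filter = @{ LogName   = 'Microsoft-Windows-PowerShell/Operational'
                 Id        = 4104
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Internet Settings|ProxyServer|AutoConfigURL|ProxyEnable' } |
        Select-Object TimeCreated, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

Get-IEProxyAudit | Format-List
Find-ProxyChangesInPowerShellLog | Format-Table -AutoSize
```

The audit covers only the current user's hive; on a shared machine run it in each affected user's context or iterate over the loaded profiles under HKEY_USERS.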