Security News New Brazilian Banking Trojan Uses Windows PowerShell Utility

Jack

Microsoft’s PowerShell utility is being used as part of a new banking Trojan targeting Brazilians. Researchers made the discovery earlier this week and say the high quality of the Trojan is indicative of Brazilian malware that is growing more sophisticated.


The banking Trojan is identified as “Trojan-Proxy.PowerShell.Agent.a” and is one of the most technically advanced Brazilian malware samples discovered, said Fabio Assolini, a senior security researcher with Kaspersky Lab’s Global Research and Analysis Team in a Securelist blog on Thursday.

The banking Trojan is being delivered via a phishing campaign where emails are masquerading as a receipt from a mobile carrier. A malicious .PIF (Program Information File) attachment is used to attack the target’s PC. PIF files tell MS-DOS applications how to run in Windows environments and can contain hidden BAT, EXE or COM programs that automatically execute after the host file is run.

In the case of “Trojan-Proxy.PowerShell.Agent.a” the PIF file changes the proxy configuration in Internet Explorer to a malicious proxy server that redirects connections to phishing pages for Brazilian banks, Assolini said. Those changes in the system are made using a PowerShell script.

The browser aspect of the attack is identical to how cybercriminals have exploited proxy auto-config (PAC) files in previous attacks, Assolini said. PAC files are designed to enable browsers to automatically select which proxy server to use to get a specific URL.

“It’s the same technique used by malicious PACs that we described in 2013, but this time no PACs are used; the changes in the system are made using a PowerShell script,” Assolini wrote. Not only are Internet Explorer users affected, but also users of Firefox and Chrome.

The malware has no command-and-control communication. Instead, once the .PIF file is launched, a “powershell.exe” process is spawned with the command line “-ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1”. This is an attempt to bypass PowerShell execution policies, Assolini said. The malware also modifies Firefox's prefs.js file, inserting the malicious proxy setting.

Read more: New Brazilian Banking Trojan Uses Windows PowerShell Utility
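A defender-side check for the two artifacts the article describes, written as an added Python example (it is not code from the article, Securelist or the malware sample): it scans constructed process-creation log lines for a powershell.exe launch that bypasses the execution policy to run a -File script out of a Temp directory, and parses a constructed prefs.js excerpt for an injected manual proxy. The log format, the user path and the proxy address are assumptions made for the example; only the %TEMP%\599D.tmp\599E.ps1 path comes from the article.

```python
import re

# Constructed Sysmon-style process-creation lines (not real telemetry from the sample).
PROCESS_LOG = """\
ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\bob\\AppData\\Local\\Temp\\599D.tmp\\599E.ps1"
ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell.exe -File C:\\Scripts\\backup.ps1"
ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"
"""

# Constructed excerpt of a Firefox prefs.js after a manual proxy has been injected.
PREFS_JS = """\
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "203.0.113.7");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
"""

EVENT_RE = re.compile(r'\bImage=(\S+)\s+CommandLine="([^"]*)"')
BYPASS_RE = re.compile(r"-e\w*\s+bypass", re.IGNORECASE)  # -ExecutionPolicy / -ep / -exec
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)          # script dropped under %TEMP%
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')

def suspicious_powershell(log_text):
    """Return command lines of powershell.exe launches that bypass the execution
    policy and run a -File script out of a Temp directory (the article's pattern)."""
    hits = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m or not m.group(1).lower().endswith("powershell.exe"):
            continue
        cmd = m.group(2)
        if BYPASS_RE.search(cmd) and "-file" in cmd.lower() and TEMP_RE.search(cmd):
            hits.append(cmd)
    return hits

def firefox_proxy_prefs(prefs_text):
    """Parse user_pref() lines and return the network.proxy.* settings as strings."""
    prefs = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1).startswith("network.proxy."):
            prefs[m.group(1)] = m.group(2).strip('"')
    return prefs

def proxy_injected(prefs_text, allowed_proxies=()):
    """True when prefs.js forces a manual proxy (type 1) to a host not on the allow-list."""
    p = firefox_proxy_prefs(prefs_text)
    return p.get("network.proxy.type") == "1" and p.get("network.proxy.http") not in allowed_proxies
```

The same prefs check can be pointed at a real profile's prefs.js, and the process check at exported Sysmon or 4688 events, to spot the change the Trojan makes without any network indicator.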
 
Great share, Jack.
The criminals are quickly making Online Banking a huge security risk.
What I do to combat this, aside from good updated security, is I buy throwaway cards from Walmart and load them at the time of purchase with cash in the amount I am going to spend.
I then make the online purchase and the card will be empty or very close, and I throw it away. This is a little time consuming but well worth it to me to ensure my account security.
My actual Bank card has never been utilized in an "online" manner, and never will.
 
If we continue this way we won't be able to use bank cards "in peace"... ATMs and POS terminals are being hacked and compromised, cards cloned, terminals infected... I just opened a new, separate checking account just for transactions. I transfer to this only the money I need; this is the max I can lose in the worst case... no credit limit.