Flattr this!

Experts of the international anti-virus company ESET found a banking trojan aimed at users in Brazil. A feature of this was the use of threats in the cyber vulnerability of the government’s mail server.

To steal confidential data threats established a special extension for the browser Google Chrome . This extension allows an attacker to intercept authentication credentials required to log on online banking. It is worth noting that in Brazil, cyber criminals often use the banking malware to give a substantial profit.

ESET’s antivirus solutions detect this malicious code as MSIL / Spy.Banker.AU. The threat was distributed through a special spam campaign. The main element in this scheme is a dropper, which is responsible for the installation of the required dynamic DLL-libraries and JavaScript-objects on the compromised computer.

Woman sitting at a laptop and entering her credit card information into an online form

Once installed in a special Google Chrome extension, it has developed to monitor all websites visited by the user, trying to keep track of the web resources of Brazilian financial institutions. Once the user has logged into an account on one of these resources, its authentication data sent to the server immediately intruders. To send chosen an unusual way – the cybercriminals exploit vulnerabilities in the configuration of a server belonging to the Brazilian government.

Vulnerability in Server settings allow hackers to use the account gov.br e-mail to forward emails with him on two different account e-mail, belonging to one of the most commonly used email services.

After an account gov.br this plugin sent two letters attackers – the first signaled a new infection while the latter asks the user authentication in online banking system. Malicious scripts contain a list of the various banking domains, and, if the user visits one of them needed to authenticate the data were preserved and sent to the email address of the attackers.

By working together ESET experts and law enforcement agencies in Brazil, participating in cyber attack email accounts were blocked, and the vulnerability of the server that was used by attackers to obtain account gov.br, was closed.