Friday, August 9, 2013

Published 3:16 AM by

Banking Trojan server used to attack government


Researchers at the international anti-virus company Eset have found a banking trojan aimed at users in Brazil. A distinctive feature of this threat is its use of a vulnerability in the configuration of a government mail server. To steal confidential information, the threat installs a special extension for the Google Chrome browser. This extension allows an attacker to intercept the authentication credentials required to log on to online banking. It is worth noting that in Brazil, cyber criminals often use banking malware, which brings them substantial profit. Eset antivirus solutions detect this malicious code as MSIL/Spy.Banker.AU.

The threat was distributed through a special spam campaign. The main element of this scheme is a dropper, which is responsible for installing the required DLL libraries and JavaScript objects on the compromised computer. Once the special extension is installed in Google Chrome, it begins to monitor all websites visited by the user, watching for the web resources of Brazilian financial institutions. As soon as the user logs into an account on one of these resources, the authentication data is immediately sent to the attackers' server.

An unusual method was chosen for sending the data: the cybercriminals exploited a vulnerability in the configuration of a server belonging to the Brazilian government. The flaw in the server settings allowed the attackers to use a gov.br e-mail account to forward messages through it to two different e-mail accounts at one of the most widely used e-mail services.

Through this plugin, the gov.br account sent two messages to the attackers: one signalled a new infection, while the other reported the user's authentication in the online banking system. The malicious scripts contain a list of various banking domains, and if the user visited one of them, the data needed to authenticate was captured and sent to the attackers' e-mail address. Today the e-mail accounts have been blocked, and the vulnerability in the server that the attackers used to obtain the gov.br account has been closed.
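An extension that watches every visited site and reads login data, as described above, needs broad permissions that a defender can look for. The following is an added example (not from Eset's report and not the trojan's code) that audits Chrome extension manifests for that permission pattern; the sample manifests are constructed, and in practice you would feed it the manifest.json files from each extension directory in the Chrome profile.

```python
import json

# Permissions a credential-stealing extension typically needs: observing
# navigation and reading requests or page content on every site.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs", "cookies", "webNavigation"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> dict:
    """Return a risk summary for one Chrome extension manifest (parsed JSON)."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(perms & RISKY_PERMISSIONS)
    broad = [p for p in perms if p in BROAD_HOSTS]
    # Content scripts injected into every page can read submitted login forms.
    for cs in manifest.get("content_scripts", []):
        broad += [m for m in cs.get("matches", []) if m in BROAD_HOSTS]
    # Broad host access weighs more than a single API permission.
    score = len(risky) + 2 * len(set(broad))
    return {"name": manifest.get("name", "?"), "risky_permissions": risky,
            "broad_hosts": sorted(set(broad)), "score": score, "suspicious": score >= 3}

def audit_all(manifest_texts):
    """Audit a list of raw manifest.json strings."""
    return [audit_manifest(json.loads(t)) for t in manifest_texts]

# Constructed sample manifests (hypothetical; not taken from the Eset report).
SAMPLE_MANIFESTS = [
    json.dumps({"name": "Bank Helper", "manifest_version": 2,
                "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
                "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}),
    json.dumps({"name": "Quiet Notes", "manifest_version": 2,
                "permissions": ["storage"]}),
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_MANIFESTS):
        print(finding)
```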