New Banking Trojan Uses PowerShell to Alter Internet Explorer Proxy Settings

August 22, 2016

There is a new banking trojan going around that uses Microsoft PowerShell to alter a computer’s local proxy settings in order to redirect users to the wrong server when trying to access a banking portal.

Banking trojans have hijacked computer proxy settings for years. This is how some of them operate. The difference is that they used local PAC (Proxy Auto-Config) files to achieve this, which they silently installed on infected hosts.

Security researchers from Kaspersky Lab say they’ve now detected a new trojan, which they named Trojan-Proxy.PowerShell.Agent.a, that uses PowerShell, a task automation utility included by Microsoft with its Windows OS, which was recently open-sourced for both Linux and Mac.

This particular banking trojan currently targets only Brazilian financial institutions and is distributed as a PIF file via email spam claiming to be receipts from mobile operators.

When the victim is tricked to run this banking trojan, the trojan starts a PowerShell instance which moves to change Internet Explorer’s proxy settings.

These settings are extremely important because other apps that don’t have a built-in proxy handler, use this configuration. All major web browsers outside Firefox use the IE proxy settings as their default Internet connection settings.

This means that if the user tries to access a banking portal through one of the affected browsers (IE, Edge, Chrome, Opera, Vivaldi, others), the HTTP request will be intercepted and redirected to the crook’s server, which serves a fake banking portal that collects the user’s credentials.

Banking trojan targets only Brazilian banks, for now

These websites are hosted on a server in the Netherlands, and at least four Brazilian banks are targeted, according to Kaspersky, which also expects this trojan to spread to other countries as the Olympic Games close.

For now, the trojan is very careful to target only PCs that use PTBR (Brazilian Portuguese) as the computer’s default language.

Besides Trojan-Proxy.PowerShell.Agent.a, other trojans have used the Rio Olympics to ramp up their activity. These are the Sphinx banking trojan and the Brazilian edition of the Panda Banker banking trojan, both detected by IBM X-Force earlier this month.

Read full story…