Catalin Cosoi, Chief Security Researcher at antivirus solutions provider Bitdefender, warns of a new Trojan that robs your bank account.
The new Mousetrap campaign starts with a Java applet that has been injected into a popular website. This malicious applet, disguised as Adobe Flash Player, warns the user that the Flash Player plugin on their computer is outdated and needs an update, but, once executed, the applet downloads and installs another malicious executable file on the machine of the website visitors.
The attackers likely use 0-day vulnerabilities in blogging web applications or brute-force weak administrator passwords to add their code in the header file. The downloaded file, written in Visual Basic and packed with UPX, is saved in a writeable location on the user's machine. It downloads and installs a banker from a list (hardcoded in the downloader) of a dozen available links that lead to different banker Trojans. To ensure automatic launch, the banker creates a shortcut to itself. Each time the system starts, all programs with shortcuts added in that folder are automatically initiated as well including the banker.
Once on the system, the banker updates itself by downloading newer versions from a second list of links. The updates are hosted on multiple servers so that if one is shut down, the rest can still be accessed. The banker Trojan feeds users with a login form and asks them to fill it in. The data entered by the unwary clients is intercepted by crooks and sent to a C&C server to be later on be used in other malicious campaigns.
What to do about it? To avoid this kind of threat, install a good antivirus solution and keep it updated at all times. Never install just any software application suggested in a pop-up, especially if you haven't searched for it.