Back to Home

Cybercriminals use Win32 / Brolux.A banking Trojan to compromise users in Japan / ESET NOD32 Blog

malware

Cybercriminals use Win32 / Brolux.A banking Trojan to compromise users in Japan

    Recently, our analysts discovered a malicious campaign that used the Win32 / Brolux.A banking Trojan. The campaign targeted Japanese Internet banking users, and its goal was to spread this malware. Attackers resorted to using exploits for two vulnerabilities. The first vulnerability relates to Flash Player software, the exploit for which was located in the leaked data of the Hacking Team, etc. unicorn bug, a vulnerability in Internet Explorer that was discovered at the end of 2014.



    Both of these exploits are still being distributed through an adult website and are trying to install a digitally signed malware executable. The malware itself specializes in stealing the victim’s personal data and online banking data. A similar distribution mechanism reminds us of another banking Trojan, which was also aimed at Japanese banks and financial institutions. It was called Win32 / Aibatook .

    When a user visits a malicious adult website, an exploit will be performed on his system for either a vulnerability in Internet Explorer (CVE-2014-6332) or a vulnerability in Flash Player (CVE-2015-5119). The experimental PoC code for the first vulnerability has been publicly available for some time. For use in their malicious campaign, attackers subjected it to modifications. Working exploit for the vulnerability appeared Flash Player is available in public after the leak data kibergruppy Hacking Team.

    Although the above vulnerabilities have already been included by the authors of exploit kits in their cybercriminal creations, we do not have information that exploit kits were used in this malicious campaign. Unlike the exploits used in the kits, there is no obfuscation for exploits from this campaign. As you can see in the screenshot below, a malicious adult website is trying to compromise visitors, while downloading videos from another, real site.



    The malware payload code uses two configuration files. The first contains a list of 88 URLs of Japanese online banking sites targeted by the Trojan, and the second contains the names of the corresponding web browser windows. Win32 / Brolux.A is a simple trojan that tracks users visiting online banking websites. It supports compromising web browsers such as Internet Explorer, Firefox, and Google Chrome.

    When a user visits a website using Internet Explorer, the malware obtains the current URL and compares it with the list from the configuration file. In the case of Chrome and Firefox, the malicious code will compare the title of the web browser window with the list from the second configuration file. If there is a match, the malware will create a new web browser process that displays the phishing web page. This web page contains a special form that asks the user for information on entering an online banking account, as well as answers to secret questions for entering an account. Attackers try to disguise a web page as a trusted institution in Japan. This institution is either the Public Prosecutors Office or the Financial Services Agency.



    The above web page contains the following suggestions:
    • Please pay attention to possible fraud associated with online banking!
    • The following security measures should be used by the client:
    • To protect the important personal information of the client, the financial services agency specializes in providing services to the bank to increase its protection.
    • Each bank will be required to provide its customers with updated bank cards, as well as information necessary to identify the client.



    This web page contains the following suggestions:
    • Please pay attention to possible fraud associated with online banking!
    • For every bank, there are cases of authentication when secret answers to questions are not required.
    • If you are notified that there is no need to enter a secret phrase, just click "Next" to go to the next field.



    The user is required to enter the following information in the form fields:
    • Personal information:
      • Registration number
      • Secret phrase
      • E-mail address
      • Email Account Password
      • Second PIN
    • We do not use personal information of the user's credit card or other personal information, which is determined by the document on the protection of personal data, 2004 Financial Services Agency Notification No. 67, for those purposes that differ from those stated, as indicated by the Banking Act (Ordinance for Enforcement of the Banking Act).

    It is interesting to note that both Public Prosecutors Office and FSA have published security notifications about this type of fraud.

    The Win32 / Brolux.A sample we analyzed creates a mutex with a Chinese name, it is also signed with the digital certificate indicated below. In addition, the phishing web page itself contains syntax errors and is not completely written in Japanese: the two fields on the third web page (see the screenshot above) are written in Chinese.



    It is interesting to note that this certificate, which was issued to a Chinese company, has been used in the past to sign various potentially unwanted applications (PUAs). Analyzing various samples of malware that came to hand, we found that the principle of another banking Trojan called Venik is very similar to Win32 / Brolux. Venik specializes in modifying the hosts file in the victim OS to redirect the user from legitimate online banking sites to phishing web pages.

    Despite the fact that the Win32 / Brolux malware uses simple tricks in its work, it is another reminder for users that the necessary precautions should be taken when working with online banking. Firstly, Win32 / Brolux uses outdated exploits for its distribution, so users should always be aware of timely updates to their operating system. Users should also monitor the occurrence of additional or strange web forms on the online banking page.

    Read Next