Brazilian Encrypted Java Archive trojan banker spreads via Playstation phishing email – Kaspersky

Researchers at Kaspersky have discovered a Brazilian Java Trojan that spreads via phishing email. Dmitry Bestuzhev explains that, although he has never owned a Playstation, he received a Playstation-themed email carrying a 14 KB .jar attachment, an unusual way of distributing Trojan bankers.

It seemed an odd choice of infection vector: simply clicking a .jar file does nothing unless a Java runtime is installed and registered for the .jar extension; otherwise the user has to type “java -jar filename.jar” in a console. “However this did not stop Brazilian cyber-criminals and they even managed to spoof our email traps in Japan!” says Dmitry.

“Once the trojan infects a victim’s machine, it creates a fake Google Chrome folder where it stores the newly downloaded banker from the mentioned URL.” It also sends information about the infected PC to a remote server.

After decompressing the archive and disassembling the class files, the code turns out to be scrambled with a simple substitution cipher (obfuscation rather than real encryption).

File before decryption:

[Screenshot: the obfuscated file before decryption]

The substitution cipher routine is embedded in the code; this is an example of how it works:

[Screenshot: the substitution routine]

Substituted characters:

[Screenshot: the substitution table]

Screenshot after decryption:

[Screenshot: the decoded file]
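To make the substitution step concrete, here is an added example in Python (written for this page; it is not code from the Kaspersky write-up or from the trojan). It builds a hypothetical per-character substitution table, applies it the way a Java string-decoder in a banker would, and then shows the analyst's side: recovering part of the table from a known plaintext such as the “http://” prefix of a download URL before the full decode routine has been lifted from the class. The table, the seed, the URL and the drop path are all constructed for illustration and are not the real sample's values.

```python
import random
import string

# Character set the hypothetical obfuscator works over. Characters outside
# it are passed through unchanged, which is typical of the simple string
# decoders found in commodity Java bankers.
ALPHABET = string.ascii_letters + string.digits + "./:-_?=&%"


def build_table(seed: int = 2014) -> dict:
    """Build a deterministic substitution table: plaintext char -> cipher char.

    A real sample embeds the table (or the decode loop) in one of its
    classes; here it is derived from a seed so the example is self-contained.
    """
    shuffled = random.Random(seed).sample(ALPHABET, len(ALPHABET))
    return dict(zip(ALPHABET, shuffled))


def encode(plaintext: str, table: dict) -> str:
    """What the malware author runs once, before shipping the .jar."""
    return "".join(table.get(c, c) for c in plaintext)


def decode(ciphertext: str, table: dict) -> str:
    """The routine embedded in the .jar: apply the inverse of the table."""
    inverse = {v: k for k, v in table.items()}
    return "".join(inverse.get(c, c) for c in ciphertext)


def recover_mapping(known_pairs) -> dict:
    """Rebuild cipher char -> plaintext char from known-plaintext fragments.

    known_pairs: iterable of (ciphertext_fragment, plaintext_fragment) of
    equal length. A conflict raises ValueError, which in practice means a
    guess was wrong or the scheme is not a monoalphabetic substitution.
    """
    mapping = {}
    for ct, pt in known_pairs:
        if len(ct) != len(pt):
            raise ValueError("fragments must be the same length")
        for c, p in zip(ct, pt):
            if mapping.setdefault(c, p) != p:
                raise ValueError(f"conflict for cipher char {c!r}")
    return mapping


def decode_partial(ciphertext: str, mapping: dict, unknown: str = "?") -> str:
    """Decode with a partial mapping; positions not yet known are marked."""
    return "".join(mapping.get(c, unknown) for c in ciphertext)


def main():
    table = build_table()
    # Constructed strings of the kind an analyst pulls from the disassembled
    # class: a download URL and a drop path. Not the real sample's values.
    url = "http://example.invalid/chrome/update.exe"
    path = "C:/Users/Public/Google/Chrome/update.exe"
    blobs = [encode(url, table), encode(path, table)]

    # A downloader's URL almost always starts with "http://": use that as
    # known plaintext to recover five characters of the table.
    mapping = recover_mapping([(blobs[0][:7], "http://")])
    print(decode_partial(blobs[0], mapping))

    # With the full table lifted from the decode routine everything decodes.
    for blob in blobs:
        print(decode(blob, table))


if __name__ == "__main__":
    main()
```

The known-plaintext step is what makes this kind of “encryption” cheap to defeat: every repeated character of a URL or file path leaks the same table entry, so a handful of guessed fragments (“http://”, “.exe”, “C:/”) usually recovers most of the table, and the full routine only has to be lifted from the class to confirm it.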

The 14 KB .jar banker works as a downloader and is detected by Kaspersky Anti-Virus as Trojan.Java.Agent.da.

[Screenshot: the actual Playstation phishing email]

The full article is courtesy of Securelist.com.
