Researchers from Kaspersky discovered a Brazilian Java Trojan that spreads via phishing email. Dmitry Bestuzhev explains that he never owned a PlayStation but received an email with an attachment: an unusual way of spreading Trojan bankers, via .jar files (14KB).
It appeared to be a strange Trojan because even if a user just clicks on a .jar file, it won't run unless the user types “java -jar filename.jar” in the console. “However, this did not stop Brazilian cyber-criminals, and they even managed to spoof our email traps in Japan!” says Dmitry.
“Once the trojan infects a victim's machine, it creates a fake Google Chrome folder where it stores the newly downloaded banker from the mentioned URL.” Additionally, it sends information about the infected PC to a remote server.
“After decompressing and disassembling the file, you will see the code encrypted with a substitution cipher.”
File before decryption:
The substitution cipher routine is embedded in the code, and this is an example of how it works:
Substituted chars:
Screenshot after decryption:
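As an added illustration, not code from the Securelist write-up or from the sample itself, the Python below shows how an analyst inverts an embedded substitution-cipher routine like the one described above, and what a string known to start with "http://" reveals even before the table has been extracted; the keyword, table and URL are constructed placeholders.

```python
from __future__ import annotations
import string

# Constructed substitution alphabet; characters outside it pass through unchanged.
# The real sample's table and strings are not on the page: every value here is made up.
ALPHABET = string.ascii_letters + string.digits + "./:-_"

def build_table(keyword: str) -> dict[str, str]:
    """Keyed permutation: keyword characters first, then the rest of ALPHABET."""
    order: list[str] = []
    for ch in keyword + ALPHABET:
        if ch in ALPHABET and ch not in order:
            order.append(ch)
    return dict(zip(ALPHABET, order))

def invert(table: dict[str, str]) -> dict[str, str]:
    """Encrypt table -> decrypt table; refuse tables that are not bijections."""
    inverse = {v: k for k, v in table.items()}
    if len(inverse) != len(table):
        raise ValueError("substitution table is not a bijection")
    return inverse

def substitute(text: str, table: dict[str, str]) -> str:
    """Apply a char-for-char table; unmapped characters are kept as-is."""
    return "".join(table.get(ch, ch) for ch in text)

def recover_mapping(pairs: list[tuple[str, str]]) -> dict[str, str]:
    """Partial cipher->plain mapping from known (plain, cipher) pairs; conflicts refused."""
    mapping: dict[str, str] = {}
    for plain, cipher in pairs:
        if len(plain) != len(cipher):
            raise ValueError("plain/cipher lengths differ")
        for p, c in zip(plain, cipher):
            if mapping.setdefault(c, p) != p:
                raise ValueError(f"cipher char {c!r} maps to two plain chars")
    return mapping

ENCRYPT = build_table("chrome")                    # constructed keyword
DECRYPT = invert(ENCRYPT)
SAMPLE_URL = "http://example.invalid/update.jar"  # placeholder, not the real URL
SAMPLE_CIPHER = substitute(SAMPLE_URL, ENCRYPT)   # the form an analyst finds embedded

def decrypt_sample() -> str:
    """Full recovery once the embedded table has been extracted from the code."""
    return substitute(SAMPLE_CIPHER, DECRYPT)

def guess_from_known_prefix() -> str:
    """Without the table: a string known to start with 'http://' still reveals part of it."""
    partial = recover_mapping([("http://", SAMPLE_CIPHER[:7])])
    return "".join(partial.get(ch, "?") for ch in SAMPLE_CIPHER)
```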
The 14KB .jar banker works as a downloader and is detected by Kaspersky Anti-Virus as Trojan.Java.Agent.da.
Actual phishing email:
The full article was courtesy of Securelist.com.