ESET Uncovers Banking Trojan Misusing Government Server and Google Chrome in Brazil


ESET Research Lab in Latin America has been analyzing an interesting form of banking Trojan that is spreading in Brazil. According to the findings of our research, the banking Trojan was spread using social engineering techniques to infect users' PCs. More interestingly, it used a Brazilian government server to collect the victims' information and used Google Chrome™ browser plugins to steal sensitive data. Among the data it collected were Brazilian personal ID numbers, passwords, the PIN or 4-digit validation number of cash cards, and account numbers. However, thanks to ESET research and co-operation with Brazilian authorities and Yahoo!, this threat is no longer active.


“In this case, the malicious code used a server without having to infect it, since the server lacked the adequate controls to prevent being misused by a third party. Consequently, the cybercriminal sought anonymity and tried to access all possible functions provided by legitimate servers in order to dispel any kind of suspicion, given the good reputation of the server,” says Sebastian Bortnik, Education & Research Manager for ESET Latin America. ESET detects this specific banking Trojan as JS/Spy.banker.G.


The malware propagates through an executable using social engineering techniques in order to affect as many users as possible. This executable is a dropper, which is a file that installs (or "drops") other files into the system so that the malware can reach its full operational capabilities. The file analyzed by ESET Latin America's Research Lab was developed in .NET, the popular Microsoft development framework. “The fact that it uses a Chrome extension for data theft has a direct impact on the victim, since in this case it is no longer the operating system that is being infected, but the browser itself,” elaborates Bortnik on what the malware does next. This browser extension is vital for the data theft to take place.
A full technical analysis of this malware is available in the paper “What does a banking Trojan, Chrome and a government mail server have in common?”, which can be found at WeLiveSecurity.com, ESET’s news platform with the latest information and analysis on cyber threats and useful security tips.
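The press release describes the theft component as a browser extension rather than a binary infecting the operating system, which is where a defender's triage should look. The following is an added example written for this article; it is not ESET's code and does not identify JS/Spy.banker.G itself (the page publishes no indicators). It assumes the standard Chrome profile layout (`<profile>/Extensions/<id>/<version>/manifest.json`) and flags any installed extension whose manifest combines the capabilities a form-grabbing extension needs: broad host access, traffic-inspection APIs, a content script injected into every page, and no Web Store `update_url` (i.e. side-loaded, as a dropper would do). The two sample manifests and extension IDs are constructed for the demo.

```python
"""Audit Chrome extension manifests for side-loaded, data-theft-capable extensions.

Added example for this article; not ESET's code. The profile layout
<profile>/Extensions/<id>/<version>/manifest.json is the standard Chrome one
(an assumption of this script, not stated on the page). Manifest inspection is
a triage heuristic: it surfaces extensions worth a closer look, it does not
prove malice.
"""
import json
import os
import tempfile
from typing import Dict, List

# Host patterns that grant an extension access to every site the user visits.
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")
# API permissions that let an extension observe or redirect page traffic.
SENSITIVE_API_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies",
                             "tabs", "webNavigation", "declarativeNetRequest"}


def _host_patterns(manifest: Dict) -> List[str]:
    """Collect host patterns from MV2 (permissions), MV3 (host_permissions)
    and content_scripts[].matches."""
    patterns = []
    for key in ("permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                patterns.append(entry)
    for cs in manifest.get("content_scripts", []):
        patterns.extend(cs.get("matches", []))
    return patterns


def risk_findings(manifest: Dict) -> List[str]:
    """Return human-readable reasons an extension looks capable of stealing
    form data. An empty list means the manifest alone shows nothing suspicious."""
    findings = []
    broad = sorted({h for h in _host_patterns(manifest) if h in BROAD_HOST_PATTERNS})
    if broad:
        findings.append(f"broad host access: {broad}")
    apis = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    apis &= SENSITIVE_API_PERMISSIONS
    if apis:
        findings.append(f"sensitive APIs: {sorted(apis)}")
    # A content script on every page is the minimal kit for reading what a
    # user types into a banking site's login or transfer form.
    if any(m in BROAD_HOST_PATTERNS
           for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])):
        findings.append("content script runs on every page")
    # Web Store installs carry an update_url; a dropper-installed extension usually does not.
    if findings and manifest.get("update_url") is None:
        findings.append("no update_url (not installed from the Web Store)")
    return findings


def audit_extensions_dir(extensions_dir: str) -> Dict[str, List[str]]:
    """Walk a profile's Extensions directory and return {extension_id: findings}
    for every extension with at least one finding."""
    report: Dict[str, List[str]] = {}
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            manifest_path = os.path.join(ext_path, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                try:
                    manifest = json.load(fh)
                except json.JSONDecodeError:
                    report.setdefault(ext_id, []).append(f"{version}: unparseable manifest.json")
                    continue
            findings = risk_findings(manifest)
            if findings:
                report[ext_id] = findings
    return report


# Constructed sample manifests (not real extensions).
SAMPLE_BENIGN = {"name": "Bookmark Helper", "manifest_version": 3, "version": "1.0",
                 "permissions": ["storage", "bookmarks"],
                 "update_url": "https://clients2.google.com/service/update2/crx"}
SAMPLE_SUSPICIOUS = {"name": "Security Update", "manifest_version": 2, "version": "1.0",
                     "permissions": ["tabs", "webRequest", "<all_urls>"],
                     "content_scripts": [{"matches": ["<all_urls>"], "js": ["grab.js"]}]}
BENIGN_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"      # constructed 32-char IDs
SUSPICIOUS_ID = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"


def demo() -> Dict[str, List[str]]:
    """Write both samples into a temporary profile layout and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in ((BENIGN_ID, SAMPLE_BENIGN), (SUSPICIOUS_ID, SAMPLE_SUSPICIOUS)):
            ext_dir = os.path.join(tmp, ext_id, "1.0_0")
            os.makedirs(ext_dir)
            with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
                json.dump(manifest, fh)
        return audit_extensions_dir(tmp)


if __name__ == "__main__":
    for ext_id, findings in demo().items():
        print(ext_id, "->", "; ".join(findings))
```

Run it against a real profile with `audit_extensions_dir(os.path.expanduser("~/.config/google-chrome/Default/Extensions"))` (Windows and macOS keep the profile elsewhere). Treat a hit as a prompt to pull the extension's scripts for review and to check where the extension came from; a dropper-installed extension will also be absent from the Web Store listing and, on managed fleets, from the allow-list enforced by the `ExtensionInstallAllowlist` policy.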


About ESET

ESET®, the pioneer of proactive protection and the maker of the award-winning NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 25 years, the Company has continued to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32® Antivirus holds the record number of Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. In addition, ESET’s NOD32® technology holds the longest consecutive string of VB100 awards of any AV vendor. ESET has received a number of accolades from AV-Comparatives, AV-TEST and other organizations. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world. The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore, and offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET® has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada) and Moscow (Russia), and an extensive partner network covering more than 180 countries.