On the morning of Friday, August 12th, ESET researchers noticed a huge outbreak of a new Spy.Banker variant, detected as Spy.Banker.ADEA. It happened at around 12pm CET.
This new variant is similar to previous ones used by other banking trojans in South America. During execution, the malware checks if the system’s settings are in Portuguese and proceeds with the injection of the banker’s payload.
The banking trojan spreads along with two modified versions of a popular utility software, which are used to extract usernames and passwords from browsers (Chrome, Firefox, Internet Explorer, and Opera), as well as credentials for local email clients like Outlook. To spread, it uses emails with attached files that contain a variant of JS/Danger.ScriptAttachment, whose purpose is to download and execute other malware on the system.
More details on: