According to the security firm ESET a new malware dubbed Win32/Brolux is infected computers in Japan, threat actors are relying on the Flash Player exploit (CVE-2015-5119) disclosed after the Hacking Team hack and the Internet Explorer flaw “Unicorn” (CVE-2014-6332).
Despite both vulnerabilities have been fixed crooks are still exploiting them to serve malware in the wild, in this case, bad actors are spreading the Brolux banking Trojan through an adult website.
“A banking trojan, detected by ESET as Win32/Brolux.A, is targeting Japanese internet banking users and spreading through at least two vulnerabilities: a Flash vulnerability leaked in the Hacking Team hack and the so-called unicorn bug, a vulnerability in Internet Explorer discovered in late 2014. Both exploits are (still) distributed through an adult website and try to install a signed malicious binary designed to steal personal information from the victim. ” states the blog post published by ESET.
The experts noticed that the digital certificate was previously used to sign other malicious codes, in one case it was used to sign the Venik banking Trojan that targeted financial organizations in Korea, and potentially unwanted applications (PUAs).
The experts explained that once the victim’s machine has been infected the Brolux banking Trojan downloads two configuration files, respectively containing a list of 88 URLs and a list of browser window titles used by Japanese Internet online banking services.
Brolux supports Internet Explorer, Firefox and Chrome browsers.
If the victims use the Internet Explorer, the malware monitors the websites visited by with the browser searching for one of the online banking websites present in the configuration file. If the victims use Firefox or Chrome, the malware compares the window’s title with the list from the other configuration file.
When the victims visit one of the targeted banking sites, the Brolux malware created a new process and it present users a phishing page designed to harvest login credentials and other information, such as security questions and answers, email addresses, PINs and payment card data.
“The phishing page asks for login information, as well as answers to security questions. The page tries to use two trusted institutions in Japan: the Public Prosecutors Office and the Financial Services Agency (FSA). The URL mimics both institutions while the page’s content refer to the FSA.” continues the blog post.
Who is behind this malware campaign?
Evidence collected by ESET suggests the involvement of Chinese crooks, for example the phishing pages contain text written in Chinese, the malware is signed with a certificate issued to a Chinese organization and one of the samples detected by the experts uses a Chinese mutex name.
(Security Affairs – Brolux Banking Trojan, Japan)