March 6, 2019 By David Bisson 2 min read

Security researchers discovered a new fileless malware strain targeting bank customers in Brazil and Thailand with a hacking tool and at least two infostealers.

Trend Micro observed that the malware, detected as Trojan.BAT.BANLOAD.THBAIAI, connects to hxxp://35[.]227[.]52[.]26/mods/al/md[.]zip to download PowerShell codes. It then connects to hxxp://35[.]227[.]52[.]26/loads/20938092830482 to execute the codes and contact other URLs before extracting and renaming its files so they appear to be valid Windows functions. From there, it forces the victim’s machine to restart and creates a lock screen designed to trick the user into providing his or her login credentials.

While it sets to work deleting all its dropped files, the malware downloads two other threats. The first, detected as TrojanSpy.Win32.BANRAP.AS, opens Outlook and sends stored email addresses to its command-and-control (C&C) server. The second, detected as HKTL_RADMIN, lets a digital attacker lock into the system once the user logs off, gain admin privileges and monitor screen activity.

Once the user logs back in after rebooting, the malware also drops a batch file with a command to load Trojan.JS.BANKER.THBAIAI. This Trojan monitors all sites visited by the victim for strings related to banking. When it finds something pertaining to a login session, it collects the information and sends it to its C&C server.

The Rise of Fileless Malware Attacks

The campaign described above comes amid a rise in fileless malware attacks. In an endpoint security report, for instance, Ponemon Institute found that operations involving PowerShell techniques and other fileless tactics accounted for more than 35 percent of all attacks observed in FY 2018. That’s up from 29 percent in FY 2017.

These attacks don’t show any sign of abating, either. Cisco Talos discovered an attack campaign in the beginning of 2019 in which bad actors used a PowerShell command to load Ursnif malware.

How to Defend Against a Banking Trojan

Security professionals can defend their organizations against digital threats like banking Trojans by regularly patching their software for known vulnerabilities. To be successful, it’s important to minimize shadow IT with an updated inventory of assets installed on the network. Additionally, security teams should craft a robust endpoint defense strategy that combines machine learning and threat detection sandboxing to protect against fileless malware attacks.

More from

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

How prepared are you for your first Gen AI disruption?

5 min read - Generative artificial intelligence (Gen AI) and its use by businesses to enhance operations and profits are the focus of innovation in virtually every sector and industry. Gartner predicts that global spending on AI software will surge from $124 billion in 2022 to $297 billion by 2027. Businesses are upskilling their teams and hiring costly experts to implement new use cases, new ways to leverage data and new ways to use open-source tooling and resources. What they have failed to look…

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication. Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today