Light Dark
March 6, 2019 By David Bisson 2 min read

Security researchers discovered a new fileless malware strain targeting bank customers in Brazil and Thailand with a hacking tool and at least two infostealers.

Trend Micro observed that the malware, detected as Trojan.BAT.BANLOAD.THBAIAI, connects to hxxp://35[.]227[.]52[.]26/mods/al/md[.]zip to download PowerShell codes. It then connects to hxxp://35[.]227[.]52[.]26/loads/20938092830482 to execute the codes and contact other URLs before extracting and renaming its files so they appear to be valid Windows functions. From there, it forces the victim’s machine to restart and creates a lock screen designed to trick the user into providing his or her login credentials.

While it sets to work deleting all its dropped files, the malware downloads two other threats. The first, detected as TrojanSpy.Win32.BANRAP.AS, opens Outlook and sends stored email addresses to its command-and-control (C&C) server. The second, detected as HKTL_RADMIN, lets a digital attacker lock into the system once the user logs off, gain admin privileges and monitor screen activity.

Once the user logs back in after rebooting, the malware also drops a batch file with a command to load Trojan.JS.BANKER.THBAIAI. This Trojan monitors all sites visited by the victim for strings related to banking. When it finds something pertaining to a login session, it collects the information and sends it to its C&C server.

The Rise of Fileless Malware Attacks

The campaign described above comes amid a rise in fileless malware attacks. In an endpoint security report, for instance, Ponemon Institute found that operations involving PowerShell techniques and other fileless tactics accounted for more than 35 percent of all attacks observed in FY 2018. That’s up from 29 percent in FY 2017.

These attacks don’t show any sign of abating, either. Cisco Talos discovered an attack campaign in the beginning of 2019 in which bad actors used a PowerShell command to load Ursnif malware.

How to Defend Against a Banking Trojan

Security professionals can defend their organizations against digital threats like banking Trojans by regularly patching their software for known vulnerabilities. To be successful, it’s important to minimize shadow IT with an updated inventory of assets installed on the network. Additionally, security teams should craft a robust endpoint defense strategy that combines machine learning and threat detection sandboxing to protect against fileless malware attacks.

 |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

May 17, 2024

How a new wave of deepfake-driven cybercrime targets businesses

5 min read - As deepfake attacks on businesses dominate news headlines, detection experts are gathering valuable insights into how these attacks came into being and the vulnerabilities they exploit.Between 2023 and 2024, frequent phishing and social engineering campaigns led to account hijacking and theft of assets and data, identity theft, and reputational damage to businesses across industries.Call centers of major banks and financial institutions are now overwhelmed by an onslaught of deepfake calls using voice cloning technology in efforts to break into customer…

May 16, 2024

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

May 15, 2024

New cybersecurity sheets from CISA and NSA: An overview

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have recently released new CSI (Cybersecurity Information) sheets aimed at providing information and guidelines to organizations on how to effectively secure their cloud environments.This new release includes a total of five CSI sheets, covering various aspects of cloud security such as threat mitigation, identity and access management, network security and more. Here's our overview of the new CSI sheets, what they address and the key takeaways from each.Implementing…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature