According to their findings, an analysis of the file ChromeSetup.exe by Trend Micro's security researchers has verified that it is a multi-component BANKER malware, detected as TSPY_BANKER.EUIQ. Once running on a system, TSPY_BANKER.EUIQ sends information such as the infected system's IP address and operating system name to a specific IP address. It also downloads a configuration file that it uses to redirect access to fake banking pages whenever the user attempts to visit certain banking websites.
So far Trend Micro has detected 3 different binary files downloaded from the following popular URLs:
- hxxp://br.msn.com/ChromeSetup.exe
- hxxp://www.facebook.com.br/ChromeSetup.exe
- hxxp://www.facebook.com/ChromeSetup.exe
- hxxp://www.globo.com.br/ChromeSetup.exe
- hxxp://www.google.com.br/ChromeSetup.exe
- hxxp://www.terra.com.br/ChromeSetup.exe
"While we may have a complete picture of this particular attack, the one missing piece now is the same thing that made us notice this malware from the millions of data that we have from our threat intelligence – how it is able to redirect user accesses from normal websites like Facebook or Google to its malicious IP to download malware," Cayanan wrote. "We will continue our investigation related to this incident and will update this blog with our findings.
"Online threats will continue to evolve and find ways into systems. As such, traditional web blocking technologies may fail to block access to malicious URLs, especially when these are masked with the use of legitimate domains like those of Facebook or Google."
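One way a defender can hunt for the masking described above, where the download is served under a legitimate hostname, is to flag ChromeSetup.exe requests whose destination IP does not belong to the hostname's known-good networks. This is an added example, not code from the post or from Trend Micro; the proxy log format, the sample log lines and the allowlisted networks (RFC 5737 documentation ranges) are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hostnames the post reports serving ChromeSetup.exe.
WATCHED_HOSTS = {
    "br.msn.com", "www.facebook.com.br", "www.facebook.com",
    "www.globo.com.br", "www.google.com.br", "www.terra.com.br",
}

# Constructed allowlist: networks the defender has verified as belonging to
# the legitimate site operators. Documentation ranges stand in for real ones.
EXPECTED_NETS = {
    "www.facebook.com": [ipaddress.ip_network("198.51.100.0/24")],
    "www.google.com.br": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed proxy log format: "<timestamp> <client> <dest_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def suspicious(line):
    """Return a reason string for a masked ChromeSetup.exe download, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, dest_ip, _method, url = m.groups()
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host not in WATCHED_HOSTS or not parts.path.lower().endswith("/chromesetup.exe"):
        return None
    nets = EXPECTED_NETS.get(host)
    if nets is None:  # no verified networks for this host: surface for review
        return f"{client} fetched ChromeSetup.exe from {host} ({dest_ip}); host not allowlisted"
    if not any(ipaddress.ip_address(dest_ip) in n for n in nets):
        return f"{client} fetched ChromeSetup.exe from {host} at {dest_ip}, outside expected networks"
    return None


def scan(lines):
    """Run suspicious() over every log line and collect the hits."""
    return [r for r in (suspicious(l) for l in lines) if r]


SAMPLE_LOG = [  # constructed sample lines
    "2012-03-20T10:01:02 10.0.0.5 198.51.100.7 GET http://www.facebook.com/home.php",
    "2012-03-20T10:02:15 10.0.0.5 192.0.2.44 GET http://www.facebook.com/ChromeSetup.exe",
    "2012-03-20T10:03:40 10.0.0.9 203.0.113.9 GET http://www.google.com.br/ChromeSetup.exe",
    "2012-03-20T10:04:01 10.0.0.9 192.0.2.44 GET http://www.terra.com.br/ChromeSetup.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the second and fourth sample lines are flagged: the first is not a ChromeSetup.exe request and the third comes from an allowlisted network.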