Trojan.Broluxa
First posted on 16 October 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Broluxa.
Explanation:
The Trojan may arrive as part of a targeted attack which exploits the following vulnerabilities:
CVE-2014-6332
CVE-2015-5119
When the Trojan is executed, it creates the following files so that it runs every time Windows starts:
%UserProfile%\Start Menu\Programs\Startup\[FILE NAME].exe
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[FILE NAME].exe
The Trojan downloads a bank URL list from the following remote location:
[http://]luxurybro.co.kr/data/geditor/1501/123[REMOVED]
The Trojan then saves the bank URL list to the following file:
%Temp%\url.txt
The Trojan downloads a browser title list from the following remote location:
[http://]luxurybro.co.kr/data/geditor/1501/456[REMOVED]
The Trojan then saves the browser title list to the following file:
%Temp%\title.txt
The Trojan monitors the web browsers on the compromised computer and compares the URLs and window titles of the user's browser sessions against the two lists it downloaded. If either list matches, the Trojan creates a new iexplorer.exe process and attempts to open the following phishing pages in order to steal confidential information:
[http://]fas-go-jp-security.servecounterstrike.com/main[REMOVED]
[http://]fas-go-jp-security.kensatsutyo.com/main[REMOVED]
Last update 16 October 2015
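The indicators above (Startup-folder persistence, the url.txt/title.txt drops under %Temp%, the download host, and the spawned iexplorer.exe process pointed at the phishing hosts) can be turned into a small host-triage check. The following is an added example written for this page, not code from Symantec or from the malware; it scans a constructed, pipe-delimited log format (FileCreate, ProcessCreate, NetworkConnect records) that stands in for whatever endpoint telemetry you actually have, and the sample lines are made up for the demonstration. Note that the write-up names the spawned process iexplorer.exe, which is not the Internet Explorer binary (iexplore.exe), so the image name itself is treated as a signal, while the real browser is left alone.

```python
from pathlib import PureWindowsPath

# Indicators taken from the write-up above.
STARTUP_SUFFIX = r"\start menu\programs\startup"      # both Startup paths end this way
LIST_FILE_NAMES = {"url.txt", "title.txt"}            # saved under %Temp%
C2_HOST = "luxurybro.co.kr"                           # list download host
PHISHING_HOSTS = (
    "fas-go-jp-security.servecounterstrike.com",
    "fas-go-jp-security.kensatsutyo.com",
)
# Spelled as in the write-up; distinct from Internet Explorer's iexplore.exe.
SPAWNED_IMAGE = "iexplorer.exe"


def classify(line):
    """Return a list of (tag, detail) findings for one log line.

    Line format (constructed for this example, not a real Sysmon/EDR schema):
      FileCreate|<path>
      ProcessCreate|<image path>|<command line>
      NetworkConnect|<destination host>|<port>
    """
    fields = line.rstrip("\n").split("|")
    kind = fields[0]
    findings = []

    if kind == "FileCreate" and len(fields) >= 2:
        p = PureWindowsPath(fields[1])
        parent = str(p.parent).lower()
        name = p.name.lower()
        # Startup-folder persistence: any .exe dropped under ...\Start Menu\Programs\Startup
        if parent.endswith(STARTUP_SUFFIX) and name.endswith(".exe"):
            findings.append(("startup_persistence", str(p)))
        # Downloaded bank-URL / browser-title lists saved under a Temp directory
        if name in LIST_FILE_NAMES and "\\temp" in parent:
            findings.append(("target_list_dropped", str(p)))

    elif kind == "ProcessCreate" and len(fields) >= 3:
        image = PureWindowsPath(fields[1]).name.lower()
        cmdline = fields[2].lower()
        if image == SPAWNED_IMAGE:
            findings.append(("suspicious_image_name", fields[1]))
        for host in PHISHING_HOSTS:
            if host in cmdline:
                findings.append(("phishing_page_opened", host))

    elif kind == "NetworkConnect" and len(fields) >= 2:
        if fields[1].lower() == C2_HOST:
            findings.append(("list_download_host", fields[1]))

    return findings


def scan(lines):
    """Run classify() over an iterable of log lines; returns findings in order."""
    out = []
    for line in lines:
        if line.strip():
            out.extend(classify(line))
    return out


# Constructed sample telemetry for the demonstration (not from a real infection).
SAMPLE_LOG = r"""
FileCreate|C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe
FileCreate|C:\Users\alice\AppData\Local\Temp\url.txt
FileCreate|C:\Users\alice\AppData\Local\Temp\title.txt
FileCreate|C:\Users\alice\Documents\report.docx
NetworkConnect|luxurybro.co.kr|80
ProcessCreate|C:\Program Files\Internet Explorer\iexplore.exe|"iexplore.exe" https://www.example.com/
ProcessCreate|C:\Users\alice\AppData\Local\Temp\iexplorer.exe|"iexplorer.exe" http://fas-go-jp-security.kensatsutyo.com/main
""".strip().splitlines()

if __name__ == "__main__":
    for tag, detail in scan(SAMPLE_LOG):
        print(f"{tag:24} {detail}")
```

PureWindowsPath parses Windows paths on any platform, so the check runs offline on an analyst workstation against exported logs. The Startup-folder rule matches both persistence paths named in the write-up because they share the same trailing directory; the legitimate iexplore.exe launch in the sample produces no finding.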