Infostealer.Boleteiro


First posted on 20 September 2014.
Source: Symantec

Aliases :

There are no other names known for Infostealer.Boleteiro.

Explanation :

The Trojan must be manually executed in order to infect the compromised computer.

When the Trojan is executed, it creates the following files:
%UserProfile%\Application Data\Microsoft\Google\icon.png
%UserProfile%\Application Data\Microsoft\Google\Manifest.js
%UserProfile%\Application Data\Microsoft\Google\Manifest.json
Note: Together these files (a manifest, a script and an icon) make up a Google Chrome extension. The directory sits under a bogus Microsoft\Google path, not under Chrome's own profile directory.

The Trojan may modify the following shortcut so that Chrome is launched with an added command-line parameter and does not warn about the sideloaded extension:
%AllUsersProfile%\Desktop\Google Chrome.lnk
The malicious extension appears as an ordinary entry in the Extensions section of Google Chrome.

Through this extension, the Trojan injects JavaScript code into every page loaded by Chrome.
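The following triage routine is an added example, not Symantec's analysis output and not the Trojan's code. It checks the three artefacts described above: a manifest whose content script runs in every page, an extension directory outside Chrome's profile tree, and a Chrome shortcut whose arguments carry an extension-loading switch. The manifest contents are constructed (the write-up lists the file names but not what they contain), and the switches it looks for are the usual Chromium extension-sideloading ones, since the write-up does not name the parameter the Trojan appends to the shortcut.

```python
"""Triage the Chrome-extension artefacts described in the write-up.

Added example; not Symantec's analysis output and not the Trojan's code.
It flags three things a responder would check on the host:
  * a manifest whose content script runs in every page,
  * an extension directory outside Chrome's own profile tree,
  * a Chrome shortcut whose arguments carry an extension-loading switch.
"""
import json

# Constructed manifest: the write-up names Manifest.json, Manifest.js and
# icon.png but not their contents, so this is what an "inject into every
# page" extension has to declare, not the real file.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "Google",
  "version": "1.0",
  "icons": {"128": "icon.png"},
  "content_scripts": [
    {"matches": ["<all_urls>"], "js": ["Manifest.js"], "run_at": "document_end"}
  ],
  "permissions": ["tabs", "<all_urls>"]
}
""")

# Match patterns that cover every site.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Chromium switches that sideload an extension or relax the checks on one.
# The write-up does not say which parameter the Trojan adds to
# Google Chrome.lnk; these are the ones worth looking for (assumption).
SUSPICIOUS_SWITCHES = ("--load-extension", "--enable-easy-off-store-extension-install")

# Chrome keeps installed extensions under the profile; anything else is sideloaded.
CHROME_PROFILE_MARKER = "\\google\\chrome\\user data\\"


def manifest_findings(manifest):
    """Report content scripts and host permissions that reach every page."""
    findings = []
    for script in manifest.get("content_scripts", []):
        if BROAD_MATCHES & set(script.get("matches", [])):
            findings.append("content script %s runs in every page" % ", ".join(script.get("js", [])))
    if BROAD_MATCHES & set(manifest.get("permissions", [])):
        findings.append("host permission covers every site")
    return findings


def path_findings(ext_dir):
    """Flag an extension directory outside Chrome's profile tree (the
    write-up's ...\\Application Data\\Microsoft\\Google is one)."""
    normalised = ext_dir.replace("/", "\\").lower()
    if CHROME_PROFILE_MARKER not in normalised:
        return ["extension directory %s is outside the Chrome profile" % ext_dir]
    return []


def shortcut_findings(arguments):
    """Inspect the Arguments string of a Chrome .lnk; on the host it can be
    read with WScript.Shell's CreateShortcut(path).Arguments."""
    return ["shortcut passes %s" % switch for switch in SUSPICIOUS_SWITCHES if switch in arguments]


def triage(manifest, ext_dir, shortcut_arguments):
    """Combine the three checks into one list of findings."""
    return manifest_findings(manifest) + path_findings(ext_dir) + shortcut_findings(shortcut_arguments)


if __name__ == "__main__":
    # Directory taken from the write-up; the shortcut arguments are constructed.
    ext_dir = r"C:\Documents and Settings\user\Application Data\Microsoft\Google"
    args = '--load-extension="%s"' % ext_dir
    for finding in triage(SAMPLE_MANIFEST, ext_dir, args):
        print("[!]", finding)
```

On a live host the manifest would be read from the directory listed above and the shortcut arguments from the .lnk; the functions take plain data so the same logic can run over artefacts collected from many machines.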

The Trojan looks for any Boleto displayed by Chrome and attempts to gather the following information from it:
Value (amount)
Payer
Due date
Note: A Boleto (boleto bancário) is a bank payment slip widely used in Brazil to pay bills.

The Trojan sends the stolen information to the following location:
[http://]www.planansa.com.br/site/welcom[REMOVED]
The Trojan then rewrites the contents of the Boleto shown in the browser according to the server's response.
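Because the slip is rewritten in the browser, a user or a responder can only trust what the 47-digit linha digitável actually encodes, not what the page displays. The check below is an added example, not part of the write-up and not the Trojan's code: it decodes the amount and due date from the linha digitável, recomputes its check digits, and reports every discrepancy with the values shown on the page. It follows the Febraban bank-slip layout (bank code, currency, general mod-11 check digit, due-date factor, amount in centavos, three mod-10-protected fields); the sample slip is constructed.

```python
"""Compare a boleto's linha digitável with what the browser displays.

Added example; not from the Symantec write-up and not the Trojan's code.
The Trojan rewrites the boleto in the page from a server response, so the
defensive check is to decode the amount and due date that the 47-digit
linha digitável actually encodes, recompute its check digits, and compare
with what the page shows. Layout follows the Febraban bank-slip standard.
"""
from datetime import date, timedelta

# Due-date factor = days since 1997-10-07 (Febraban; the factor was reset
# in 2025, which this example does not handle).
FACTOR_BASE = date(1997, 10, 7)

# Constructed sample slip: bank 001, R$ 150,00 due 2014-10-20, free field of zeros.
SAMPLE_BANK = "001"
SAMPLE_CENTS = 15000
SAMPLE_DUE = date(2014, 10, 20)
SAMPLE_FREE_FIELD = "0" * 25


def mod10(digits):
    """Febraban mod-10 check digit: weights 2,1,2,1,... from the right,
    products above 9 reduced to the sum of their digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        product = int(ch) * (2 if i % 2 == 0 else 1)
        total += product - 9 if product > 9 else product
    return (10 - total % 10) % 10


def mod11(digits):
    """Febraban mod-11 general check digit: weights 2..9 cycling from the
    right; remainders 0, 1 and 10 all give check digit 1."""
    total = sum(int(ch) * (2 + i % 8) for i, ch in enumerate(reversed(digits)))
    dv = 11 - total % 11
    return 1 if dv > 9 else dv


def build_barcode(bank, factor, cents, free_field):
    """44-digit barcode: bank(3) currency(1) DV(1) factor(4) value(10) free(25)."""
    body = "%s9%04d%010d%s" % (bank, factor, cents, free_field)  # 43 digits, no DV yet
    if len(body) != 43:
        raise ValueError("bad field lengths")
    return body[:4] + str(mod11(body)) + body[4:]


def barcode_to_linha(barcode):
    """Rearrange the barcode into the three mod-10 fields, the general DV
    and the factor+value field of the linha digitável."""
    f1 = barcode[0:4] + barcode[19:24]
    f2 = barcode[24:34]
    f3 = barcode[34:44]
    return (f1 + str(mod10(f1)) + f2 + str(mod10(f2)) + f3 + str(mod10(f3))
            + barcode[4] + barcode[5:19])


def linha_to_barcode(linha):
    """Inverse of barcode_to_linha (the field check digits are dropped)."""
    return linha[0:4] + linha[32] + linha[33:47] + linha[4:9] + linha[10:20] + linha[21:31]


def check_linha(linha, shown_cents, shown_due):
    """Return every discrepancy between the encoded slip and the page."""
    if len(linha) != 47 or not linha.isdigit():
        return ["linha digitavel must be 47 digits"]
    problems = []
    for start, end in ((0, 9), (10, 20), (21, 31)):
        if mod10(linha[start:end]) != int(linha[end]):
            problems.append("field check digit wrong at position %d" % (end + 1))
    barcode = linha_to_barcode(linha)
    if mod11(barcode[:4] + barcode[5:]) != int(barcode[4]):
        problems.append("general check digit wrong")
    factor, cents = int(linha[33:37]), int(linha[37:47])
    encoded_due = FACTOR_BASE + timedelta(days=factor)
    if cents != shown_cents:
        problems.append("encoded amount %d cents, page shows %d" % (cents, shown_cents))
    if encoded_due != shown_due:
        problems.append("encoded due date %s, page shows %s" % (encoded_due, shown_due))
    return problems


def sample_linha():
    """Linha digitável of the constructed sample slip."""
    factor = (SAMPLE_DUE - FACTOR_BASE).days
    return barcode_to_linha(build_barcode(SAMPLE_BANK, factor, SAMPLE_CENTS, SAMPLE_FREE_FIELD))


if __name__ == "__main__":
    linha = sample_linha()
    print("genuine :", check_linha(linha, SAMPLE_CENTS, SAMPLE_DUE))
    # A swapped amount, as a Boleto-tampering extension would write it.
    print("tampered:", check_linha(linha[:37] + "%010d" % 9900000, SAMPLE_CENTS, SAMPLE_DUE))
```

A fraudster who replaces the whole linha digitável and barcode with one for their own account will produce internally consistent check digits, so the amount and due-date comparison against the invoice the victim expected to pay is the part of the check that still catches that case; the check-digit tests catch partial edits such as a swapped free field or amount.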

The Trojan displays the following window:

Last update 20 September 2014
