
TrojanProxy:JS/Banker.K


First posted on 23 February 2012.
Source: Microsoft

Aliases :

There are no other names known for TrojanProxy:JS/Banker.K.

Explanation :

TrojanProxy:JS/Banker.K is a JavaScript trojan that runs as a proxy automatic configuration script to intercept communication between an infected computer and certain online banking websites, resulting in the possible theft of logon credentials or other sensitive information.





Installation

TrojanProxy:JS/Banker.K is installed by other malware as an automatic proxy configuration (PAC) script.



Payload

Steals sensitive information


TrojanProxy:JS/Banker.K monitors user access to the following sites in its effort to steal logon credentials and other sensitive information:

  • www.bradesco.com.br
  • bradesco.com.br
  • www.bancobradesco.com.br
  • bancobradesco.com.br
  • www.real.com.br
  • real.com.br
  • www.bancoreal.com.br
  • bancoreal.com.br
  • www.santander.com.br
  • santander.com.br
  • www.banespa.com.br
  • banespa.com.br
  • www.bancosantander.com.br
  • www.santanderempresarial.com.br
  • santanderempresarial.com.br
  • www.hotmail.com
  • hotmail.com
  • www.hotmail.com.br
  • hotmail.com.br
  • www.msn.com
  • msn.com
  • www.sicredi.com.br
  • sicredi.com.br
  • www.hsbc.com.br
  • hsbc.com.br
  • www.hsbcpremier.com.br
  • hsbcpremier.com.br


If traffic is detected to any of the above listed sites, the trojan redirects the traffic request through a proxy server with an IP address of 74.50.110.214 using TCP port 80. This could result in the possible theft of logon credentials or other sensitive information.



Analysis by Hyun Choi

Last update 23 February 2012
