Brolux
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
Threat Level: 80% (High)
Infected Computers: 126
First Seen: October 19, 2015
Last Seen: November 24, 2021
OS(es) Affected: Windows
Brolux is a Trojan infection designed to target Japanese banks. Brolux has been detected actively attacking Japanese online banking websites. Brolux spreads by exploiting two different vulnerabilities: one in Flash and the 'unicorn bug,' an Internet Explorer vulnerability uncovered in 2014. Brolux is distributed through a compromised website with adult content. This website may try to install a threatening, signed file that collects the victim's information. Brolux is very similar to another recently active Japanese banking Trojan, Aibatook.
How the Brolux Infection Process Works
When the victim visits the adult website associated with Brolux, two exploits attempt to compromise the victim's computer: CVE-2014-6332 (the 'unicorn bug' in Internet Explorer) and CVE-2015-5119 (Flash Player). Keeping all software on the computer fully up-to-date with the latest security patches prevents these exploits from succeeding. Both vulnerabilities have been known for a while and are blocked by good patching practices. The exploits Brolux uses are slightly updated versions of the earlier, publicly known attacks on these vulnerabilities. Brolux is not delivered through any popular exploit kit; rather, the creators of Brolux implemented the exploits themselves. This version of the exploit code was not obfuscated and was easy to observe.
Once Brolux has used these exploits to gain access to the victim's computer, Brolux downloads two configuration files. The first contains a large list of website addresses for Japanese Internet banks; the second contains the browser window names for these addresses. Brolux then monitors the victim's activity until they visit one of these Japanese banking websites. Brolux can affect the most popular Web browsers, including Internet Explorer, Mozilla Firefox and Google Chrome. Once Brolux detects that the victim has visited one of the websites on its configuration lists, Brolux redirects the victim to a phishing website designed to look like the real one, so that the victim enters their password and login information into the fake page. The phishing websites associated with Brolux look authentic, asking for login information and security questions. Brolux references two important Japanese institutions: the Financial Services Agency and the Public Prosecutors Office.
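The redirect pattern described above (a visit to a listed bank site immediately followed by a login page on an unrelated host) can be hunted for in web proxy logs. The following is an added example, not code from EnigmaSoft or from the Brolux analysis; the bank watchlist, hostnames and log lines are constructed placeholders, and it assumes the initial request to the bank reaches the proxy before the redirect.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed watchlist standing in for the bank-URL configuration list the
# text describes; the real Brolux list is not reproduced on this page.
BANK_HOSTS = {"login.examplebank.jp", "www.examplebank.jp"}
# Words that commonly appear in the host or path of a credential-harvesting page.
LOGIN_HINTS = ("login", "signin", "auth", "secure")
WINDOW = timedelta(seconds=10)

# Constructed proxy log lines: "<ISO timestamp> <client ip> <url>"
SAMPLE_LOG = """\
2021-11-24T09:00:01 10.0.0.5 https://www.examplebank.jp/
2021-11-24T09:00:04 10.0.0.5 https://examplebank-jp-secure.example/login.php
2021-11-24T09:00:30 10.0.0.7 https://news.example/
2021-11-24T09:01:00 10.0.0.7 https://www.examplebank.jp/
2021-11-24T09:01:02 10.0.0.7 https://www.examplebank.jp/account
"""

def parse(line):
    ts, client, url = line.split(" ", 2)
    return datetime.fromisoformat(ts), client, urlsplit(url)

def looks_like_login(parts):
    text = ((parts.hostname or "") + parts.path).lower()
    return any(hint in text for hint in LOGIN_HINTS)

def find_suspicious_redirects(log_text):
    """Return (client, bank_host, suspect_url) for every bank visit that is
    followed within WINDOW by the same client loading a login-looking page
    on a host outside the bank watchlist."""
    findings = []
    last_bank_visit = {}  # client -> (timestamp, bank host)
    for line in log_text.splitlines():
        ts, client, parts = parse(line)
        host = parts.hostname or ""
        if host in BANK_HOSTS:
            last_bank_visit[client] = (ts, host)
            continue
        prev = last_bank_visit.get(client)
        if prev and ts - prev[0] <= WINDOW and looks_like_login(parts):
            findings.append((client, prev[1], parts.geturl()))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_redirects(SAMPLE_LOG):
        print("possible redirect to phishing page:", finding)
```

Legitimate single sign-on flows can also produce this sequence, so the matches are leads for triage rather than verdicts.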
Brolux may be Connected to a Chinese Group or State-Sponsored Attack
Brolux uses a mutex name in Chinese. The phishing website used by Brolux contains numerous writing errors, and two entire fields on one of the phishing pages are written in Chinese. One additional clue pointing to a Chinese connection is the code-signing certificate, which was issued to a Chinese company that may be associated with PUPs (Potentially Unwanted Programs) and several threat infections. The same certificate is associated with Venik, a Trojan used to target banks in Korea with a process very similar to the Brolux infection.
Protecting Yourself from Brolux
Malware like Brolux uses simple techniques to collect its victims' financial data; phishing websites and redirects are the classic way in which banking Trojans work. Computer users can prevent Brolux attacks by keeping their software fully up-to-date and their security programs always active. Computer users should also enable two-step login procedures and other authentication security measures. Taking extra care during the login process to confirm that the website being used is authentic rather than a phishing copy can alert computer users before their private data and login information are compromised and fall into the hands of con artists.