
Telax Banking Trojan

By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 12
First Seen: December 11, 2015
Last Seen: January 25, 2020
OS(es) Affected: Windows

The Telax Banking Trojan is a banking Trojan that abuses Google Cloud Servers as part of its attack. It is specifically designed to target Portuguese speakers located in Brazil. The infection uses Google Cloud Servers to host the first stage of the attack, the Telax Banking Trojan downloader, which enters the victim's computer and installs the Telax Banking Trojan itself. Brazil, historically, has been one of the top targets for banking Trojans and similar attacks.

The Consequences of a Telax Banking Trojan Attack

The Telax Banking Trojan is initially distributed using social engineering tactics, such as offering free software and coupons on social networks such as Twitter and Facebook, where shortened URLs lead to the Telax Banking Trojan downloader. Using bit.ly, an online URL shortening service, third parties may hide the Telax Banking Trojan URL, which leads to a threatening COM or EXE file hosted on a Google Cloud Server. Because of this, computer users should learn how to spot common tactics on social networks and avoid these free software and coupon offers, which may be part of social engineering hoaxes used to distribute the Telax Banking Trojan and similar components. The vast majority of Telax Banking Trojan victims are located in Brazil, most likely because the initial social engineering lure is written in Portuguese and designed to entice computer users from this region specifically. However, the attack could easily be adapted to other languages to target other parts of the world.
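The delivery chain described above (a shortener in a social-network post that resolves to a COM or EXE file on a cloud storage host) is easy to screen for at the point where links are shared or clicked. The script below is an added example for this page, not code from the Telax report or from any vendor; the shortener list, the cloud-host list, the bucket name and the redirect table are constructed for illustration, and a real deployment would resolve redirects with an HTTP HEAD request instead of the table. It generalises the page's bit.ly case to any public shortener and any generic cloud file host.

```python
"""Triage shared links for the shortener -> cloud host -> executable pattern.

Added example; not the Telax report's code.  Lists and sample data are
constructed assumptions, not indicators from the report."""
from urllib.parse import urlparse

# Constructed (assumption): public shorteners and generic cloud file hosts
# that any uploader can use.  Extend to match your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
CLOUD_HOSTS = {"storage.googleapis.com", "drive.google.com",
               "dl.dropboxusercontent.com"}
# Extensions that Windows will execute directly when double-clicked.
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".js", ".vbs")

# Constructed redirect table standing in for a live resolver (assumption).
SAMPLE_REDIRECTS = {
    "http://bit.ly/cupom-gratis":
        "https://storage.googleapis.com/example-bucket/cupom.com",
    "http://bit.ly/noticias":
        "https://www.example.org/noticias",
}


def expand(url, resolver=SAMPLE_REDIRECTS, max_hops=5):
    """Follow shortener hops via the resolver mapping; return the full chain."""
    chain = [url]
    while chain[-1] in resolver and len(chain) <= max_hops:
        chain.append(resolver[chain[-1]])
    return chain


def triage_link(url, resolver=SAMPLE_REDIRECTS):
    """Return the redirect chain, the findings and a verdict for one link."""
    chain = expand(url, resolver)
    first = urlparse(chain[0])
    final = urlparse(chain[-1])
    findings = []
    if first.hostname in SHORTENERS:
        findings.append("shortened-url")
    if final.hostname in CLOUD_HOSTS:
        findings.append("cloud-hosted")
    if final.path.lower().endswith(EXEC_EXTENSIONS):
        findings.append("executable-download")

    # An executable reached through a shortener or a generic cloud host is
    # the lure pattern itself; anything else with a finding goes to review.
    if "executable-download" in findings and len(findings) >= 2:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"chain": chain, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for link in ("http://bit.ly/cupom-gratis", "http://bit.ly/noticias",
                 "https://www.example.org/page.html"):
        print(link, "->", triage_link(link))
```

The verdict deliberately does not block on a shortener alone, since legitimate posts use them constantly; it is the combination of a hidden destination and a directly executable file that matches the lure the report describes.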

Dissecting the Telax Banking Trojan Infection

The Telax Banking Trojan is a Delphi executable file that is designed to collect online banking credentials. When the Telax Banking Trojan is executed, it injects corrupted code into the memory of the vbc.exe (Visual Basic Compiler) process. The Telax Banking Trojan will first make sure that it is not running in a sandbox or virtual environment, so as to avoid being studied by PC security researchers. Once the Telax Banking Trojan is executed, it may use rootkit techniques to remain persistent and undetectable on the victim's computer. It is this part of the attack that makes the Telax Banking Trojan particularly threatening when compared to other banking Trojans. The Telax Banking Trojan has a modular design that allows third parties to modify it to their needs. Known modules include components designed to interfere with or disable known anti-virus programs, install other threats and enable rootkit functions. Once the Telax Banking Trojan is installed, it allows third parties to gain full access to the victim's computer. The Telax Banking Trojan also establishes communication with a Command and Control server. The Telax Banking Trojan displays fake versions of banking websites, including components for displaying bogus two-factor authentication screens.
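Injection into vbc.exe leaves a footprint in process-creation telemetry: the legitimate compiler binary is started by something that is not a build tool, often from a user-writable location, and with no compiler arguments. The following is an added example for this page, not code from the Telax report; the events are constructed, the field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), and the list of expected build parents and the "no arguments" heuristic are assumptions to tune for your environment.

```python
"""Flag process-creation events where vbc.exe looks like an injection host
rather than a compiler run.  Added example; events are constructed."""
import ntpath

# Assumption: parents that legitimately launch the VB compiler.
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe",
                 "vbc.exe", "aspnet_compiler.exe"}
# Path fragments a build tool would not normally run from.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\",
                 "\\downloads\\", "\\programdata\\")
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

# Constructed Sysmon-style events (assumption, not indicators from the report).
SAMPLE_EVENTS = [
    {"Image": VBC,
     "ParentImage": r"C:\Users\ana\Downloads\cupom_desconto.exe",
     "CommandLine": '"%s"' % VBC},
    {"Image": VBC,
     "ParentImage": r"C:\Program Files (x86)\Microsoft Visual Studio"
                    r"\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": '"%s" /noconfig /out:App.dll Module1.vb' % VBC},
]


def arguments_after_image(cmdline):
    """Strip the (possibly quoted) image token and return what follows."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        rest = cmd[1:].split('"', 1)[1] if '"' in cmd[1:] else ""
    else:
        rest = cmd.split(" ", 1)[1] if " " in cmd else ""
    return rest.strip()


def assess_event(event):
    """Return the reasons an event fits the injection-host pattern."""
    if ntpath.basename(event["Image"]).lower() != "vbc.exe":
        return []
    reasons = []
    parent = event["ParentImage"]
    if ntpath.basename(parent).lower() not in BUILD_PARENTS:
        reasons.append("non-build-parent")
    if any(frag in parent.lower() for frag in USER_WRITABLE):
        reasons.append("parent-in-user-writable-path")
    if not arguments_after_image(event["CommandLine"]):
        # A real compile always receives source files and switches.
        reasons.append("no-compiler-arguments")
    return reasons


def scan(events):
    """Yield (event, reasons) for events with two or more reasons."""
    return [(e, r) for e in events if len(r := assess_event(e)) >= 2]


if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_EVENTS):
        print("suspicious vbc.exe start:", event["ParentImage"], reasons)
```

Two reasons are required before alerting because developers do occasionally invoke vbc.exe by hand from a terminal; a shell parent with no arguments is rare, but a shell parent with a full argument list is just someone compiling.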

Protect Yourself from the Telax Banking Trojan If You Are Brazilian

There is no question about it; the Telax Banking Trojan is specifically designed to target Brazilian computer users. New versions of the Telax Banking Trojan are being released regularly, each abusing Google Cloud Servers to host its payload. The latest version of the Telax Banking Trojan as of the writing of this report is 4.7. The Telax Banking Trojan does not use vulnerability exploits or exploit kits for its attack, relying completely on social engineering tactics that trick inexperienced computer users into downloading and executing the corrupted files themselves. Because of this, anti-virus programs and similar components are not as effective in preventing Telax Banking Trojan infections as they are with other threats. The best way to prevent a Telax Banking Trojan attack is education, ensuring that computer users learn how to spot social engineering scams on Facebook and Twitter.
