Brolux

By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 126
First Seen: October 19, 2015
Last Seen: November 24, 2021
OS(es) Affected: Windows

Brolux is a Trojan infection designed to target Japanese banks, and it has been detected actively attacking Japanese online banking websites. Brolux spreads by exploiting two different vulnerabilities: vulnerabilities in Flash and a vulnerability known as the 'unicorn bug,' an issue with Internet Explorer uncovered in 2014. Brolux is being distributed through a compromised website with adult content. This website may try to install a threatening, signed file that may try to collect the victim's information. Brolux is very similar to Aibatook, another Japanese banking Trojan that was recently active.

How the Brolux Infection Process Works

When the victim attempts to access the adult website associated with Brolux, two exploits attempt to attack the victim's computer: CVE-2014-6332, targeting Internet Explorer, and CVE-2015-5119, targeting Flash Player. Keeping all software on the computer fully up-to-date with the latest security patches prevents these vulnerabilities from being exploited. These vulnerabilities have been active for a while, but attacks on them can be prevented with good security practices. Brolux uses exploits that are slightly updated versions of these previous types of attacks. Brolux is not being used in conjunction with any popular exploit kits. Rather, the creators of Brolux implemented the exploits themselves. This version of the exploit was not obfuscated and was easily observable.

Once Brolux has used these exploits to gain access to the victim's computer, Brolux will download two configuration files. The first contains a large list of website addresses for Japanese Internet banks, while the second contains the browser window names for these addresses. Brolux simply monitors the victim's activities until they visit one of these Japanese banking websites. Brolux may affect the most popular Web browsers, including Internet Explorer, Mozilla Firefox and Google Chrome. Once Brolux detects that the victim has visited one of the websites on its configuration lists, it redirects the victim to a phishing website designed to look like the real one, so that the victim enters their password and login information into the fake website. The phishing websites associated with Brolux look authentic, asking for login information and asking security questions. Brolux references two important Japanese institutions: the Financial Services Agency and the Public Prosecutors Office.

Brolux may be Connected to a Chinese Group or State-Sponsored Attack

Brolux uses a mutex name in Chinese. The phishing website used by Brolux contains numerous writing errors, and two fields in one of the phishing pages are written entirely in Chinese. One additional clue regarding a Chinese connection is the certificate, which was awarded to a Chinese company that may be associated with PUPs (Potentially Unwanted Programs) and several threat infections. This certificate is also associated with Venik, a Trojan used to target banks in Korea with a process very similar to the Brolux infection.

Protecting Yourself from Brolux

Malware like Brolux uses simple techniques to collect its victims' financial data. Phishing websites and redirects are the classic way in which banking Trojans work. Computer users can prevent Brolux attacks by ensuring that their software is fully up-to-date and that their security programs are always active. Computer users should activate two-step login procedures and other authentication security measures. Taking extra care during the login process to ensure that the website being used is authentic rather than a phishing copy can alert computer users before their private data and login information become compromised and fall into the hands of con artists.
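
The redirect described above leaves a recognizable trace: a browser window whose title names a bank while the host serving it is not one of that bank's domains. The following is an added example, not taken from the original analysis, that checks browsing telemetry for that mismatch; the bank names, domains and the (URL, window title) event format are assumptions made for illustration.

```python
# Added example: flag visits whose window title claims a bank
# while the host is not one of that bank's own domains.
from urllib.parse import urlsplit

# Assumption: hypothetical bank names and domains; use a real allowlist in practice.
BANK_DOMAINS = {
    "Example Bank": {"examplebank.example"},
    "Sample Trust": {"sampletrust.example", "st-online.example"},
}

def host_belongs_to(host, domains):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    # Suffix match must start at a label boundary, otherwise
    # "evilexamplebank.example" would pass as "examplebank.example".
    return any(host == d or host.endswith("." + d) for d in domains)

def suspicious_visits(events):
    """Return (url, bank) pairs where the title names a bank but the host is foreign."""
    findings = []
    for url, title in events:
        host = urlsplit(url).hostname or ""
        for bank, domains in BANK_DOMAINS.items():
            if bank.lower() in title.lower() and not host_belongs_to(host, domains):
                findings.append((url, bank))
    return findings

# Constructed sample telemetry: (URL, window title) pairs.
SAMPLE_EVENTS = [
    ("https://login.examplebank.example/auth", "Example Bank - Sign in"),
    # Bank name used as a subdomain prefix of an unrelated domain.
    ("http://examplebank.example.login-check.test/auth", "Example Bank - Sign in"),
    ("https://st-online.example/", "Sample Trust Online"),
    # Bank-branded page served from a bare IP address.
    ("http://198.51.100.7/st/index.html", "Sample Trust Online"),
    ("https://news.example/", "Daily News"),
]

if __name__ == "__main__":
    for url, bank in suspicious_visits(SAMPLE_EVENTS):
        print(f"ALERT: title claims {bank!r} but host is not the bank's: {url}")
```
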
