The LoadPCBanker malware is a Banking Trojan that is suspected to be the work of Brazillian hackers. The LoadPCBanker Banking Trojan is known to focus on Brazillian PC users, and the program has not been encountered outside Brazil. The LoadPCBanker malware was discovered on April 23rd, 2019 when computer security analysts noticed unusual URL traffic from trusted Google domains. Threat actors exploited the lax security policies in the File Cabinet that is part of the Google Sites platform. The attackers created a simple site, uploaded a malware dropper in the File Cabinet and produced a URL. The File Cabinet service allows site owners to store documents and files related to their site without showing them on the created site. However, the site owners can generate links to the uploaded files.
Google Sites Exploited to Spread LoadPCBanker
That is how the LoadPCBanker team found a way to circumvent most security scanners. Exploiting the trusted status of the Google Sites domain — https://sites.google.com — the attackers succeeded in deploying a harmful file to unsuspecting users. The first attacks used URLs to a file called 'Reserva_Manoel_pdf.rar' that bears the name of a popular soccer player called Manoel Carvalho. The attackers use the name 'Manoel Carvalho' as it is recognizable among Brazilians and many people are likely to open the proposed file. The RAR archive contains what is presented as a PDF document titled 'PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.' If you enable Windows Explorer to show file extensions, you may notice that the full name is 'PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.exe.' In reality, the users are shown a program file, not a PDF document.
LoadPCBanker Functions as a Spyware and a Banking Trojan
The 'PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.exe.' dropper is written in Delphi programming language and delivers three files from a compromised page outside the Google Slides platform. The dropper module writes 'otlook.exe,' 'cliente.dll,' and 'libmySQL50.DLL' to a hidden folder under the AppData directory. The dropper component proceeds to delete logs in the WinINet cache regarding its transmissions and load 'otlook.exe' in the system memory. Once, loaded the process retrieves data from 'cliente.dll,' and 'libmySQL50.DLL' to begin its work. Security researchers warn that LoadPCBanker Trojan may be designed to collect banking credentials from online banking portals, but it is used as spyware primarily.
The LoadPCBanker Trojan monitors the clipboard for credit card numbers, potential passwords, crypto-coin wallet addresses, records screenshots and keyboard input. The malware is configured to download another file called 'dblog.log' from a remote Web page, which contains instructions regarding the command server. The remote command server features an SQL database that is used by the threat actors to store stolen data.
How to Detect the LoadPCBanker Trojan
PC users are unlikely to detect the LoadPCBanker Trojan with normal computer usage. However, they may receive notifications from social media services and email providers about new login locations associated with their Web accounts. Users that suspect their Web accounts may be compromised should take steps to report questionable activity to their service providers and seek to remove devices that may be used to hijack their accounts. Online support teams should help you regain control of your online identity, but you will need to run a complete system scan to remove the LoadPCBanker Trojan from your system.
Do You Suspect Your PC May Be Infected with LoadPCBanker & Other Threats? Scan Your PC with SpyHunterSpyHunter is a powerful malware remediation and protection tool designed to help provide PC users with in-depth system security analysis, detection and removal of a wide range of threats like LoadPCBanker as well as a one-on-one tech support service. Download SpyHunter's FREE Malware Remover
Security Doesn't Let You Download SpyHunter or Access the Internet?Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
- Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
- Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
- Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
- IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.
This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your PC. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.