SolarSys is a new Trojan threat that is being deployed against users located in Brazil. The region of South America and especially Brazil has been registering far more attack campaigns involving banking Trojan payloads than the rest of the world, and SolarSys does indeed have banking Trojan capabilities. As a whole, SolarSys is composed of several harmful components, each tasked with executing a different action on the compromised system.
The first module is designed to further propagate the banking Trojan: it harvests contact lists from the compromised user's computer and sends phishing emails with malware-laced attachments to those contacts. The email subjects are worded to sound important or urgent so that they catch the targets' attention, and recipients may not suspect anything is wrong because the sender appears to be someone they know. When the attachments are opened, they drop further corrupted payloads through template injection.
The second SolarSys module attempts to harvest data from the Google Chrome browser, including the user's browsing data and saved website login credentials.
The final module is the one responsible for stealing the user's banking information. It is delivered as a file named 'BOM.bin'. The banking Trojan monitors the websites visited by the compromised user and compares them against its list of targeted banks. When it finds a match, it displays an overlay with a fake login page, where the victim is prompted to enter login credentials that are then exfiltrated to the attackers. Among the banks impersonated by SolarSys are Banco Mercantil, Banco do Nordeste, CrediSIS, Banrisul, Safra, Banco do Brasil, Bradesco, Sicoob, Banco Itaú, Santander, Banco Inter, Banestes, Banpará and other Brazilian banking institutions.