
Trojan-Proxy.PowerShell

By GoldSparrow in Ransomware

Trojan-Proxy.PowerShell is a banking Trojan that uses PowerShell to change the settings of the victim's Web browser. Trojan-Proxy.PowerShell targets Internet Explorer's proxy settings so that it can steal money from the victim. Trojan-Proxy.PowerShell seems to be targeting only Brazilian banks at the moment. PC security analysts strongly advise computer users who interact with Brazilian banks to take extra steps to protect their computers with the help of a reliable, fully updated anti-malware program.

Trojan-Proxy.PowerShell Uses Microsoft PowerShell to Change Your Settings

Trojan-Proxy.PowerShell is a new banking Trojan, first observed in the summer of 2016. Trojan-Proxy.PowerShell uses Microsoft PowerShell to change the infected PC's local proxy settings. By doing this, Trojan-Proxy.PowerShell can redirect computer users to a different server, which displays bogus versions of their bank's Website. This allows con artists to gather the victims' online banking passwords, which can then be used to take money from the compromised accounts. Changing the infected computer's proxy settings is one of the most common tactics used by banking Trojans and has been part of their arsenal for several years. Traditionally, however, carrying out this attack required installing PAC (Proxy Auto-Config) files on the infected computer. Trojan-Proxy.PowerShell's method is different: it uses Microsoft PowerShell, a task automation utility for Microsoft Windows that was recently released as open source for both Mac and Linux, to change the victim's proxy settings directly, without installing a PAC file on the infected computer.

How Trojan-Proxy.PowerShell may be Delivered

Trojan-Proxy.PowerShell is distributed as an attachment to certain spam email messages. Trojan-Proxy.PowerShell is delivered in a PIF file. The email messages used to distribute the corrupted files containing Trojan-Proxy.PowerShell claim that the PIF attachment is a receipt from a mobile phone company. When victims open the compromised email attachment, the installed Trojan starts PowerShell and changes Internet Explorer's local proxy settings. Computer users who use applications other than Internet Explorer are also affected by Trojan-Proxy.PowerShell, because all major Web browsers except Mozilla Firefox use Internet Explorer's proxy settings to configure their own Internet connections. As a result, when computer users try to connect to their online banking Website through a Web browser on the infected system, the request is sent to the threat creators' server, which delivers a fake version of the banking Website that records the victim's password and account information.
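Because the proxy settings the article describes are the per-user WinINET settings that Internet Explorer and most other browsers read from the registry, a defender can audit them directly. The following PowerShell script is an added example, not code from the article or from the threat; it reads those settings and flags a manual proxy or auto-config URL that does not match an expected baseline (the baseline values are assumptions to adjust for your environment).

```powershell
# Added audit example (not from the original article): report the WinINET
# per-user proxy settings that Internet Explorer, and the browsers that
# inherit its configuration, actually use. A banking Trojan of the kind
# described above leaves a non-empty ProxyServer or AutoConfigURL here.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxyState {
    # Returns an object describing the current per-user proxy configuration.
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        ProxyEnable   = [int]($p.ProxyEnable)       # 1 = manual proxy switched on
        ProxyServer   = [string]$p.ProxyServer      # host:port or proto=host:port;...
        AutoConfigURL = [string]$p.AutoConfigURL    # PAC file location, if any
        ProxyOverride = [string]$p.ProxyOverride    # bypass list
    }
}

function Test-WinInetProxyState {
    param(
        # Assumption: the approved proxy for this environment, if any.
        # Empty strings mean "no proxy and no PAC file expected".
        [string]$ExpectedProxyServer = '',
        [string]$ExpectedAutoConfigURL = ''
    )
    $s = Get-WinInetProxyState
    $findings = @()
    if ($s.ProxyEnable -eq 1 -and $s.ProxyServer -ne $ExpectedProxyServer) {
        $findings += "Manual proxy enabled and set to '$($s.ProxyServer)' (expected '$ExpectedProxyServer')"
    }
    if ($s.AutoConfigURL -and $s.AutoConfigURL -ne $ExpectedAutoConfigURL) {
        $findings += "Proxy auto-config URL set to '$($s.AutoConfigURL)'"
    }
    # A proxy given as a bare IP address rather than a known corporate hostname
    # deserves a closer look: the Trojan above routes traffic to an attacker server.
    if ($s.ProxyServer -match '^(\d{1,3}\.){3}\d{1,3}(:\d+)?$') {
        $findings += "ProxyServer is a bare IP address: $($s.ProxyServer)"
    }
    [pscustomobject]@{
        State      = $s
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

$result = Test-WinInetProxyState
$result.State | Format-List
if ($result.Suspicious) { $result.Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No unexpected WinINET proxy configuration found.' }
```

Run it in the context of the user whose browser is affected, since the settings live under HKCU and differ per user account.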

Trojan-Proxy.PowerShell Attacks Are Currently Targeting Banks in Brazil

The fake versions of the targeted banking Websites are hosted on a server in the Netherlands. Currently, at least four Brazilian banks are being targeted by the Trojan-Proxy.PowerShell attack. It is likely that the Trojan-Proxy.PowerShell attack is focusing on these banks specifically because of the Rio Olympic Games. However, the attack may start targeting banks in other countries after Brazil stops being in the world's spotlight. Trojan-Proxy.PowerShell only targets computers where Brazilian Portuguese (PTBR) is set as the operating system's default language.

A variety of threats have increased their activity in Brazil, undoubtedly because of the Rio Olympics. Some examples include the Sphinx banking Trojan and a Brazilian variant of a banking Trojan known as Panda. PC security analysts advise exercising caution when dealing with any content relating to Brazil while the Olympics are underway, and using a reliable security program at all times.
