Brazilian banking Trojan disguised as Microsoft anti-virus software


A Trojan (identified as Trojan-Downloader.Win32.VB.aoff) is targeting Windows-based systems by removing built-in AV software and clearing a path for cybercriminals to silently steal online banking credentials. The Trojan affects 'ntldr', the default boot loader in Windows. The Trojan propagates as an email attachment. This attack vector relies on the victim clicking on the malicious link, which then downloads two malicious files from AWS. The malicious files are "xp-msantivirus" and "xp-masclean", which worm their way to the boot loader (ntldr). They replace the boot loader file with a malicious version of GRUB; ntldr then boots into Linux or UNIX to remove a common Brazilian banking plug-in while at the same time removing the in-built Microsoft security software. This action occurs as the computer starts up and automatically erases itself, so the victim has no idea their Windows PC is infected.
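One defender-side check for the boot loader tampering described above, as an added example (not code from the article or from any analysis of this Trojan): compare the ntldr file against a hash baseline taken from a clean system, and scan it for the message strings that GRUB legacy embeds in its stage1 boot code. The sample bytes and the marker list are constructed assumptions for illustration, not signatures from the page.

```python
"""Integrity check for the Windows boot loader file (ntldr).

Two findings catch a replaced boot loader: (1) the file's SHA-256 no longer
matches a baseline recorded on a clean system, and (2) the file carries
strings a genuine ntldr would not, such as GRUB legacy's stage1 message
table (an assumed heuristic, not a vendor-published indicator).
"""
import hashlib

# Strings GRUB legacy's stage1 boot code embeds (assumed heuristic markers).
GRUB_MARKERS = (b"GRUB", b"Geom", b"Hard Disk", b"Read", b" Error")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_bootloader(data: bytes, baseline_sha256: str) -> dict:
    """Return findings for a boot loader image against a clean baseline hash."""
    findings = {
        "hash_match": sha256(data) == baseline_sha256,
        "grub_markers": [m.decode() for m in GRUB_MARKERS if m in data],
        # 0x55AA at offset 510 marks a boot-sector-style image.
        "has_boot_signature": len(data) >= 512 and data[510:512] == b"\x55\xaa",
    }
    findings["suspicious"] = (not findings["hash_match"]) or bool(findings["grub_markers"])
    return findings


# Constructed samples (not real ntldr or GRUB bytes) so the check runs offline.
CLEAN_NTLDR = b"\xeb\x3c\x90" + b"NTLDR sample body " * 8
BASELINE = sha256(CLEAN_NTLDR)  # recorded on the clean system
TAMPERED = b"\xeb\x48\x90" + b"\x00" * 300 + b"GRUB \x00Geom\x00Hard Disk\x00Read\x00 Error\x00"
TAMPERED = TAMPERED.ljust(510, b"\x00") + b"\x55\xaa"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_NTLDR), ("tampered", TAMPERED)):
        print(name, check_bootloader(blob, BASELINE))
```

On a live system, feed `check_bootloader` the bytes of the boot loader file (for example `C:\ntldr`) together with the baseline hash recorded before deployment; a mismatch with GRUB markers present is the pattern the Trojan above would leave behind.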

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023