Exploit This

Security News, Exploits, and Vulnerabilities.

The Rush for Windows 10 Infects PCs with Spy Trojan

no-image

Due to the high demand for Windows 10, Microsoft is releasing it gradually. This especially applies to certain countries. The official Microsoft Brazil website confirms it (left image). Cybercriminals from Brazil have taken advantage of this and are running a spam campaign identical to the official design offering a fake option for users to “get your copy now”. (right image)

win_1

When the victim clicks on “Instalador Windows 10″ (Windows 10 Installer), it downloads to the system encoded VBE script:

win_2
win_3

This is a base64 encoded script, using legit Motobit software for encoding:

win_4

Once running, it drops the main trojan-spy component into the system. They also use funny Brazilian portuguese slang right inside of the code.

win_5

The dropped main banker module contains functionality to steal data from keystrokes and the clipboard. Additionally, it has backdoor capabilities for remote sessions and several anti-VM, debugging techniques.

Kaspersky Anti-Virus detects the initial VBE script as Trojan-Downloader.VBS.Agent.aok

Recently we noticed a big increase of VBS/VBE malware in Brazil, my colleague Fabio Assolini is working on a blogpost about a VBE malware widely spread in Brazil now.

Leave a Reply

%d bloggers like this: