
Trojan-Proxy.PowerShell

Trojan-Proxy.PowerShell is a banking Trojan that uses a slightly different attack method from the other banking Trojans we’ve seen in recent years. Usually, Trojans of this type work by modifying the Proxy Auto-Config file to redirect users to corrupted websites and phishing pages that may collect their account information. Instead, Trojan-Proxy.PowerShell uses Windows PowerShell to create an automatic task that changes Internet Explorer’s proxy settings. The fact that it changes Internet Explorer’s settings doesn’t mean that only users of this Web browser will be affected! All popular Web browsers except for Mozilla Firefox use these settings, which means that users of Chrome, Opera, and Edge may also be affected by these changes. The modified proxy settings detect when users attempt to visit a particular website that is linked to a banking institution and take the user to a fake banking portal whose design is the same as that of the original page. When users enter their credentials on the fake website, they unknowingly provide cyber con artists with their bank account information.

Trojan-Proxy.PowerShell is distributed via spam e-mail attachments, and the version analyzed by malware experts seems to target only Brazilian residents. Its corrupted payload is usually stored in a PIF file that is disguised as a receipt from a mobile operator. When users execute the PIF file, they may unknowingly unleash Trojan-Proxy.PowerShell on their computers and give it the chance to modify their Internet Explorer proxy settings. Trojan-Proxy.PowerShell automatically checks whether the computer’s language is set to PTBR (Brazilian Portuguese), and only proceeds with the attack if this requirement is met.
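One way to audit a Windows host for the changes described above, as an added example that is not part of the original post: it reads the current user's proxy values and lists scheduled tasks whose action launches PowerShell or references those values. The registry path and value names are the standard Windows Internet Settings locations rather than details taken from this analysis, and the allow-list entry is a placeholder.

```powershell
# Added audit example (not from the original post). Read-only: it changes nothing.
# Requires Windows 8 / Server 2012 or later for Get-ScheduledTask.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Per-user proxy values shared by Internet Explorer, Chrome, Opera and Edge.
$inet  = Get-ItemProperty -Path $key
$proxy = [pscustomobject]@{
    User          = "$env:USERDOMAIN\$env:USERNAME"
    ProxyEnable   = [bool]$inet.ProxyEnable
    ProxyServer   = $inet.ProxyServer
    AutoConfigURL = $inet.AutoConfigURL
}
$proxy | Format-List

# Assumption: $ApprovedProxies is your own allow-list (placeholder value below).
$ApprovedProxies = @('proxy.corp.example:8080')
if ($proxy.ProxyEnable -and $proxy.ProxyServer -notin $ApprovedProxies) {
    Write-Warning "Unapproved ProxyServer: $($proxy.ProxyServer)"
}
if ($proxy.AutoConfigURL) {
    Write-Warning "AutoConfigURL is set: $($proxy.AutoConfigURL) (confirm it is expected)"
}

# 2. Scheduled tasks whose action starts PowerShell or mentions the proxy values.
#    A match is a lead for review, not proof of infection.
$pattern = 'powershell|pwsh|Internet Settings|ProxyServer|AutoConfigURL'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute/Arguments and yield an empty string.
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $pattern) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                State   = $task.State
                RunAs   = $task.Principal.UserId
                Command = $cmd
            }
        }
    }
} | Format-List
```

Run it in the affected user's session, because the proxy values live in that user's registry hive.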



This post first appeared on SpywareRemove.
