Trojan that steals banking data targets Brazilians, says IBM

Researchers at IBM have discovered new malware targeting Brazilian users. MnuBot, as it is called, is a trojan created to steal bank data by constantly monitoring the activities performed on the infected PC. In addition to recording everything typed, the malicious software is able to take screenshots, uninstall programs and even restart the system. All of this can be done remotely, under instructions from the criminal behind the scam.

Another feature of MnuBot is that it is difficult to detect. The malware manages to mask its traffic, evading the antivirus installed on the user's computer and preventing authorities from reverse engineering it to find out who the perpetrators are.

MnuBot used to steal bank data, warns IBM. Photo: Arte / dnetc

The way MnuBot operates is noteworthy, as it receives commands from a Microsoft SQL server. In contrast, most common Trojans obtain instructions from a web server or IRC. As a result, the malware's traffic can go unnoticed by the antivirus installed on the PC, and the user is not notified of the security risk. Another interesting factor is that its construction is quite sophisticated for software developed in the Delphi programming language.

Once installed on the machine, MnuBot can spy on the system completely. It creates a workspace and, from it, is able to monitor which window is in the foreground. When it detects that the victim is about to access a bank's website, it informs the criminal of the action. It then waits for further instructions to steal the victim's bank details.

  • Simulate and monitor clicks;
  • Run keylogger and simulate typing;
  • Take screenshots (print screen);
  • Uninstall applications;
  • Retrieve the latest version of documents;
  • Restart the system

How to know you've been infected

As soon as MnuBot is installed, it looks for the "AppData\Roaming" folder on the PC and, if it is not present, the Trojan creates it without the user knowing. Thus, the main sign that the computer has been infected is a file called "Desk.txt" in that folder.

After this step, MnuBot installs an executable called "Neon.exe", located at "C:\Users\Public\Neon.exe". This component is responsible for giving the criminal remote access to the victim's computer.
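The two file indicators above can be checked across every user profile on a machine. The sketch below is an added example, not code from IBM or the original article; the function names and the default "C:\Users" root are assumptions, and a file name match is only a lead for triage, so the script records size, modification time and SHA-256 for follow-up.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path

# Indicators as named in the article, relative to the Users directory.
PER_USER_INDICATOR = Path("AppData") / "Roaming" / "Desk.txt"
PUBLIC_INDICATOR = Path("Public") / "Neon.exe"


def _describe(path, indicator):
    """Collect triage metadata for a file that matches an indicator."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "indicator": indicator,
        "path": str(path),
        "size": st.st_size,
        "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": digest.hexdigest(),
    }


def sweep_users_dir(users_dir):
    """Return one finding per indicator file present under users_dir."""
    users_dir = Path(users_dir)
    candidates = [(users_dir / PUBLIC_INDICATOR, "Neon.exe")]
    if users_dir.is_dir():
        # Check every profile, not only the account running the sweep.
        for profile in sorted(p for p in users_dir.iterdir() if p.is_dir()):
            candidates.append((profile / PER_USER_INDICATOR, "Desk.txt"))
    findings = []
    for path, indicator in candidates:
        try:
            if path.is_file():
                findings.append(_describe(path, indicator))
        except OSError as exc:  # e.g. profile not readable by this account
            findings.append({"indicator": indicator, "path": str(path), "error": str(exc)})
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users"  # assumed default
    for finding in sweep_users_dir(root):
        print(finding)
```

Run it from an account that can read all profiles, otherwise some per-user folders are skipped or reported with an error entry.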

IBM did not provide further details on how the Trojan is spreading among users. The general recommendation is to avoid downloading email attachments and clicking on links sent by strangers. In addition, it is worth remembering to keep the antivirus and operating system always up to date for greater security.

Via Security Intelligence and Bleeping Computer