Invoice Spam Campaign Drops Banking Trojan


Trend Micro is warning about a new malware family, TROJ_WERDLOD, a banking Trojan that targets users in Japan. It was first seen in December 2014 and has infected more than 400 machines. What makes this malware interesting is that it reconfigures the victim's machine and installs a malicious root certificate so that the user notices nothing while browsing online banking sites.

TROJ_WERDLOD starts working immediately, with no reboot required, so opening the malicious file is enough to infect the machine. Once running, it hooks into memory on the infected system. Its first action is to reconfigure the victim's machine to use an external proxy controlled by the cybercriminals: every browser installed on the system is pointed at that proxy. The Trojan then adds a fake root certificate to the trusted store, which lets the attacker perform a man-in-the-middle attack on HTTPS sessions without the browser showing any error message, so the victim has no reason to suspect that anything is wrong.

The same technique was used in an earlier campaign called Operation Emmental. According to Trend Micro, the attackers start by sending spam messages with an attached .RTF document that carries the Trojan. When the attachment is opened and the malware runs, it modifies the registry keys that hold the victim machine's proxy settings.

Spam email with the malicious attachment (image: Trend Micro)


The malware supports all major browsers, including Internet Explorer, Google Chrome and Mozilla Firefox, which shows that it has been tested and adapted to work against any user. Adding a root certificate normally triggers a Windows security warning that the user has to accept; the Trojan clicks Yes on that dialog itself, so the change goes unnoticed. Once the rogue root is trusted, visiting the bank's website through the attacker's proxy produces no certificate error at all.

From then on, the Trojan routes the victim's banking sessions through the attacker's proxy with no further visible changes on the machine, giving the cybercriminals access to all sensitive data exchanged with the bank.
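The two changes described above, a browser proxy pointing at an outside host and a root certificate the victim never asked for, both leave artifacts that can be checked from the infected user's session. The script below is an added example written for this article, not code from Trend Micro or from the malware analysis; it audits the WinINET proxy settings that Internet Explorer and Chrome use, the Firefox proxy preferences in prefs.js, and any root certificate trusted by the current user but not by the machine store. The profile path and the preference names are standard Firefox locations; everything else is assumed for the example.

```powershell
# Added example: audit a Windows host for proxy hijack and user-added root CA artifacts.
# Not code from Trend Micro or the TROJ_WERDLOD write-up. Run as the affected user.

$Findings = New-Object System.Collections.Generic.List[string]

# --- 1. WinINET proxy settings (used by Internet Explorer and Google Chrome) ---
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
if ($ie.ProxyEnable -eq 1 -and $ie.ProxyServer) {
    $Findings.Add("WinINET proxy enabled: $($ie.ProxyServer)")
}
if ($ie.AutoConfigURL) {
    # A PAC script is another way to silently redirect browser traffic.
    $Findings.Add("WinINET PAC script configured: $($ie.AutoConfigURL)")
}

# --- 2. Firefox keeps its own proxy configuration in each profile's prefs.js ---
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profiles) {
    Get-ChildItem -Path $profiles -Directory | ForEach-Object {
        $prefs = Join-Path $_.FullName 'prefs.js'
        if (Test-Path $prefs) {
            # Lines look like: user_pref("network.proxy.type", 1);
            Select-String -Path $prefs -Pattern '^user_pref\("network\.proxy\.(type|http|ssl|autoconfig_url)",\s*(.+)\);' |
                ForEach-Object {
                    $name  = $_.Matches[0].Groups[1].Value
                    $value = $_.Matches[0].Groups[2].Value
                    $Findings.Add("Firefox network.proxy.$name = $value in $prefs")
                }
        }
    }
}

# --- 3. Root certificates trusted by the current user but absent from the machine store ---
# A root CA that a user-level process added (as the Trojan does) shows up here; the
# built-in roots that ship with Windows are all present in LocalMachine\Root.
$machineRoots = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $machineRoots -notcontains $_.Thumbprint } |
    ForEach-Object {
        $Findings.Add("User-only root CA: $($_.Subject) valid from $($_.NotBefore.ToShortDateString()) thumbprint $($_.Thumbprint)")
    }

# --- 4. Report ---
if ($Findings.Count -eq 0) {
    'No proxy or user-root-CA anomalies found.'
} else {
    $Findings | ForEach-Object { "[!] $_" }
}
```

A hit in section 1 or 2 on a machine that should not use a proxy at all, combined with a hit in section 3, is exactly the pattern this Trojan leaves. Two caveats: Firefox trusts its own certificate database rather than the Windows store, so section 3 says nothing about what Firefox will accept, and a legitimately deployed corporate proxy or inspection CA will also be reported, so compare the output against your known configuration rather than treating every line as an infection.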

To avoid being infected with TROJ_WERDLOD, never open files or emails from untrusted sources, keep your security software's definitions up to date, and use an administrator account only for system changes you have already planned and approved.