The attack starts with a spoofed email that claims to come from the Ministry of Finance in Turkey (FROM: “MALIYE BAKANLIGI” <bilgi@maliye.gov.tr>). Below is the translated email (courtesy of Google Translate):
The RAR archive attachment, which supposedly holds a list of cars for sale, actually contains a file with a .COM extension. A “list of vehicles for sale” delivered as a .COM executable rather than as a document file is suspicious and should alert most users, but the senders are counting on the users who open it anyway.
When the file is executed, it installs a banking Trojan on the system. The Trojan creates the following files, which are used to capture keystrokes and take screenshots, and which we detect as W32/Banker2.NT:
- %systemdir%\javascheds.exe
- %systemdir%\drivers\ie_plugin.exe
The stolen information was then uploaded to the FTP site “ftp.winsystem9—–pic.de”.
We tested the effectiveness of the Trojan by accessing a Turkish banking site. These are the screenshots that the Trojan would upload to the FTP site, along with the keylogger text file.
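A small triage script built around the indicators given above (the executable hidden in the “vehicle list” archive, the two dropped files in the system directory, and the FTP exfiltration host), as an added example that is not part of the original post. The proxy/firewall log format, the archive listings and the host file listings are assumptions constructed for the example; the exfiltration host is only partially visible in the post, so the script matches on the visible prefix and domain suffix rather than on a full hostname.

```python
"""Triage helpers for the W32/Banker2.NT campaign described above.

Added example, not code from the original post. Indicators (dropped file
names, exfiltration host fragment) come from the post; every log line and
file listing here is constructed for illustration.
"""
import ntpath
import os
import re

# Extensions that have no business carrying "a list of vehicles for sale".
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}

# Files the Trojan drops, relative to the Windows system directory (from the post).
DROPPED_FILES = (
    "javascheds.exe",
    r"drivers\ie_plugin.exe",
)

# The post shows the FTP host redacted as "ftp.winsystem9[...]pic.de", so we
# match the visible prefix and suffix only (assumption: the middle part varies).
EXFIL_HOST_PATTERN = re.compile(r"^ftp\.winsystem9.*pic\.de$", re.IGNORECASE)

# Assumed log format: "<date> <time> <src_ip> <protocol> <dst_host> <action>"
LOG_LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+)$")


def suspicious_attachment_members(member_names):
    """Return archive members whose final extension is executable.

    Catches both a bare 'list.com' and a double extension such as
    'car_list.doc.com' that relies on the user only reading the first part.
    Works on member names from any archive lister (e.g. 'unrar l' output).
    """
    flagged = []
    for name in member_names:
        base = ntpath.basename(name.replace("/", "\\"))
        _, ext = os.path.splitext(base)
        if ext.lower() in EXECUTABLE_EXTENSIONS:
            flagged.append(name)
    return flagged


def dropped_file_hits(present_paths, system_dir=r"C:\Windows\System32"):
    """Given full paths present on a host (from a file listing), return the
    Trojan's dropped files that are among them. Comparison is case-insensitive
    because NTFS is."""
    wanted = {ntpath.join(system_dir, f).lower() for f in DROPPED_FILES}
    return sorted(p for p in present_paths if p.lower() in wanted)


def ftp_exfil_events(log_lines):
    """Return (timestamp, src_ip, host) for FTP sessions to the exfil host.

    Lines that do not fit the assumed format are skipped rather than raising,
    so a partially corrupted log still yields the hits it contains.
    """
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, src, proto, host, _action = m.groups()
        if proto.lower() == "ftp" and EXFIL_HOST_PATTERN.match(host):
            hits.append((ts, src, host))
    return hits


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    members = ["Satilik Araclar.doc.com", "readme.txt"]
    print("suspicious attachment members:", suspicious_attachment_members(members))

    listing = [
        r"C:\Windows\System32\javascheds.exe",
        r"C:\Windows\System32\drivers\ie_plugin.exe",
        r"C:\Windows\System32\notepad.exe",
    ]
    print("dropped files present:", dropped_file_hits(listing))

    log = [
        "2008-01-01 10:00:00 10.0.0.5 ftp ftp.winsystem9xxxxpic.de allow",
        "2008-01-01 10:00:01 10.0.0.5 http www.example.com allow",
    ]
    print("exfil events:", ftp_exfil_events(log))
```

Any one of the three checks is a weak signal on its own (a legitimate .COM utility, a stale log entry), but a host that has both dropped files and an FTP session to the exfiltration domain is a high-confidence match for this Trojan, and the attachment check belongs at the mail gateway where it stops the lure before a user can run it.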