Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Turkey Ministry of Finance vehicle sale – leads to banking Trojan

The attack starts with a spoofed email which claims to be from the Ministry of Finance in Turkey (FROM: “MALIYE BAKANLIGI”<[email protected]>). Below is the translated email (courtesy of Google translate):

The RAR archive attachment which seems to include the list of cars for sale, actually contains a file with a .com extension. The fact that the list of vehicles for sale is in the ‘.COM’ file and not in the form of a document file is suspicious and should alert most users, but the senders are counting on those users that open it anyway.

When the file is executed, it installs a banking Trojan on the system. It creates the following files that are used to capture keystrokes and take snapshots which we detect as W32/Banker2.NT:

  • %systemdir%javascheds.exe
  • %systemdir%driversie_plugin.exe

The Stolen information was then uploaded to the FTP site “ftp.winsystem9—–”.

We tested the effectiveness of the Trojan by accessing a Turkish banking site. This is the images that would be uploaded by the Trojan to the FTP site along with the keylogger text file.

You might also like

Phishing with QR codes

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...