Turkey Ministry of Finance vehicle sale – leads to banking Trojan

The attack starts with a spoofed email which claims to be from the Ministry of Finance in Turkey (FROM: “MALIYE BAKANLIGI” <bilgi@maliye.gov.tr>). Below is the translated email (courtesy of Google Translate):

The RAR archive attachment, which appears to contain the list of cars for sale, actually contains a file with a .com extension. A list of vehicles for sale delivered as a ‘.COM’ executable rather than as a document file is suspicious and should alert most users, but the senders are counting on those users who open it anyway.

When the file is executed, it installs a banking Trojan on the system. It creates the following files, which are used to capture keystrokes and take screen snapshots, and which we detect as W32/Banker2.NT:

  • %systemdir%\javascheds.exe
  • %systemdir%\drivers\ie_plugin.exe

The stolen information was then uploaded to the FTP site “ftp.winsystem9—–pic.de”.

We tested the effectiveness of the Trojan by accessing a Turkish banking site. These are the images that would be uploaded by the Trojan to the FTP site, along with the keylogger text file.
