Select Page

Cyren Security Blog

Turkey Ministry of Finance vehicle sale – leads to banking Trojan

The attack starts with a spoofed email which claims to be from the Ministry of Finance in Turkey (FROM: “MALIYE BAKANLIGI”<[email protected]>). Below is the translated email (courtesy of Google translate):

The RAR archive attachment which seems to include the list of cars for sale, actually contains a file with a .com extension. The fact that the list of vehicles for sale is in the ‘.COM’ file and not in the form of a document file is suspicious and should alert most users, but the senders are counting on those users that open it anyway.

When the file is executed, it installs a banking Trojan on the system. It creates the following files that are used to capture keystrokes and take snapshots which we detect as W32/Banker2.NT:

  • %systemdir%javascheds.exe
  • %systemdir%driversie_plugin.exe

The Stolen information was then uploaded to the FTP site “ftp.winsystem9—–pic.de”.

We tested the effectiveness of the Trojan by accessing a Turkish banking site. This is the images that would be uploaded by the Trojan to the FTP site along with the keylogger text file.

You might also like

Square Enix Phishing Campaign

From July 20 until August 16, 2021, Cyren observed a significant increase in the number of Square Enix phishing URLs. The campaign coincided with 14 days of free play announced by Square Enix on July 12, 2021. During this period, we detected a total of 47,076 URLs for...