Cyren Security Blog

Turkey Ministry of Finance vehicle sale – leads to banking Trojan

The attack starts with a spoofed email claiming to come from the Ministry of Finance in Turkey (FROM: “MALIYE BAKANLIGI” <[email protected]>). Below is the email, translated with Google Translate:

The RAR archive attachment, which supposedly contains the list of cars for sale, actually contains a file with a .com extension. A “list of vehicles for sale” delivered as a ‘.COM’ executable rather than as a document file is suspicious and should alert most users, but the senders are counting on the users who open it anyway.

When the file is executed, it installs a banking Trojan on the system. It creates the following files, which we detect as W32/Banker2.NT and which are used to capture keystrokes and take screenshots:

  • %systemdir%\javascheds.exe
  • %systemdir%\drivers\ie_plugin.exe

The stolen information was then uploaded to the FTP site “ftp.winsystem9—–pic.de”.

We tested the effectiveness of the Trojan by accessing a Turkish banking site. These are the images that the Trojan would upload to the FTP site, along with the keylogger text file.
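The two warning signs in this post, an executable posing as a document inside the attachment and the dropped binaries later uploading to an FTP site, can both be turned into simple triage checks. The script below is an added example and is not Cyren's code or part of the original post. It works only on constructed inputs embedded in the file: the archive listing, the host log line format, and the expansion of %systemdir% to C:\Windows\System32 are all assumptions; only the two dropped file names come from the post.

```python
"""Triage checks built from the indicators described in the post (added example).

All inputs are constructed. The log line format and the %systemdir%
expansion are assumptions, not the output of any real product.
"""
import re
from pathlib import PureWindowsPath

# File types Windows runs directly. A "list of cars for sale" arriving as one of
# these, rather than as a document, is the warning sign the post describes.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Files the post reports the Trojan dropping, written as on the page.
DROPPED_FILES = [r"%systemdir%\javascheds.exe", r"%systemdir%\drivers\ie_plugin.exe"]

# Assumption: %systemdir% resolves to the default System32 location.
SYSTEMDIR = r"C:\Windows\System32"

# Constructed inputs (hypothetical names, not from the post).
SAMPLE_ARCHIVE_LISTING = [
    "Satilik_Arac_Listesi.com",      # executable where a document was expected
    "Satilik_Arac_Listesi.pdf.com",  # document extension hiding an executable
    "Ekler/notlar.txt",              # harmless text file
]
SAMPLE_HOST_LOG = [
    r"FileCreate path=C:\Windows\System32\javascheds.exe proc=Satilik_Arac_Listesi.com",
    r"FileCreate path=C:\Windows\System32\drivers\ie_plugin.exe proc=Satilik_Arac_Listesi.com",
    r"FileCreate path=C:\Users\ayse\Documents\notlar.txt proc=notepad.exe",
    r"NetConnect proc=C:\Windows\System32\javascheds.exe dst=ftp.example.invalid:21",
    r"NetConnect proc=C:\Windows\System32\svchost.exe dst=update.example.invalid:443",
]

FILE_EVENT = re.compile(r"^FileCreate\s+path=(?P<path>\S+)\s+proc=(?P<proc>\S+)$")
NET_EVENT = re.compile(r"^NetConnect\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+):(?P<port>\d+)$")


def flag_archive_members(member_names):
    """Return (name, reason) pairs for archive members a user should not open as a document."""
    findings = []
    for name in member_names:
        # suffixes() yields every extension, e.g. 'a.pdf.com' -> ['.pdf', '.com']
        suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
        if not suffixes:
            continue
        last = suffixes[-1]
        if last in EXECUTABLE_EXTENSIONS:
            if any(s in DOCUMENT_EXTENSIONS for s in suffixes[:-1]):
                findings.append((name, "document extension masking an executable"))
            else:
                findings.append((name, f"executable attachment ({last})"))
    return findings


def match_host_events(lines):
    """Return alert strings for writes of the dropped files and FTP egress by them."""
    dropped = {p.lower().replace("%systemdir%", SYSTEMDIR.lower()) for p in DROPPED_FILES}
    dropped_names = {PureWindowsPath(p).name for p in dropped}
    alerts = []
    for line in lines:
        line = line.strip()
        m = FILE_EVENT.match(line)
        if m and m["path"].lower() in dropped:
            alerts.append(f"dropped file written: {m['path']} by {m['proc']}")
            continue
        m = NET_EVENT.match(line)
        if m:
            proc_name = PureWindowsPath(m["proc"]).name.lower()
            # The post describes the stolen data leaving over FTP (port 21).
            if m["port"] == "21" and proc_name in dropped_names:
                alerts.append(f"FTP upload from dropped binary {proc_name} to {m['dst']}")
    return alerts


if __name__ == "__main__":
    for name, reason in flag_archive_members(SAMPLE_ARCHIVE_LISTING):
        print(f"attachment: {name}: {reason}")
    for alert in match_host_events(SAMPLE_HOST_LOG):
        print(f"host: {alert}")
```

The archive check runs on a file listing alone, so it can sit at the mail gateway before anything is extracted; the host check needs file-creation and connection telemetry from the endpoint, and the port-21 condition is deliberately narrow to the behaviour the post observed rather than a general FTP ban.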
