TrojanProxy:JS/Banker.M

TrojanProxy:JS/Banker.M is a JavaScript trojan that intercepts communication between an infected computer and certain online banking websites, resulting in the possible theft of logon credentials or other sensitive information.

Installation

TrojanProxy:JS/Banker.M may be installed by other malware as an automatic proxy configuration script.

Payload

Steals sensitive information

TrojanProxy:JS/Banker.M monitors user access of the following sites in its effort to steal logon credentials and other sensitive information:

• 161.113.4.71
• 170.66.11.10
• 193.32.34.107
• 199.67.180.39
• 200.220.178.3
• 201.20.136.5
• 201.77.87.14
• americanexpress.com.br
• bancobradesco.com.br
• bancoitau.com.br
• bancosantander.com.br
• bb.com.br
• bradesco.com.br
• caixa.com.br
• caixaeconomica.com.br
• cef.com.br
• citibank.com
• citibank.com.br
• credicard.com.br
• hotmail.com
• hotmail.com.br
• hsbc.com
• hsbc.com.br
• hsbcbank.com.br
• hsbcpremier.com.br
• itau.com.br
• itaupersonnalite.com.br
• latinamerica.citibank.com
• login.live.com
• pagseguro.uol.com.br
• paypal.com
• paypal.com.br
• real.com.br
• santander.com.br
• santanderempresarial.com.br
• santandernet.com.br
• santandernetibe.com.br
• serasa.com.br
• serasaexperian.com.br
• sicredi.com.br
• tam.com.br

Please note that this list is not exhaustive.

If the affected user is observed visiting any of the above listed sites, the trojan redirects the traffic request through a specific proxy server, selected by the trojan author. This could result in the possible theft of logon credentials or other sensitive information.

Listed below are known IP address of trojan proxy servers:

• 216.245.220.24 port 1023
• 186.202.61.89 port 80

Analysis by Shali Hsieh