Trojan-Banker.Win32.Banbra

Detect Date 06/28/2016
Class Trojan-Banker
Platform Win32
Description

This malware family is designed to steal personal information from the clients of Brazilian banks. Methods and technologies used by this malware are generally crude. Written in Delphi or .NET, the malware uses fraudulent forms to obtain the information necessary for bypassing two-factor authentication.

One example of this malware family is the Telax banking Trojan. The main Telax module is written in Delphi and is approximately 12 MB in size. The Trojan loader is written in C# and is under 500 KB in size. The Trojan is capable of performing simple commands received from the control server, such as controlling the mouse, pressing a key combination in an open window, deleting itself, and restarting the computer. Data from the user’s computer is transmitted via a POST request without encryption. Request parameters are named in Portuguese:

  • ID_MAQUINA – computer ID
  • VERSAO – Trojan version
  • WIN – operating system
  • NAVEGADOR – browser executable file
  • PLUGIN – plug-in name
  • AV – name of installed anti-virus software
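
A detection check built on the parameter names listed above, added here as an example (it is not Kaspersky's code and not taken from the malware): it flags cleartext POST requests, as recovered from a proxy or packet capture, whose field names match the list. The form-encoded layout, the case-insensitive match, the threshold, and both sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Parameter names listed on the page for the Telax POST request.
TELAX_PARAMS = {"ID_MAQUINA", "VERSAO", "WIN", "NAVEGADOR", "PLUGIN", "AV"}
# Assumption: short names such as WIN and AV also occur in benign traffic, so a
# hit needs at least one distinctive name plus a minimum count (tune locally).
DISTINCTIVE = {"ID_MAQUINA", "VERSAO", "NAVEGADOR"}
MIN_MATCHES = 4


def request_field_names(raw: bytes) -> set:
    """Return upper-cased field names from a raw HTTP/1.x POST request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2 or parts[0].upper() != "POST":
        return set()
    # Assumption: fields are URL-encoded; the page does not say whether they
    # travel in the body or the query string, so both are inspected.
    names = set()
    for encoded in (urlsplit(parts[1]).query, body.decode("latin-1")):
        names.update(k.upper() for k in parse_qs(encoded, keep_blank_values=True))
    return names


def telax_param_hits(raw: bytes) -> set:
    """Return which of the listed Telax parameter names the request carries."""
    return request_field_names(raw) & TELAX_PARAMS


def is_suspicious(raw: bytes) -> bool:
    """True when enough listed names, including a distinctive one, are present."""
    hits = telax_param_hits(raw)
    return len(hits) >= MIN_MATCHES and bool(hits & DISTINCTIVE)


# Constructed sample requests (hosts, paths and values are invented).
SAMPLE_BEACON = (
    b"POST /submit HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"ID_MAQUINA=PC-01&VERSAO=1.0&WIN=Windows+7"
    b"&NAVEGADOR=chrome.exe&PLUGIN=none&AV=none"
)
SAMPLE_BENIGN = (
    b"POST /settings?win=1 HTTP/1.1\r\nHost: app.example.invalid\r\n\r\n"
    b"user=alice&av=off"
)

if __name__ == "__main__":
    for label, req in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(label, is_suspicious(req), sorted(telax_param_hits(req)))
```

Because the request is unencrypted, the same name set can also be expressed as a content match in a network IDS or proxy rule.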

Geographical distribution of attacks by the Trojan-Banker.Win32.Banbra family

Geographical distribution of attacks during the period from 28 June 2015 to 28 June 2016

Top 10 countries with most attacked users (% of total attacks)

Rank  Country             % of users attacked worldwide*
1     Brazil              56.89
2     Russian Federation  14.09
3     Austria             7.93
4     Switzerland         2.33
5     India               2.30
6     Germany             1.42
7     Turkey              1.42
8     China               1.38
9     Ukraine             1.22
10    USA                 0.92

* Percentage among all unique Kaspersky users worldwide attacked by this malware