
Security Researchers Warn Users Of Win32/Bayrob Trojan

  • Win32/Bayrob trojan has been intensely targeting users since mid-December 2015

  • Cyber criminals behind the attack seek financial gain: they look for debit and credit card details and online banking logins and passwords

  • So far attackers have focused mainly on Europe, South Africa, Australia and New Zealand with Germany and Spain being two of the countries most affected

Following the security alert from ESET, a global security software provider, ESS Distribution, the leading provider of security software, data backup and recovery solutions in India, warns Internet users of a new cyber threat aimed at users’ financial data: the Win32/Bayrob trojan.

Win32/Bayrob has been intensely targeting several countries since the middle of December 2015. The malware is distributed via a malicious attachment in an email that impersonates Amazon. ESET’s Josep Albors detailed the nefarious activities of the Bayrob trojan on ESET’s official blog: http://www.welivesecurity.com/2016/01/28/application-not-compatible-bayrob-may-be-stealing-your-info/

According to Albors, Win32/Bayrob is distributed using a classic attack vector: a malicious attachment in an email. In some cases, the emails pretend to be from Amazon (however, the sender’s email address reveals that they do not belong to Amazon).

The e-mails may have a ZIP file attached containing an executable, which turns out to be the malware. If the user runs it, it takes malicious actions on the system while showing an error message to make the victim believe that he or she downloaded a file that cannot be used on the system.
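The two warning signs the article describes, a display name that claims Amazon while the address belongs elsewhere, and a ZIP attachment carrying an executable, can both be checked mechanically at the mail gateway. The following Python is an added example, not ESET's or ESS Distribution's code: it builds a constructed sample message with a placeholder "MZ"-headed file inside a ZIP, then triages it. The brand-to-domain table and the executable extension list are assumptions for the example, not data from the page.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Assumption: a small table of domains a brand legitimately sends from.
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.co.jp", "amazon.de", "amazon.es"}}
# Assumption: extensions commonly hidden inside lure archives.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def sender_brand_mismatch(from_header: str) -> Optional[str]:
    """Return the brand named in the display name when the address domain is
    not one of that brand's domains (or a subdomain of one); otherwise None."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in name.lower() and not legit:
            return brand
    return None


def executables_in_zip(data: bytes) -> list:
    """List archive members that look executable, either by extension or by the
    'MZ' DOS/PE magic (a renamed .exe still starts with those two bytes)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                magic = fh.read(2)
            if ext in EXECUTABLE_EXTENSIONS or magic == b"MZ":
                hits.append(info.filename)
    return hits


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report both indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {
        "brand_mismatch": sender_brand_mismatch(str(msg["From"] or "")),
        "zip_executables": [],
    }
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Check by extension or by the 'PK' ZIP signature, so a renamed archive is not skipped.
        if fname.lower().endswith(".zip") or payload[:2] == b"PK":
            try:
                findings["zip_executables"].extend(executables_in_zip(payload))
            except zipfile.BadZipFile:
                findings["zip_executables"].append(fname + ": unreadable archive")
    findings["suspicious"] = bool(findings["brand_mismatch"] or findings["zip_executables"])
    return findings


def build_sample_email() -> bytes:
    """Constructed sample lure: 'Amazon' in the display name, an unrelated sender
    domain, and a ZIP holding a file that begins with 'MZ' (placeholder bytes only)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Order_Invoice.exe", b"MZ" + b"\x00" * 64)  # not a real program
    msg = EmailMessage()
    msg["From"] = "Amazon Orders <orders@example-mail.invalid>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Your order could not be delivered"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_email()))
```

Either indicator on its own is enough to quarantine for review; the magic-byte check matters because renaming the payload to a harmless-looking extension is cheap, while the "MZ" header is not.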

According to ESET researchers, one feature of Win32/Bayrob is that it can generate various URLs in addition to the one used to contact the remote computer controlled by the attackers. Some of the URLs found by the researchers belong to Amazon Japan, which could mean that the attackers are using a rented server within the Amazon Web Services infrastructure to control and send commands to the infected machines. This does not mean that any Amazon server has been compromised; it suggests that the criminals behind this campaign are using (and paying for) an existing web service infrastructure provided by Amazon Japan, Josep Albors notes.

“Although Win32/Bayrob detection was high in Europe but not in Asia, users should be aware of such threats,” Zakir Hussain, Head of ESS Distribution said. “As a security solution provider we encourage users to pay more attention to what they browse online or download from the Internet or email. Even sophisticated attacks can be recognized and avoided this way.”

According to ESET Virus Radar, a real-time threat-monitoring site, Indian users were not extensively exposed to the Win32/Bayrob threat. The most common threats in India are the Win32/Bundpil worm, the Win32/Sality virus, the LNK/Agent.BZ and LNK/Agent.BS trojans, and INF/Autorun, the most common variety of malware that uses the autorun.inf file as a way to compromise a PC.