Customers of Japanese banks targeted by the Brolux Trojan

Researchers at ESET have spotted a new strain of banking Trojan dubbed Brolux that is targeting online banking users in Japan.


Once again customers of the Japanese banks have been targeted by a malware, after the recent campaigns based on Shifu, Tsukuba, and Neverquest, now its time for a new threat.

According to the security firm ESET a new malware dubbed Win32/Brolux is infected computers in Japan, threat actors are relying on the Flash Player exploit (CVE-2015-5119) disclosed after the Hacking Team hack and the Internet Explorer flaw "Unicorn" (CVE-2014-6332).

Despite both vulnerabilities have been fixed crooks are still exploiting them to serve malware in the wild, in this case, bad actors are spreading the Brolux banking Trojan through an adult website.

"A banking trojan, detected by ESET as Win32/Brolux.A, is targeting Japanese internet banking users and spreading through at least two vulnerabilities: a Flash vulnerability leaked in the Hacking Team hack and the so-called unicorn bug, a vulnerability in Internet Explorer discovered in late 2014. Both exploits are (still) distributed through an adult website and try to install a signed malicious binary designed to steal personal information from the victim. " states the blog post published by ESET.

The experts noticed that the digital certificate was previously used to sign other malicious codes, in one case it was used to sign the Venik banking Trojan that targeted financial organizations in Korea, and potentially unwanted applications (PUAs).

brolux banking trojan digital certificateThe experts explained that once the victim's machine has been infected the Brolux banking Trojan downloads two configuration files, respectively containing a list of 88 URLs and a list of browser window titles used by Japanese Internet online banking services.

Brolux supports Internet Explorer, Firefox and Chrome browsers.

If the victims use the Internet Explorer, the malware monitors the websites visited by with the browser searching for one of the online banking websites present in the configuration file. If the victims use Firefox or Chrome, the malware compares the window's title with the list from the other configuration file.

When the victims visit one of the targeted banking sites, the Brolux malware created a new process and it present users a phishing page designed to harvest login credentials and other information, such as security questions and answers, email addresses, PINs and payment card data.

"The phishing page asks for login information, as well as answers to security questions. The page tries to use two trusted institutions in Japan: the Public Prosecutors Office and the Financial Services Agency (FSA). The URL mimics both institutions while the page's content refer to the FSA." continues the blog post.

brolux banking trojan

Who is behind this malware campaign?

Evidence collected by ESET suggests the involvement of Chinese crooks, for example the phishing pages contain text written in Chinese, the malware is signed with a certificate issued to a Chinese organization and one of the samples detected by the experts uses a Chinese mutex name.