
Trojan.Bankrif


First posted on 05 December 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Bankrif.

Explanation:

When the Trojan is executed, it creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MyKB" = "[PATH TO MALWARE]"

The Trojan then connects to the following remote location to obtain the command-and-control (C&C) server's IP address:
[http://]www.pinterest.com/pin/66217056[REMOVED]

The Trojan may then look for certificate data in the following folders and send this data to the C&C server through File Transfer Protocol (FTP):
%ProgramFiles%\NPKI
%SystemDrive%\Documents and Settings\All Users\Application Data\LocalLow\NPKI

Next, the Trojan downloads a malicious script and injects it into web pages displayed through web browsers. This script is designed to steal banking information from the following websites:
kbstar.com
wooribank.com
banking.nonghyup.com
hanabank.com
mybank.ibk.co.kr
www.ibk.co.kr
banking.shinhan.com

The Trojan blocks access to the following remote location:
v3clinic.ahnlab.com
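The following Python script is an added example, not part of the Symantec write-up, showing how a responder could check host artefacts against the indicators listed above: the "MyKB" value under the Run key, the Pinterest pin used to look up the C&C address, and the AhnLab host whose access is blocked. All inputs (the .reg export, the hosts file, the proxy URLs and the file path in the Run value) are constructed samples. The hosts-file check is an assumption: the write-up says access to v3clinic.ahnlab.com is blocked but not by what mechanism, so that check only covers a hosts-file redirect.

```python
"""Added example: match host artefacts against the Trojan.Bankrif indicators
from the description above. All sample data below is constructed."""
import re
from typing import Dict, List, Tuple

# Indicators quoted from the write-up.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "MyKB"
CNC_LOOKUP_PREFIX = "www.pinterest.com/pin/66217056"  # pin id is truncated in the source
BLOCKED_AV_HOST = "v3clinic.ahnlab.com"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal 'reg export' (.reg) dump into {key: {name: data}}.
    Keys are lower-cased; only REG_SZ values written as "name"="data" are handled."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes in REG_SZ data as "\\".
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_run_persistence(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value name, data) pairs under the Run key whose name is 'MyKB'."""
    run_values = parse_reg_export(reg_text).get(RUN_KEY.lower(), {})
    return [(n, d) for n, d in run_values.items() if n.lower() == RUN_VALUE_NAME.lower()]


def find_av_host_block(hosts_text: str) -> List[str]:
    """Return hosts-file lines that map the AhnLab host to any address.
    Assumption: a hosts-file redirect is one way to block the host; the write-up
    does not state the mechanism, so other blocking methods are not covered."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and BLOCKED_AV_HOST in [h.lower() for h in parts[1:]]:
            hits.append(line)
    return hits


def find_cnc_lookup(url_lines: List[str]) -> List[str]:
    """Return proxy-log URLs that request the Pinterest pin used to fetch the C&C address."""
    return [u for u in url_lines if CNC_LOOKUP_PREFIX in u.lower()]


# Constructed sample inputs (not captured from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"MyKB"="C:\\Users\\Public\\Libraries\\update.exe"
"""

SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 v3clinic.ahnlab.com  # constructed entry
"""

SAMPLE_PROXY_URLS = [
    "https://www.example.com/",
    "http://www.pinterest.com/pin/66217056PLACEHOLDER/",  # placeholder for the redacted pin
]


def scan(reg_text: str, hosts_text: str, urls: List[str]) -> Dict[str, list]:
    """Run all three checks and return the findings keyed by indicator type."""
    return {
        "run_persistence": find_run_persistence(reg_text),
        "av_host_block": find_av_host_block(hosts_text),
        "cnc_lookup": find_cnc_lookup(urls),
    }


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_REG, SAMPLE_HOSTS, SAMPLE_PROXY_URLS).items():
        print(f"{kind}: {hits if hits else 'no match'}")
```

On a live host the inputs would come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`, `%SystemRoot%\System32\drivers\etc\hosts`, and the proxy log; the value name alone is a weak indicator, so a hit on "MyKB" should be confirmed by examining the file it points to.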

Last update 05 December 2014
