There is a new banking trojan going around that uses Microsoft PowerShell to alter a computer's local proxy settings in order to redirect users to the wrong server when they try to access a banking portal.
Banking trojans have hijacked computer proxy settings for years; this is how some of them operate. The difference is that earlier trojans used local PAC (Proxy Auto-Config) files to achieve this, which they silently installed on infected hosts.
Security researchers from Kaspersky Lab say they've now detected a new trojan, which they named Trojan-Proxy.PowerShell.Agent.a, that uses PowerShell, a task automation utility included by Microsoft with its Windows OS, which was recently open-sourced for both Linux and Mac.
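For defenders, both mechanisms described above (a PAC file and a directly altered proxy setting) can be audited in one pass. The following is an added example, not code from the article or from Kaspersky Lab. It assumes the changes land in the standard per-user WinINET values (`ProxyEnable`, `ProxyServer`, `AutoConfigURL`), which the article does not specify; the function name, the allowlist and the sample values are hypothetical.

```powershell
# Added example: flag per-user proxy values that point somewhere unexpected.
# $AllowedProxyHosts is a hypothetical allowlist; use your organisation's own proxies.
function Test-ProxySetting {
    param(
        [Parameter(Mandatory)] $Settings,   # object exposing ProxyEnable, ProxyServer, AutoConfigURL
        [string[]] $AllowedProxyHosts = @()
    )
    $findings = @()

    # PAC (Proxy Auto-Config) URL: the mechanism earlier trojans relied on.
    if ($Settings.AutoConfigURL) {
        $pac = [string]$Settings.AutoConfigURL
        $uri = $null
        if (-not [Uri]::TryCreate($pac, [UriKind]::Absolute, [ref]$uri)) {
            $findings += "AutoConfigURL is not a valid URI: $pac"
        } elseif ($uri.IsFile -or $uri.IsLoopback) {
            $findings += "PAC file is served from the local machine: $pac"
        } elseif ($AllowedProxyHosts -notcontains $uri.Host) {
            $findings += "PAC host is not in the allowlist: $($uri.Host)"
        }
    }

    # Static proxy: "host:port" or per-protocol "http=host:port;https=host:port".
    if ($Settings.ProxyEnable -eq 1 -and $Settings.ProxyServer) {
        foreach ($entry in ([string]$Settings.ProxyServer -split ';')) {
            $hostPort = ($entry -split '=')[-1]
            $hostName = ($hostPort -replace '^\w+://', '') -replace ':\d+$', ''
            if ($AllowedProxyHosts -notcontains $hostName) {
                $findings += "Proxy host is not in the allowlist: $hostName"
            }
        }
    }
    return ,$findings
}

# Constructed sample values (documentation address range), not from a real infection.
$sample = [pscustomobject]@{
    ProxyEnable   = 1
    ProxyServer   = 'https=203.0.113.10:8080'
    AutoConfigURL = 'file:///C:/Users/Public/proxy.pac'
}
Test-ProxySetting -Settings $sample -AllowedProxyHosts 'proxy.corp.example'

# On a Windows host, run the same check against the live per-user values.
if ($env:OS -eq 'Windows_NT') {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Test-ProxySetting -Settings (Get-ItemProperty -Path $key) -AllowedProxyHosts 'proxy.corp.example'
}
```

An empty result means none of the three values points outside the allowlist; any finding on a machine that should have no proxy configured warrants a closer look at how the value was set.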
Trojan delivered as PIF files in spam email attachments
This particular banking trojan currently targets only Brazilian financial institutions and is distributed as a PIF file via email spam claiming to be receipts from mobile operators.