A new online banking malware, first found in Operation Emmental, is now causing problems in Japan.
TROJ_WERDLOD, a newly detected malware, has been causing problems in the country since December 2014. More than 400 systems have been affected by it.
According to Hitomi Kimura, a security specialist at TrendMicro, the malware changes two settings that allow information theft at the network level.
It does not require a reboot or any memory-resident processes on the affected systems.
Kimura wrote on a blog that the first modified setting is the system's proxy configuration: the attackers redirect the system's Internet traffic through a proxy they control. The second is a malicious root certificate added to the system's trusted root store. It allows the malicious site certificates used in the man-in-the-middle attack to be accepted without triggering alerts or error messages.
He wrote that TROJ_WERDLOD reaches users via spam mails with an attached .RTF document, which claims to be an invoice or bill from an online shopping site. If the user opens the .RTF file, it instructs them to double-click an icon embedded in the document, which executes TROJ_WERDLOD on the system.
[Image: Spam mail which leads to TROJ_WERDLOD. Photo courtesy: TrendMicro]
According to him, the attackers used a fake certificate and proxy in Operation Emmental. They also used fake mobile apps to steal SMS messages sent by online banks. The same behavior may be seen in Japan in the future, although Japanese banks rarely use SMS authentication.
Kimura suggested that in order to restore an infected PC to its normal condition, the following steps should be taken:
1. Remove the automatic proxy setting in Windows and Firefox. If a proxy setting was provided by the ISP and/or system administrator, change it back to that previous setting.
2. Remove the malicious root certificate installed by TROJ_WERDLOD from the Windows and Firefox certificate stores. This malicious root certificate has the following signature:
   A134D31B 881A6C20 02308473 325950EE 928B34CD
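The following PowerShell script is an added example, not code from the article or from Trend Micro. It checks a Windows host for the two changes described above (a proxy auto-configuration entry and a root certificate with the listed fingerprint) and can undo them. It assumes that the value quoted in the article is a SHA-1 certificate thumbprint, that the Windows proxy settings live under the usual Internet Settings registry key, and that Firefox keeps its proxy preference in prefs.js under %APPDATA%\Mozilla\Firefox\Profiles; the function names Find-WerdlodIndicators and Remove-WerdlodIndicators are my own.

```powershell
# Added example (not from the article or Trend Micro): report and optionally
# undo the two settings the article says TROJ_WERDLOD modifies.
# Assumptions: the fingerprint in the article is a SHA-1 thumbprint; Windows
# proxy settings are in the Internet Settings key; Firefox uses prefs.js.

# Thumbprint quoted in the article, with the spaces removed.
$WerdlodThumbprint = 'A134D31B881A6C2002308473325950EE928B34CD'

function Find-WerdlodIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Windows (WinINET) proxy settings for the current user.
    $inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
    if ($inet.AutoConfigURL) {
        $findings += [pscustomobject]@{ Type = 'ProxyAutoConfig'; Location = $inetKey; Value = $inet.AutoConfigURL }
    }
    if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer) {
        $findings += [pscustomobject]@{ Type = 'ProxyServer'; Location = $inetKey; Value = $inet.ProxyServer }
    }

    # 2. Firefox proxy auto-config preference in each profile's prefs.js.
    $ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path $ffProfiles) {
        $prefFiles = Get-ChildItem -Path $ffProfiles -Filter 'prefs.js' -Recurse -ErrorAction SilentlyContinue
        foreach ($pf in $prefFiles) {
            $hit = Select-String -Path $pf.FullName -Pattern 'network\.proxy\.autoconfig_url' | Select-Object -First 1
            if ($hit) {
                $findings += [pscustomobject]@{ Type = 'FirefoxProxyAutoConfig'; Location = $pf.FullName; Value = $hit.Line.Trim() }
            }
        }
    }

    # 3. Trusted root stores: look for the thumbprint the article lists.
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        $certs = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
                 Where-Object { $_.Thumbprint -eq $WerdlodThumbprint }
        foreach ($c in $certs) {
            $findings += [pscustomobject]@{ Type = 'MaliciousRootCert'; Location = "$store\$($c.Thumbprint)"; Value = $c.Subject }
        }
    }

    return $findings
}

function Remove-WerdlodIndicators {
    # Undo only the two changes the article describes. Run as the affected user,
    # and elevated if the certificate sits in the LocalMachine store.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($f in Find-WerdlodIndicators) {
        switch ($f.Type) {
            'ProxyAutoConfig' {
                if ($PSCmdlet.ShouldProcess($f.Location, 'Remove AutoConfigURL')) {
                    Remove-ItemProperty -Path $f.Location -Name 'AutoConfigURL'
                }
            }
            'MaliciousRootCert' {
                if ($PSCmdlet.ShouldProcess($f.Location, 'Remove root certificate')) {
                    Remove-Item -Path $f.Location
                }
            }
            default {
                # A ProxyServer entry or a Firefox auto-config URL may be a legitimate
                # ISP/administrator setting, so these are reported for manual review.
                Write-Warning "Review manually: $($f.Type) at $($f.Location) = $($f.Value)"
            }
        }
    }
}

# Report-only run; call Remove-WerdlodIndicators -WhatIf to preview removals.
Find-WerdlodIndicators | Format-Table -AutoSize
```

The script only removes the two artifacts the article attributes to the malware; other proxy entries are reported rather than deleted, because the article notes they may have been set by the ISP or an administrator. Firefox keeps its own certificate database, so a root certificate installed there must still be removed through Firefox's Certificate Manager (or an NSS tool), which this script does not attempt.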