
System Infected: Infostealer.Boleteiro Activity 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Infostealer.Boleteiro activity on the compromised computer.

Additional Information

The Trojan must be manually executed in order to infect the compromised computer.

When the Trojan is executed, it creates the following files:

%UserProfile%\Application Data\Microsoft\Google\icon.png
%UserProfile%\Application Data\Microsoft\Google\Manifest.js
%UserProfile%\Application Data\Microsoft\Google\Manifest.json
Note: These files create a Google Chrome extension.

The Trojan may modify the following file to include a parameter so the browser will not display a warning about the new extension:

%AllUsersProfile%\Desktop\Google Chrome.lnk
The malicious extension displays normally in the Extensions section of Google Chrome.
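As an added defender-side check (this is example code, not part of Symantec's page), the following Python parses the MS-SHLLINK StringData of a Chrome shortcut to recover its command-line arguments and looks for the three extension files listed above; since the advisory does not name the parameter the Trojan adds, any argument on the shortcut is reported, and one pointing at the extension directory is called out separately. `sample_lnk` builds a constructed minimal shortcut so the script runs offline, and the switch name used in the demo is a placeholder, not a real Chrome flag.

```python
import os
import struct
# Indicators from the advisory; file paths are relative to %UserProfile%.
EXTENSION_DIR = r"Application Data\Microsoft\Google"
EXTENSION_FILES = tuple(EXTENSION_DIR + "\\" + f for f in ("icon.png", "Manifest.js", "Manifest.json"))
# MS-SHLLINK LinkFlags bits needed to reach the CommandLineArguments field.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, IS_UNICODE = 0x10, 0x20, 0x80

def lnk_arguments(data: bytes) -> str:
    """Return the CommandLineArguments string of a .lnk file ('' if none)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:    # skip LinkTargetIDList (2-byte size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # skip LinkInfo (4-byte total size)
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    # StringData fields follow in fixed order, each prefixed by a char count.
    for bit in (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        if bit == HAS_ARGS:
            return raw.decode("utf-16-le" if width == 2 else "cp1252")
    return ""

def shortcut_findings(args: str) -> list:
    """A stock Chrome shortcut carries no arguments, so any are worth a look."""
    findings = []
    if args.strip():
        findings.append("Chrome shortcut has arguments: " + args.strip())
    if EXTENSION_DIR.lower() in args.lower():
        findings.append("arguments reference the extension directory")
    return findings

def check_extension_files(user_profile: str, exists=os.path.exists) -> list:
    """Return the advisory's extension files that exist under %UserProfile%."""
    return [p for p in EXTENSION_FILES if exists(user_profile + "\\" + p)]

def sample_lnk(args: str, unicode: bool = True) -> bytes:
    """Constructed minimal .lnk (no IDList/LinkInfo) carrying only arguments."""
    header = struct.pack("<I16sI", 0x4C, b"", HAS_ARGS | (IS_UNICODE if unicode else 0))
    raw = args.encode("utf-16-le" if unicode else "cp1252")
    return header + b"\x00" * 52 + struct.pack("<H", len(args)) + raw
```

On a live host, read `%AllUsersProfile%\Desktop\Google Chrome.lnk` into `lnk_arguments` and pass `%UserProfile%` to `check_extension_files`; the real shortcut also carries an IDList and LinkInfo, which the parser skips.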

The Trojan injects JavaScript code into any page loaded by Chrome.

The Trojan looks for any Boleto displayed by Chrome and attempts to gather the following information:

Value
Payer
Expiry date

Note: Boleto is a check popular in Brazil.

The Trojan sends the stolen information to the following location:

[http://]www.planansa.com.br/site/welcom[REMOVED]
The Trojan modifies the contents of the Boleto based on a response from the server.

Affected

  • Various Windows platforms

Response

It is recommended to perform some of the following actions as a precautionary measure.
  • Run the Norton Power Eraser (home users).
  • Run the Symantec Power Eraser (business users).
  • Update your product definitions and perform a full system scan.
  • Identify suspicious files.
  • Submit suspicious files to Symantec for analysis.

If you believe that the signature is reported erroneously, please read the following:
  • Change the behavior of Symantec IPS signatures.
  • Report a potential false positive to Symantec.