Bayrob Trojan is controlled from Amazon server

ESET is warning users about a significant recent rise in activity of the Bayrob malware. Cybercriminals have been using it to steal personal data, including financial credentials.

Cyberthieves distribute Bayrob through bulk e-mail. The lure message impersonates Amazon, and its attachment is a ZIP archive containing an executable file.

That executable is the malicious file. If the user runs it, an error message appears on the screen, lowering their guard. At the same time the trojan starts operating as a backdoor through which the criminals obtain credit card information. An embedded keylogger also lets them capture online banking credentials (logins and passwords).

To collect this data, the malware contacts a remote server, downloads additional malicious programs, runs executable files, and then sends the harvested information to the attackers.
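The delivery chain described above (an e-mail attachment that is a ZIP archive wrapping an executable) is something a mail gateway can check for before the message reaches a user. The following is an added example written for this article, not ESET's detection logic or anything from the Bayrob sample itself; the archive contents, file names and the `inspect_zip_attachment` function are constructed for illustration. It flags archive members with a directly executable extension, members whose bytes start with the Windows PE `MZ` magic while carrying a document-looking name, and decoy double extensions such as `.pdf.exe`.

```python
import io
import os
import zipfile

# Extensions Windows will execute directly when double-clicked (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Extensions attackers like to place in front of the real one as a decoy.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def inspect_zip_attachment(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member_name, reason) for every archive member that looks like an executable payload.

    An empty list means nothing inside the archive matched; a non-empty list is a reason
    to quarantine the message rather than deliver it.
    """
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            stem, ext = os.path.splitext(name.lower())
            _, inner_ext = os.path.splitext(stem)  # second-to-last extension, if any

            if ext in EXECUTABLE_EXTENSIONS:
                if inner_ext in DOCUMENT_EXTENSIONS:
                    findings.append((name, f"decoy double extension {inner_ext}{ext}"))
                else:
                    findings.append((name, f"executable extension {ext}"))
                continue

            # Names can lie; the file header cannot. Read only the first two bytes.
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            if head == PE_MAGIC:
                findings.append((name, f"PE header behind non-executable name ({ext or 'no extension'})"))
    return findings


def build_sample_lure() -> bytes:
    """Constructed archive imitating the lure described in the article (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake PE stub: MZ magic followed by zero padding; it is not a working program.
        fake_pe = PE_MAGIC + b"\x00" * 62
        zf.writestr("Amazon_Order_Details.pdf.exe", fake_pe)   # decoy double extension
        zf.writestr("shipping_label.pdf", fake_pe)             # PE bytes under a document name
        zf.writestr("readme.txt", b"Thank you for your order.") # benign member
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive with only a text file, to show the clean path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", b"Order total: 42.00")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip_attachment(build_sample_lure()):
        print(f"QUARANTINE {member}: {reason}")
    print("benign archive findings:", inspect_zip_attachment(build_benign_archive()))
```

Checking the `MZ` header as well as the extension matters because the article's lure relies on the user not noticing that the attachment is an executable; a renamed file defeats an extension-only filter, while the header check catches it regardless of name. Archives nested inside archives, password-protected ZIPs and non-PE script payloads would need further handling that this example does not cover.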

To contact the remote server, Bayrob can generate various URLs. One of them is registered to Amazon's branch in Japan. Apparently the attackers use a server belonging to Amazon's web infrastructure to control the infected machines and send them commands. This does not necessarily mean that the whole Amazon platform has been compromised – the suspected server could be legitimately rented by a third party.

Since late 2015, the Bayrob trojan has been used extensively in cyber attacks targeting users in Europe, South Africa, Australia and New Zealand.