Security researcher spots Amazon Web Services hosting Brazilian malware

According to Dmitry Bestuzhev, the malware's installation code is being distributed on the AWS platform as a screen-saver file that, when it is executed, installs a rootkit that blocks several IT security applications from running.

"The evidence indicates that the criminals behind the attack are from Brazil and they used several previously registered accounts to launch the infection", he says in his security blog.

"Unfortunately after my formal complaints to Amazon, and waiting more than 12 hours, all malicious links are still online and active. It's worth mentioning that more and more criminals use legitimate cloud services for malicious purposes", he adds.

Bestuzhev goes on to say that he hopes that all the malicious links will be deactivated by Amazon soon.

"I believe legitimate cloud services will continue to be used by criminals for different kinds of cyber-attacks. Cloud providers should start thinking about better monitoring systems and expanding security teams in order to cut down on malware attacks enabled and launched from their cloud", he says.

According to Lucian Constantin of the Softpedia newswire, meanwhile, the Brazilian malware disables a browser security add-on called GBPlugin, which is commonly distributed by Brazilian banks to their customers.

"The malware is designed to steal financial information from nine Brazilian banks and two international ones, login credentials for Microsoft's Live Messenger and digital certificates used by eTokens", says the newswire.

The newswire adds that Brazilian banking malware has been increasing in sophistication during recent months.

As reported by Infosecurity last month, Kaspersky's security researcher Fabio Assolini revealed that his research team has already detected the first rootkit banker created to infect 64-bit systems.

The malware, he said in his blog, was detected in a drive-by-download attack made by Brazilian cybercriminals.

"We found a malicious Java applet inserted in a popular Brazilian website. The attack was made using a malicious applet in such a way as to infect users running old versions of the JRE (Java Runtime Environment) and was prepared to infect users running versions of both 32- and 64-bit systems", he said.
