Hackers attack PKO BP customers. The Trojan takes control of your computer

Hacker in front of a laptop, illustrative photo

CERT Orange Polska warns against the Quasar RAT Trojan campaign. Fake e-mails from PKO BP are a new method of stealing bank customer data.

CERT Orange Polska has detected a new campaign in which cybercriminals use the Quasar RAT malware to attack PKO BP customers. The Trojan allows a full takeover of the victim’s computer, including the theft of electronic banking login details. The malware is distributed via fake e-mails that imitate genuine correspondence from the bank.

How does the Quasar RAT Trojan work?

Quasar RAT (Remote Access Trojan) is a tool that gives an attacker remote access to an infected computer. This open-source software, written in C#, is capable of:

  • intercepting passwords saved in browsers,

  • recording keystrokes (keylogger),

  • obtaining full access to files and the operating system.

In the latest campaign, the malware is hidden in email attachments that pretend to be PDF documents from PKO BP.

Attack mechanism

The fake e-mails are written in correct Polish and contain a file attachment whose real extension has been cleverly disguised. After the victim opens the file:

  1. The malware connects to a remote server to download an additional malware payload.

  2. The downloaded file is launched by the InstallUtil.exe system process.

  3. The Trojan installs itself on the system, ensuring its persistence by automatically launching each time the user logs in.

  4. Communication with the control server takes place using domains such as aboushagor.ydns(.)eu, via TCP port 6542.
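The four steps above each leave a trace that a defender can look for: InstallUtil.exe launching a payload from a user-writable directory, an autorun entry created for logon persistence, a DNS query for the control domain, and an outbound TCP connection on port 6542. The following script is an added example, not code from the article or from CERT Orange Polska. It runs simple detection rules over constructed log lines in a hypothetical key="value" format; the domain and port are the article's own indicators, while the assumption that persistence is done through a Run registry key, the user-writable path list and the field names are the example's own.

```python
"""Detection sweep for the Quasar RAT campaign indicators described above.
Log format, field names and sample events are constructed for this example."""
import re
from typing import Dict, List, Tuple

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Parse a constructed key="value" log line into a dict with lowercased keys."""
    return {k.lower(): v for k, v in KV_RE.findall(line)}


def defang(indicator: str) -> str:
    """Turn a defanged indicator such as aboushagor.ydns(.)eu into a matchable host name."""
    return indicator.replace("(.)", ".").replace("[.]", ".").lower()


# Indicators taken from the article.
C2_DOMAINS = {defang("aboushagor.ydns(.)eu")}
C2_PORT = "6542"
LOADER = "installutil.exe"
# Assumption: a downloaded payload lands in a user-writable location like these.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")
# Assumption: "launch at every logon" is implemented via a Run/RunOnce key.
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def check(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "process":
        # Step 2: InstallUtil.exe used to run a file from a user-writable path.
        image = event.get("image", "").lower()
        if image.endswith(LOADER) and in_user_writable(event.get("cmdline", "")):
            hits.append("installutil_loader")
    elif kind == "registry":
        # Step 3: autorun entry pointing at a user-writable path.
        key = event.get("key", "").lower()
        if any(k in key for k in RUN_KEYS) and in_user_writable(event.get("data", "")):
            hits.append("run_key_persistence")
    elif kind == "dns":
        # Step 4: resolution of the control domain.
        if defang(event.get("query", "")) in C2_DOMAINS:
            hits.append("c2_domain")
    elif kind == "network":
        # Step 4: outbound TCP traffic on the control port.
        if event.get("proto", "tcp").lower() == "tcp" and event.get("dst_port") == C2_PORT:
            hits.append("c2_port")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every line; return (rule, line) pairs for the hits."""
    return [(rule, line) for line in lines for rule in check(parse_line(line))]


# Constructed sample events: two hits per category are paired with benign look-alikes.
SAMPLE_LOGS = [
    'type="process" image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe" '
    'cmdline="InstallUtil.exe C:\\Users\\jan\\AppData\\Local\\Temp\\faktura.exe"',
    'type="process" image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe" '
    'cmdline="InstallUtil.exe C:\\Program Files\\Vendor\\service.exe"',
    'type="registry" key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client" '
    'data="C:\\Users\\jan\\AppData\\Roaming\\Client.exe"',
    'type="dns" query="aboushagor.ydns.eu"',
    'type="dns" query="www.pkobp.pl"',
    'type="network" dst="203.0.113.10" dst_port="6542" proto="tcp"',
    'type="network" dst="203.0.113.10" dst_port="443" proto="tcp"',
]

if __name__ == "__main__":
    for rule, line in scan(SAMPLE_LOGS):
        print(f"[{rule}] {line}")
```

Run as-is, the script flags four of the seven constructed lines, one per step of the chain, and ignores the three benign look-alikes (InstallUtil.exe run against a vendor path under Program Files, a DNS query for the bank's real site, and ordinary HTTPS traffic). The port rule on its own is noisy in real traffic; in practice it is the combination of an InstallUtil.exe launch from a temporary directory followed by new outbound traffic from the same host that is worth an alert.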

A real threat to users

CERT Orange Polska warns that the campaign is active and may lead to serious consequences, such as theft of electronic banking credentials and taking full control of the computer.

Experts point out that customers who rely on their browser to store login credentials are at particular risk.

How to protect yourself?

CERT Orange Polska recommends:

  • Do not open attachments in emails from unknown senders.

  • Verify suspicious messages directly at the source, e.g. by contacting your bank, using official channels only.

  • Use up-to-date antivirus software and exercise caution when online.
