Banking Trojan impersonates Chrome installer

By Nadine Arendse
Johannesburg, 21 May 2012

Brazilian and Peruvian users looking to install Google's Chrome browser are in grave danger of downloading information-stealing malware instead, Help Net Security reports.

"We recently found some suspicious-looking URLs, which suggest that a malicious file named ChromeSetup.exe is hosted in domains like Facebook and Google," Trend Micro researchers warn.

The real danger occurs when the malware implants a file that triggers the victim's Web browser to redirect to a rigged banking site when the user attempts to visit a legitimate banking platform, MSNBC reports.

The Trojan, identified as "TSPY_BANKER.EUIQ", hijacks the user's banking session and displays a dialogue box that reads: "Loading system security", giving victims the impression that they're actually being protected when, in fact, the crooks are picking their virtual pockets.

Adding insult to injury, the Trojan uninstalls GbPlugin, a software plug-in built to protect Brazilian online banking customers. Trend Micro said the malware, which was first spotted in October 2011, is currently being used in the wild and is morphing to evade detection and more effectively fleece its victims.

According to ThreatPost, the Banker malware initially required three components to be installed separately. Newer samples suggest all three components are now wrapped into one package.

"It looks like this malware is still under development and we may still see improvements in future variants," said threats analyst Brian Cayanan.
