
Client Maximus

Posted: September 14, 2017

Threat Metric

Ranking: 10,502
Threat Level: 8/10
Infected PCs: 2,349
First Seen: September 14, 2017
Last Seen: September 3, 2023
OS(es) Affected: Windows

The Client Maximus is a banking Trojan that modifies the Web-browsing sessions of its victims to facilitate fraudulent financial transactions. Because the Client Maximus, like most spyware, is designed to operate without detection, PC users should protect themselves with appropriate security products that detect similar threats, regardless of the lack of symptoms. Always use anti-malware programs for uninstalling the Client Maximus before taking further actions as recommended by your bank to re-secure any compromised accounts.

Banking Trojans Hitting South America to the Max

Brazil is one of the malware industry's preferred targets for deploying banking Trojans, which may collect account credentials or use more sophisticated methods of transferring money from a victim's account to a con artist. However, most specimens are noticeably limited in programming sophistication when compared to those of the similar underground industries in Europe and North America. That may be changing with the Client Maximus, a banking-specialized form of spyware that seems to be purpose-built for the customers of Brazilian financial institutions.

The Client Maximus installs itself by exploiting a script vulnerability in Windows machines, which leads to the machine running a corrupted JavaScript function. First, the installer makes multiple checks for common signs of security or AV analysis environments, so that the Client Maximus only infects a 'normal' PC. Like similar forms of spyware, once the Client Maximus is operational, it maintains system persistence via a DLL-hijacking function that hides the Client Maximus as part of a process associated with Microsoft, Adobe or VMware.

The Trojan monitors the user's Web-browsing activities for access to specific websites, although the list of monitored domains is obfuscated to hinder analysis by third parties. If it detects that the user is loading a Brazilian banking site, it notifies the remote attacker, who can enable a UI overlay. With this secondary interface, the con artist sends additional requests for confidential information and manipulates the victim into authorizing a fraudulent financial transaction. Other than the overlay not being able to be minimized, malware experts conclude that there are limited to no symptoms to indicate that an attack is taking place.

Minimizing the Role of Trojans in Your Online Banking

Although Brazil has been a focal point for banking-oriented spyware for years, the Client Maximus is a potential milestone that shows a ramping up in the quality of the deployed threats' programming. It includes redundant backup functions for responding to different environments, various checks against AV vendors' analytical tools, and a hands-on payload driven by the threat actor abusing his remote access to the infected computer. The most significant symptoms of the Client Maximus attacks are limited to the unusual requests for additional banking information, which threat actors can disguise as being part of the banking institution's security protocols.

The Client Maximus doesn't maintain its presence on an infected PC as a visibly separate application, and users should rely on their anti-malware solutions for identifying this threat. Infection methods for threats of this type usually rely on email attachments, which malware experts usually find crafted to look like invoices, delivery notices or local news articles. Always respond to a potential infection by letting your anti-malware products delete the Client Maximus immediately, and by consulting your bank for other steps to take, such as changing a compromised password.

It's the nature of the Trojan industry to adapt itself to the landscape it's attacking. For Brazil, the problems presented by banking Trojans like the Client Maximus are only becoming thornier.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



