Banking trojans are among the biggest threats to everyday users because they directly cause financial loss. Talos recently observed a new campaign specific to South America, namely Brazil. This campaign was focused on various South American banks in an attempt to steal credentials from the user to allow for illicit financial gain for the malicious actors. The campaign Talos analysed focused on Brazilian users and attempted to remain stealthy by using multiple methods of redirection to infect the victim machine. It also used multiple anti-analysis techniques, and the final payload was written in Delphi, which is quite unique to the banking trojan landscape.
As with a lot of banking trojan campaigns, this one starts with a malicious spam campaign. Here is an example of an email used during this campaign. The attacker used an email written in Portuguese, which makes it seem more legitimate to the user: receiving email in a native language gives the attackers a higher likelihood of achieving their mission objective, convincing the victim to open the malicious attachment.
The email contains an HTML attachment named BOLETO_2248_.html; a Boleto is a type of invoice used in Brazil. The HTML document contains a simple redirection to a first website:
<html>
<head>
<title>2Via Boleto</title>
</head>
<body>
</body>
</html>
<meta http-equiv="refresh" content="0; url=http://priestsforscotland[.]org[.]uk/wp-content/themes/blessing/0032904.php">
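A mail-gateway style check for this kind of attachment, as an added example that is not part of the original analysis: it parses an HTML attachment and flags it when the document has no visible text and consists only of an immediate meta-refresh redirect. The function and class names and the benign sample are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

# The attachment markup quoted above (URL left defanged, as on the page).
SAMPLE = ('<html> <head> <title>2Via Boleto</title> </head> <body> </body> </html> '
          '<meta http-equiv="refresh" content="0; url=http://priestsforscotland[.]org[.]uk'
          '/wp-content/themes/blessing/0032904.php">')
# Constructed benign page: slow refresh plus real visible content.
BENIGN = ('<html><head><title>Status</title>'
          '<meta http-equiv="refresh" content="30; url=/status"></head>'
          '<body><p>Build queue: 3 jobs</p></body></html>')

REFRESH_RE = re.compile(r"\s*(\d+)\s*[;,]\s*url\s*=\s*['\"]?([^'\"]+)", re.I)
HIDDEN = ("title", "script", "style")  # text inside these is not shown to the reader


class RefreshFinder(HTMLParser):
    """Collect meta-refresh targets and any text a reader would actually see."""

    def __init__(self):
        super().__init__()
        self.redirects = []      # (delay_seconds, target_url)
        self.visible_text = []
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        attr = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_RE.match(attr.get("content", ""))
            if m:
                self.redirects.append((int(m.group(1)), m.group(2).strip()))
        elif tag in HIDDEN:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in HIDDEN and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        if not self._hidden_depth and data.strip():
            self.visible_text.append(data.strip())


def inspect_attachment(html):
    """Flag documents whose only purpose is an immediate redirect."""
    finder = RefreshFinder()
    finder.feed(html)
    finder.close()
    immediate = [url for delay, url in finder.redirects if delay <= 1]
    return {"redirects": finder.redirects,
            "redirect_only": bool(immediate) and not finder.visible_text}
```

The parser does not depend on document structure, so the meta tag placed after the closing html tag in this attachment is still found.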
Redirection, Redirection and… Redirection
The URL contained in the HTML attachment first redirects to a goo.gl shortened URL.
A second redirect is performed by the goo.gl URL. This shortened URL points to hxxp://thirdculture[.]tv:80/wp/wp-content/themes/zerif-lite/97463986909837214092129.rar.
Finally, the archive contains a JAR file named BOLETO_09848378974093798043.jar. If the user double-clicks on the JAR file, Java will execute the malicious code and start the installation process of this banking trojan.
The first step of the Java code is to set up the working environment of the malware and to download additional files from hxxp://104[.]236[.]211[.]243/1409/pz.zip. The malware works in the C:\Users\Public\Administrator\ directory, which it creates because this is not a default folder. The new archive contains a new set of binaries.
In the last step, the Java code renames the downloaded binaries and executes vm.png (previously renamed).
The first executed binary is vm.png. It's a legitimate binary from VMware and is signed with a VMware digital signature.
One of the dependencies of the binary is vmwarebase.dll:
Python 2.7.12 (default, Nov 19 2016, 06:48:10)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pefile
>>> pe = pefile.PE("vm.png")
>>> for entry in pe.DIRECTORY_ENTRY_IMPORT:
...     print entry.dll
...
MSVCR90.dll
ADVAPI32.dll
vmwarebase.DLL
KERNEL32.dll
The vmwarebase.dll is not the legitimate binary but a malicious one. This technique has been used previously by other actors such as PlugX. The idea behind this approach is that some security products have the following trust chain: if a first binary is trusted (vm.png in our case), the libraries it loads are automatically trusted. This loading technique can therefore bypass some security checks.
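A triage check for the file-naming trick used in this stage, as an added example that is not Talos tooling: the dropped binaries are PE images stored under a .png name, so comparing the header bytes with the extension surfaces them and tells executables from DLLs. The function names and the header-only sample files are constructed for the illustration.

```python
import struct
import tempfile
from pathlib import Path

EXEC_EXT = {".exe", ".dll", ".sys", ".drv", ".ocx", ".scr", ".cpl"}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLLs


def pe_kind(path):
    """Return 'EXE' or 'DLL' when the file starts with a valid MZ/PE header."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if len(head) < 0x40 or head[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)   # offset of "PE\0\0"
    if e_lfanew + 24 > len(head) or head[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (flags,) = struct.unpack_from("<H", head, e_lfanew + 22)
    return "DLL" if flags & IMAGE_FILE_DLL else "EXE"


def find_masquerading_pe(directory):
    """List (file name, kind) for PE images stored under a non-executable extension."""
    hits = []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and path.suffix.lower() not in EXEC_EXT:
            kind = pe_kind(path)
            if kind:
                hits.append((path.name, kind))
    return hits


def _constructed_pe(dll):
    """Header-only stand-in for a PE file (constructed for the demo, not runnable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0x2102 if dll else 0x0102)
    return dos + b"PE\0\0" + coff


def demo():
    """Recreate the naming pattern from the write-up in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vm.png").write_bytes(_constructed_pe(dll=False))
        (root / "prs.png").write_bytes(_constructed_pe(dll=True))
        (root / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 64)
        return find_masquerading_pe(root)
```

Calling `demo()` reports the two constructed PE stand-ins and ignores the real PNG header.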
The purpose of the vmwarebase.dll code is to inject and execute the prs.png code in explorer.exe or in notepad.exe, depending on the context of the user account. The injection is performed by allocating memory in the remote process and using LoadLibrary() to load the gbs.png library. The API usage is obfuscated by encryption (AES):
Once decrypted, m5ba+5jOiltH7Mff7neiMumHl2s= is LoadLibraryA and QiF3gn1jEEw8XUGBTz0B5i5nkPY= is kernel32.dll.
The main module of the banking trojan contains a lot of features. For example, it will attempt to terminate analyst processes such as taskmgr.exe (Task Manager), msconfig.exe (MsConfig), regedit.exe (Registry Editor), ccleaner.exe and ccleaner64.exe. This module creates an autostart registry key which attempts to use a legitimate-looking name: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vmware Base.
This module is used to get the title of the window in the foreground of the user. The purpose is to identify whether the user has a window with one of the following titles (these strings are encrypted in the sample):
Navegador Exclusivo
Sicoobnet
Aplicativo Ita
Internet Banking BNB
Banestes Internet Banking
Banrisul
bb.com.br
bancobrasil.com
Banco do Brasil
Autoatendimento Pessoa Física - Banco do Brasil
internetbankingcaixa
Caixa - A vida pede mais que um banco
SICREDI
Banco Bradesco S/A
Internet Banking
30 horas
Banestes Internet Banking
Banrisul
This list contains the targeted financial institutions located in Brazil. This trojan leveraged Web Injects to allow the attackers to interact with the banking website. Another task performed by this main module is to execute the last binary, gps.png (previously renamed with the .drv extension), with rundll32.exe.
This library is packed using Themida, which makes it significantly more difficult to unpack.
The developer left the following debug strings in the samples analysed. The strings are in Portuguese:
<|DISPIDA|>Iniciou!
<|PRINCIPAL|>
<|DISPIDA|>Abriu_IE
<|Desktop|>
<|DISPIDA|>Startou!
<|Enviado|>
These strings are sent to the C2 server when specific actions are performed on the infected system. The C2 configuration is stored in the i.dk plain text file (encrypted in AES 256). This file contains a date, an IP and additional configuration items:
07082017 18.104.22.168 6532
Banking trojans continue to form part of the threat landscape. They continually evolve and can, like this example, be very specific to the region they are attacking. This often doesn't suggest the attackers are from that region, but rather that they have decided that there are perhaps fewer security-conscious users living there. Financial gain will continue to be a huge motivator for attackers and, as with this sample, the malware continues to evolve. Using commercial packing platforms like Themida will continue to make analysis difficult for analysts and shows that some attackers are willing to obtain these types of commercial packers in an attempt to thwart analysis.
Additional ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
Email Security can block malicious emails sent by threat actors as part of their campaign.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
927d914f46715a9ed29810ed73f9464e4dadfe822ee09d945a04623fa3f4bc10 HTML attachment
5730b4e0dd520caba11f9224de8cfd1a8c52e0cc2ee98b2dac79e40088fe681c RAR archive