New Banking Trojan MnuBot Discovered by IBM X-Force Research

IBM X-Force Research has uncovered a new Brazilian, Delphi-based malware active in the wild in a recent campaign. This malware, dubbed MnuBot, caught the team’s attention due to its unusual command and control (C&C) server.

Most malware in the wild today uses a C&C server, which is based on some form of a web server or an Internet Relay Chat (IRC) channel. The C&C server is used to communicate with the malware and send commands to be performed.

In contrast, the MnuBot malware uses a Microsoft SQL Server database server to communicate with the sample and send commands to be executed on the infected machine.

C:\Users\lusky\Desktop\Ayabot blog\picbkp\pics.png

Figure 1: To simulate MnuBot activity, we created a replica of the MS SQL DB. This shows a table with a list of infected machines and the configuration they have received.

Read the white paper: Cybercrime Shifts of 2017 and What to Expect in 2018

MnuBot Two-Stage Attack Flow

MnuBot is built from two base components, each representing a different stage of the attack flow. In its first stage, MnuBot looks for a file called Desk.txt within the AppData Roaming folder.

Depending on whether the file exists or not, MnuBot performs the following:

  • If the file doesn’t exist, MnuBot creates the file, creates a new desktop and switches the user workspace to that newly created desktop. This desktop runs side by side to the legitimate user desktop.
  • If the file exists, MnuBot does nothing.

Using the Desk.txt file, MnuBot knows which desktop is currently running. Therefore, if the file exists, MnuBot knows that its current instance is running inside the new desktop.

C:\Users\lusky\Desktop\Ayabot blog\Figure_2.png

Figure 2: MnuBot runs inside the newly created desktop.

Within the newly created desktop, MnuBot continually checks the foreground window name. Once it finds a window name that is similar to one of the bank names in its configuration, it will query the server for the second stage executable according to the bank name that was found. The downloaded executable is saved as C:\Users\Public\Neon.exe — and it contains the main logic of the attack.

The downloaded executable is actually a remote access Trojan (RAT) that provides the malicious actor with full control over the victim machine, plus other functionalities that are unique to MnuBot.

Like any other RAT, MnuBot needs to receive commands from the server. To do so, it constantly queries the Microsoft SQL database server for a new command.

Communicating With the Database

Upon infecting the victim machine, MnuBot connects to the C&C server to fetch the initial configuration. To connect to the server, MnuBot uses SQL server details (server address, port, username and a password), which are hardcoded inside the sample.

It’s worth mentioning that those details are stored in an encrypted form and they are being decrypted dynamically just before initializing the connection to the server.

C:\Users\lusky\Desktop\Ayabot blog\decrypt.png

Figure 3: The decryption of the connection details.

The configuration consists of many strings that are crucial for MnuBot activity:

  • Queries to be performed
  • Commands the malicious actor can send
  • Files MnuBot will interact with
  • Bank websites that are being targeted

Without the configuration, MnuBot will shut itself down and does not perform any malicious activity on the infected machine.

By receiving the configuration this way, MnuBot authors attempt to achieve two main goals:

  • Dynamic configuration: At any time, the cybercriminals can dynamically change MnuBot’s malicious activity (e.g., the banking sites that are targeted).
  • Anti-Research: Once the authors take down the server, it becomes almost impossible for a researcher to reverse engineer the malware sample behavior.

C:\Users\lusky\Desktop\Ayabot blog\configuration.png

Figure 4: A Wireshark network capture of MnuBot fetching the configuration from the C&C server using SQL query.

Committing the Fraud

Once the user has an open browsing session to his banking website account and the second stage executable of MnuBot has been download, the cybercriminal can get to work. At this point, they have an open session to the bank from the victim’s machine.

To perform a successful fraud, the cybercriminal can use each one of the following MnuBot capabilities:

  • Creating browser and desktop screenshots
  • Keylogging
  • Simulating user clicks and keystrokes
  • Restarting the victim machine
  • Creating a form to overlay the bank’s forms and steal the data the user enters into the form

The attacker sends commands to the victims by updating specific columns inside a table called USUARIOCONTROLEXGORDO, which is stored in a database named jackjhonson.

A few interesting columns include the following:

  • COMP_ ACAO: This column identifies the type of command to be executed.
  • POSICAOMOUSE: In case the command is to simulate a user click, this column will be updated with the cursor position.
  • USER_IMAGEM: This column will be updated with the screenshot BMP image from the infected machine in case a screenshot was requested.
  • VALORINPUT: This column contains the input in case the command was input insertion.

C:\Users\lusky\Desktop\Ayabot blog\commands table.bmp

Figure 5: Updating column COMP_ACAO with the value PrintDesktop sends the malware a command to create a desktop. Afterward, the column USER_IMAGM will be updated with the result.

Overlaying Form

Like many other malware families in the region, MnuBot uses a full-screen overlay form to assist the attacker to commit the fraud. Overlaying forms are used to prevent the victims from accessing their open banking session inside the browser.

Those forms are a type of social engineering to keep the user waiting. In the background, the cybercriminal takes control over the user endpoint and attempts to perform an illegal transaction via the victim’s open banking session.

Furthermore, if the cybercriminal needs additional details from the user, they can try and ask them for those details using another overlaying form. To do so, they use the executable that was downloaded during the second stage (Neon.exe) of the attack. This executable contains the relevant social engineering form for the bank that the user is currently using.

C:\Users\lusky\Desktop\Ayabot blog\overlaying1.png

Figure 6: The basic overlaying form.

C:\Users\lusky\Desktop\Ayabot blog\fix.png

Figure 7: A social engineering technique: asking for additional details.

Combatting the Brazilian Financial Malware Landscape

It is most likely that MnuBot authors wanted to try to evade regular antivirus detection, which is based on the malware traffic. To do so, they decided to wrap their malicious network communication using seemingly innocent Microsoft SQL traffic.

MnuBot is an excellent example of many malware families in the Brazilian region. It holds many characteristics that are typical of other recently discovered malware strains. For example, the overlaying forms and the new desktop creation are well-known techniques that malware authors in the region use today.

To successfully compete with the new fraud techniques, new protection mechanisms must be developed. IBM Security develops intelligent enterprise security solutions and services to help your business prepare today for the cybersecurity threats of tomorrow.

Read the white paper: Cybercrime Shifts of 2017 and What to Expect in 2018

Share this Article:
Jonathan Lusky

Malware Researcher, IBM Trusteer

Jonathan Lusky is a malware researcher for IBM Security's Trusteer's group. He holds a Bachelor of Science degree in Computer Science degree with specialization in information security. Jonathan is passionate about reverse engineering, exploitation, cryptography and malware analysis.