Light Dark
May 29, 2018 By Jonathan Lusky 5 min read
Malware
Banking & Finance
Fraud Protection
Threat Intelligence

IBM X-Force Research has uncovered a new Brazilian, Delphi-based malware active in the wild in a recent campaign. This malware, dubbed MnuBot, caught the team’s attention due to its unusual command and control (C&C) server.

Most malware in the wild today uses a C&C server, which is based on some form of a web server or an Internet Relay Chat (IRC) channel. The C&C server is used to communicate with the malware and send commands to be performed.

In contrast, the MnuBot malware uses a Microsoft SQL Server database server to communicate with the sample and send commands to be executed on the infected machine.

Figure 1: To simulate MnuBot activity, we created a replica of the MS SQL DB. This shows a table with a list of infected machines and the configuration they have received.

Read the white paper: Cybercrime Shifts of 2017 and What to Expect in 2018

MnuBot Two-Stage Attack Flow

MnuBot is built from two base components, each representing a different stage of the attack flow. In its first stage, MnuBot looks for a file called Desk.txt within the AppData Roaming folder.

Depending on whether the file exists or not, MnuBot performs the following:

  • If the file doesn’t exist, MnuBot creates the file, creates a new desktop and switches the user workspace to that newly created desktop. This desktop runs side by side to the legitimate user desktop.
  • If the file exists, MnuBot does nothing.

Using the Desk.txt file, MnuBot knows which desktop is currently running. Therefore, if the file exists, MnuBot knows that its current instance is running inside the new desktop.

Figure 2: MnuBot runs inside the newly created desktop.

Within the newly created desktop, MnuBot continually checks the foreground window name. Once it finds a window name that is similar to one of the bank names in its configuration, it will query the server for the second stage executable according to the bank name that was found. The downloaded executable is saved as C:\Users\Public\Neon.exe — and it contains the main logic of the attack.

The downloaded executable is actually a remote access Trojan (RAT) that provides the malicious actor with full control over the victim machine, plus other functionalities that are unique to MnuBot.

Like any other RAT, MnuBot needs to receive commands from the server. To do so, it constantly queries the Microsoft SQL database server for a new command.

Communicating With the Database

Upon infecting the victim machine, MnuBot connects to the C&C server to fetch the initial configuration. To connect to the server, MnuBot uses SQL server details (server address, port, username and a password), which are hardcoded inside the sample.

It’s worth mentioning that those details are stored in an encrypted form and they are being decrypted dynamically just before initializing the connection to the server.

Figure 3: The decryption of the connection details.

The configuration consists of many strings that are crucial for MnuBot activity:

  • Queries to be performed
  • Commands the malicious actor can send
  • Files MnuBot will interact with
  • Bank websites that are being targeted

Without the configuration, MnuBot will shut itself down and does not perform any malicious activity on the infected machine.

By receiving the configuration this way, MnuBot authors attempt to achieve two main goals:

  • Dynamic configuration: At any time, the cybercriminals can dynamically change MnuBot’s malicious activity (e.g., the banking sites that are targeted).
  • Anti-Research: Once the authors take down the server, it becomes almost impossible for a researcher to reverse engineer the malware sample behavior.

Figure 4: A Wireshark network capture of MnuBot fetching the configuration from the C&C server using SQL query.

Committing the Fraud

Once the user has an open browsing session to his banking website account and the second stage executable of MnuBot has been download, the cybercriminal can get to work. At this point, they have an open session to the bank from the victim’s machine.

To perform a successful fraud, the cybercriminal can use each one of the following MnuBot capabilities:

  • Creating browser and desktop screenshots
  • Keylogging
  • Simulating user clicks and keystrokes
  • Restarting the victim machine
  • Creating a form to overlay the bank’s forms and steal the data the user enters into the form

The attacker sends commands to the victims by updating specific columns inside a table called USUARIOCONTROLEXGORDO, which is stored in a database named jackjhonson.

A few interesting columns include the following:

  • COMP_ ACAO: This column identifies the type of command to be executed.
  • POSICAOMOUSE: In case the command is to simulate a user click, this column will be updated with the cursor position.
  • USER_IMAGEM: This column will be updated with the screenshot BMP image from the infected machine in case a screenshot was requested.
  • VALORINPUT: This column contains the input in case the command was input insertion.

Figure 5: Updating column COMP_ACAO with the value PrintDesktop sends the malware a command to create a desktop. Afterward, the column USER_IMAGM will be updated with the result.

Overlaying Form

Like many other malware families in the region, MnuBot uses a full-screen overlay form to assist the attacker to commit the fraud. Overlaying forms are used to prevent the victims from accessing their open banking session inside the browser.

Those forms are a type of social engineering to keep the user waiting. In the background, the cybercriminal takes control over the user endpoint and attempts to perform an illegal transaction via the victim’s open banking session.

Furthermore, if the cybercriminal needs additional details from the user, they can try and ask them for those details using another overlaying form. To do so, they use the executable that was downloaded during the second stage (Neon.exe) of the attack. This executable contains the relevant social engineering form for the bank that the user is currently using.

Figure 6: The basic overlaying form.

Figure 7: A social engineering technique: asking for additional details.

Combatting the Brazilian Financial Malware Landscape

It is most likely that MnuBot authors wanted to try to evade regular antivirus detection, which is based on the malware traffic. To do so, they decided to wrap their malicious network communication using seemingly innocent Microsoft SQL traffic.

MnuBot is an excellent example of many malware families in the Brazilian region. It holds many characteristics that are typical of other recently discovered malware strains. For example, the overlaying forms and the new desktop creation are well-known techniques that malware authors in the region use today.

To successfully compete with the new fraud techniques, new protection mechanisms must be developed. IBM Security develops intelligent enterprise security solutions and services to help your business prepare today for the cybersecurity threats of tomorrow.

Read the white paper: Cybercrime Shifts of 2017 and What to Expect in 2018

 |  |  |  |  | 
Jonathan Lusky
Malware Researcher, IBM Trusteer

More from Malware
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

June 6, 2023

ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

June 1, 2023

Ransomware renaissance 2023: The definitive guide to stay safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature