This is the third installment in a three-part series on the AVLay RAT discovered by IBM X-Force. Parts one and two explained how the researchers reverse engineered the malware. This installment will demonstrate how X-Force gained control of AVLay and fully simulated the overlay attack in its labs.

To simulate AVLay attacks in our labs, we began by creating our own Python server to listen to incoming connections from the Brazilian Delphi-based malware. This server was designed with similar encryption and parsing layers as the AVLay malware itself, allowing us to decrypt the incoming messages and forge messages that the malware client could understand and execute. This was the first step in gaining control over AVLay’s functionality.

Our Python server also requested and parsed screenshots sent by AVLay from remote devices and displayed them via graphical user interface, which allowed us to control it in the same manner as a standard remote session tool would allow.

Since we had the server in place, we were able to test the various command-and-control (C&C) commands available in the code and see how they work.

Simulating a Remote Access Trojan (RAT) in Our Labs

AVLay targets a variety of online banking and other financial applications. In our lab demo, we focused on a cryptocurrency trading platform in Brazil. The image below shows our Python server displaying the view of the victim’s desktop. The terminal is displaying the commands that we implemented in our server.

Figure 1: Our Python server showing screenshots from the victim’s machine (Source: IBM Security)

AVLay does have additional commands for controlling a victim’s machine that are not mentioned in this article, including commands to enable and disable the keylogger, self-terminate the malware process, create custom overlay forms by selecting parts of the window, and more.

The Overlay

The core functionality of the AVLay malware is its ability to launch an overlay attack. This capability relies on the FRAMEFZSYS command for activating overlay screens and FRAMEUFSYS for hiding them.

When the overlay is active, it blocks the victim from accessing the application they were using and takes control of the device. The attacker, who can see the windows underneath the overlay, takes advantage of the remote access capability to launch mouse clicks, or uses the keyboard to control the machine over the network. This can enable the attacker to log in to the targeted bank’s site and initiate fraudulent transactions.

The image below shows the view on a victim’s machine when an overlay is activated:

Figure 2: Victim’s view when the overlay is activated and control over the machine is blocked (Source: IBM Security)

The image below shows the view from the attacker’s device while controlling the victim’s session:

Figure 3: Attacker’s view when the overlay is activated and the attacker has full remote control over the machine (Source: IBM Security)

Two-Factor Authentication Bypass

AVLay has some active screens built in that are designed to require two-factor authorization (2FA) codes. With a single command — COINP1 or COINP2 — an attacker can swiftly adjust the overlay to require additional fields as needed for various transactions.

The malware also has a built-in keylogging feature that can be turned on using the EDKLSYS command. The following two AVLay images show web forms that can be used in fraud attacks:

Figure 4: Fake window for bypassing 2FA via email verification (Source: IBM Security)

Figure 5: Fake window for bypassing 2FA via Google Authenticator (Source: IBM Security)

Fake Chat Window for Real-Time Lies

A recent feature that enables fraudsters to chat with victims in real time was added to AVLay as an additional channel for live social engineering.

The rogue chat window appears to originate in the fake page, and since that page looks like the bank’s page, some users may be duped into communicating with the criminal as their account is being taken over.

AVLay’s chat function uses the OPENCSYS command and is kept hidden by CLOSCSYS. The attacker can manipulate the victim by sending chat messages using the TEXTCSYS command.

Figure 6: Fake chat window as an additional channel of social engineering (Source: IBM Security)

Break One, Stop Many

In this three-part series, we demonstrated a use case for creating a server to control a Brazilian Delphi malware by reverse engineering it. While we demonstrated it with the AVLay malware, the methods and tools we used here can be reused to analyze other malware families in Latin America.

By fully controlling malware that plagues a large user base, we can better understand its underlying abilities and counter them.

Learn how to protect yourself and your customers from fraud

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today