This is the third installment in a three-part series on the AVLay RAT discovered by IBM X-Force. Parts one and two explained how the researchers reverse engineered the malware. This installment will demonstrate how X-Force gained control of AVLay and fully simulated the overlay attack in its labs.

To simulate AVLay attacks in our labs, we began by creating our own Python server to listen to incoming connections from the Brazilian Delphi-based malware. This server was designed with similar encryption and parsing layers as the AVLay malware itself, allowing us to decrypt the incoming messages and forge messages that the malware client could understand and execute. This was the first step in gaining control over AVLay’s functionality.

Our Python server also requested and parsed the screenshots that AVLay sent from infected devices and displayed them in a graphical user interface, which let us operate the infected machine much as a standard remote session tool would.

With the server in place, we were able to test the various command-and-control (C&C) commands available in the code and observe how each of them works.

Simulating a Remote Access Trojan (RAT) in Our Labs

AVLay targets a variety of online banking and other financial applications. In our lab demo, we focused on a cryptocurrency trading platform in Brazil. The image below shows our Python server displaying the view of the victim’s desktop. The terminal is displaying the commands that we implemented in our server.

Figure 1: Our Python server showing screenshots from the victim’s machine (Source: IBM Security)

AVLay does have additional commands for controlling a victim’s machine that are not mentioned in this article, including commands to enable and disable the keylogger, self-terminate the malware process, create custom overlay forms by selecting parts of the window, and more.

The Overlay

The core functionality of the AVLay malware is its ability to launch an overlay attack. This capability relies on the FRAMEFZSYS command for activating overlay screens and FRAMEUFSYS for hiding them.

When the overlay is active, it blocks the victim from accessing the application they were using and takes control of the device. The attacker, who can see the windows underneath the overlay, takes advantage of the remote access capability to launch mouse clicks, or uses the keyboard to control the machine over the network. This can enable the attacker to log in to the targeted bank’s site and initiate fraudulent transactions.

The image below shows the view on a victim’s machine when an overlay is activated:

Figure 2: Victim’s view when the overlay is activated and control over the machine is blocked (Source: IBM Security)

The image below shows the view from the attacker’s device while controlling the victim’s session:

Figure 3: Attacker’s view when the overlay is activated and the attacker has full remote control over the machine (Source: IBM Security)

Two-Factor Authentication Bypass

AVLay has built-in screens designed to prompt the victim for two-factor authentication (2FA) codes. With a single command, COINP1 or COINP2, an attacker can swiftly adjust the overlay to request the additional fields needed for a given transaction.

The malware also has a built-in keylogging feature that can be turned on using the EDKLSYS command. The following two AVLay images show fake web forms that can be used in fraud attacks:

Figure 4: Fake window for bypassing 2FA via email verification (Source: IBM Security)

Figure 5: Fake window for bypassing 2FA via Google Authenticator (Source: IBM Security)

Fake Chat Window for Real-Time Lies

A recent feature that enables fraudsters to chat with victims in real time was added to AVLay as an additional channel for live social engineering.

The rogue chat window appears to originate in the fake page, and since that page looks like the bank’s page, some users may be duped into communicating with the criminal as their account is being taken over.

AVLay’s chat function uses the OPENCSYS command and is kept hidden by CLOSCSYS. The attacker can manipulate the victim by sending chat messages using the TEXTCSYS command.

Figure 6: Fake chat window as an additional channel of social engineering (Source: IBM Security)
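Because every action described in the overlay, 2FA and chat sections above is driven by a short command token, an analyst replaying lab traffic can reconstruct what the operator did to a victim session by tracking those tokens as state. The script below is an added example written for this article, not X-Force's server code: the command names (FRAMEFZSYS, FRAMEUFSYS, COINP1, COINP2, EDKLSYS, OPENCSYS, CLOSCSYS, TEXTCSYS) come from the text, while the `direction|TOKEN|payload` line format and the sample capture are constructed stand-ins for whatever the real protocol carries once its encryption layer has been stripped.

```python
"""Replay AVLay C&C command tokens from a (constructed) lab capture and
reconstruct the resulting victim-session state for triage.

Added example, not the original server. Command tokens are the ones named in
the article; the wire format used here is an assumption, not the real one.
"""
from dataclasses import dataclass, field

# Command tokens named in the article, grouped by effect on the victim.
OVERLAY_SHOW = "FRAMEFZSYS"
OVERLAY_HIDE = "FRAMEUFSYS"
TWO_FA_PROMPTS = {"COINP1", "COINP2"}
KEYLOGGER_ON = "EDKLSYS"
CHAT_OPEN = "OPENCSYS"
CHAT_CLOSE = "CLOSCSYS"
CHAT_TEXT = "TEXTCSYS"


@dataclass
class SessionState:
    overlay_active: bool = False
    keylogger_on: bool = False
    chat_open: bool = False
    two_fa_prompts: list = field(default_factory=list)
    chat_messages: list = field(default_factory=list)
    alerts: list = field(default_factory=list)


def parse_line(line):
    """Split a constructed capture line 'S2C|TOKEN|payload' into its parts.

    'S2C' marks operator-to-victim commands, 'C2S' victim-to-operator data.
    The payload is optional and may itself contain '|' characters.
    """
    parts = line.rstrip("\n").split("|", 2)
    if len(parts) < 2 or parts[0] not in ("S2C", "C2S"):
        raise ValueError(f"malformed capture line: {line!r}")
    payload = parts[2] if len(parts) == 3 else ""
    return parts[0], parts[1], payload


def apply_command(state, token, payload):
    """Update session state for one operator command; flag risky combinations."""
    if token == OVERLAY_SHOW:
        state.overlay_active = True
    elif token == OVERLAY_HIDE:
        state.overlay_active = False
    elif token in TWO_FA_PROMPTS:
        state.two_fa_prompts.append(token)
        if state.overlay_active:
            # Overlay blocking the screen plus a 2FA prompt is the fraud pattern
            # the article describes, so surface it explicitly.
            state.alerts.append(f"2FA prompt {token} pushed while overlay active")
    elif token == KEYLOGGER_ON:
        state.keylogger_on = True
    elif token == CHAT_OPEN:
        state.chat_open = True
    elif token == CHAT_CLOSE:
        state.chat_open = False
    elif token == CHAT_TEXT:
        state.chat_messages.append(payload)
        if not state.chat_open:
            state.alerts.append("chat text sent while chat window closed")
    else:
        # The article notes further commands exist; record rather than guess.
        state.alerts.append(f"unrecognised command token {token}")
    return state


def replay(lines):
    """Run a whole capture through the state machine and return the end state."""
    state = SessionState()
    for line in lines:
        direction, token, payload = parse_line(line)
        if direction == "S2C":  # only operator commands change the victim session
            apply_command(state, token, payload)
    return state


# Constructed sample capture; not traffic from a real infection.
SAMPLE_CAPTURE = [
    "S2C|FRAMEFZSYS|",                       # overlay shown, victim locked out
    "C2S|SCREENSHOT|<jpeg bytes omitted>",   # victim machine streams its screen
    "S2C|EDKLSYS|",                          # keylogger enabled
    "S2C|COINP2|",                           # overlay now asks for a 2FA code
    "S2C|OPENCSYS|",                         # fake chat window opened
    "S2C|TEXTCSYS|Please wait while we validate your session",
    "S2C|CLOSCSYS|",                         # chat hidden again
    "S2C|FRAMEUFSYS|",                       # overlay removed
]

if __name__ == "__main__":
    final = replay(SAMPLE_CAPTURE)
    print(final)
```

Feeding a capture through `replay` gives a compact answer to the questions an incident responder asks first: was the screen blocked, was a 2FA code solicited while it was blocked, was the keylogger left running, and what did the fake chat say. The alert list is deliberately conservative; tokens the article mentions but does not name are recorded as unrecognised rather than invented.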

Break One, Stop Many

In this three-part series, we demonstrated how reverse engineering a Brazilian Delphi-based malware family made it possible to build a server that controls it. While we demonstrated this with the AVLay malware, the methods and tools we used here can be reused to analyze other malware families in Latin America.

By fully controlling malware that plagues a large user base, we can better understand its underlying abilities and counter them.
