This is the third installment in a three-part series on the AVLay RAT discovered by IBM X-Force. Parts one and two explained how the researchers reverse engineered the malware. This installment will demonstrate how X-Force gained control of AVLay and fully simulated the overlay attack in its labs.

To simulate AVLay attacks in our labs, we began by creating our own Python server to listen to incoming connections from the Brazilian Delphi-based malware. This server was designed with similar encryption and parsing layers as the AVLay malware itself, allowing us to decrypt the incoming messages and forge messages that the malware client could understand and execute. This was the first step in gaining control over AVLay’s functionality.

Our Python server also requested and parsed screenshots sent by AVLay from remote devices and displayed them in a graphical user interface, which let us control the infected machine much as a standard remote session tool would.

With the server in place, we were able to test the various command-and-control (C&C) commands available in the code and see how they work.

Simulating a Remote Access Trojan (RAT) in Our Labs

AVLay targets a variety of online banking and other financial applications. In our lab demo, we focused on a cryptocurrency trading platform in Brazil. The image below shows our Python server displaying the view of the victim’s desktop. The terminal shows the commands we implemented in our server.

Figure 1: Our Python server showing screenshots from the victim’s machine (Source: IBM Security)

AVLay does have additional commands for controlling a victim’s machine that are not mentioned in this article, including commands to enable and disable the keylogger, self-terminate the malware process, create custom overlay forms by selecting parts of the window, and more.

The Overlay

The core functionality of the AVLay malware is its ability to launch an overlay attack. This capability relies on the FRAMEFZSYS command for activating overlay screens and FRAMEUFSYS for hiding them.

When the overlay is active, it blocks the victim from accessing the application they were using and takes control of the device. The attacker, who can see the windows underneath the overlay, uses the remote access capability to send mouse clicks and keystrokes to the machine over the network. This can enable the attacker to log in to the targeted bank’s site and initiate fraudulent transactions.

The image below shows the view on a victim’s machine when an overlay is activated:

Figure 2: Victim’s view when the overlay is activated and control over the machine is blocked (Source: IBM Security)

The image below shows the view from the attacker’s device while controlling the victim’s session:

Figure 3: Attacker’s view when the overlay is activated and the attacker has full remote control over the machine (Source: IBM Security)

Two-Factor Authentication Bypass

AVLay has built-in screens designed to request two-factor authentication (2FA) codes. With a single command — COINP1 or COINP2 — an attacker can swiftly adjust the overlay to require additional fields as needed for various transactions.

The malware also has a built-in keylogging feature that can be turned on using the EDKLSYS command. The following two AVLay images show web forms that can be used in fraud attacks:

Figure 4: Fake window for bypassing 2FA via email verification (Source: IBM Security)

Figure 5: Fake window for bypassing 2FA via Google Authenticator (Source: IBM Security)

Fake Chat Window for Real-Time Lies

A recent feature that enables fraudsters to chat with victims in real time was added to AVLay as an additional channel for live social engineering.

The rogue chat window appears to originate from the fake page, and since that page looks like the bank’s page, some users may be duped into communicating with the criminal while their account is being taken over.

AVLay’s chat function uses the OPENCSYS command and is kept hidden by CLOSCSYS. The attacker can manipulate the victim by sending chat messages using the TEXTCSYS command.

Figure 6: Fake chat window as an additional channel of social engineering (Source: IBM Security)
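The command names listed in the overlay, 2FA and chat sections above are useful triage indicators once a sample is unpacked or dumped from memory. The following is an added example for this article, not the X-Force lab server; it assumes (not verified here) that the keywords appear as plaintext ASCII or UTF-16LE strings in such a dump, and it scans a constructed byte blob for them and maps each hit to the capability family described in the text.

```python
"""Triage helper: report which AVLay C&C command strings a sample or memory
dump contains and which capability family each one implies. Added example;
assumes the commands appear as plaintext ASCII or UTF-16LE (unverified)."""
import re

# Command -> capability family, from the commands named in the article.
AVLAY_COMMANDS = {
    "FRAMEFZSYS": "overlay (activate)",
    "FRAMEUFSYS": "overlay (hide)",
    "COINP1": "2FA overlay fields",
    "COINP2": "2FA overlay fields",
    "EDKLSYS": "keylogger (enable)",
    "OPENCSYS": "chat window (open)",
    "CLOSCSYS": "chat window (close)",
    "TEXTCSYS": "chat window (send text)",
}

def find_avlay_commands(data: bytes) -> dict:
    """Return {command: [offsets]} for each command found as ASCII or UTF-16LE.
    Matches are bounded so that a longer identifier containing a command
    (e.g. b"XFRAMEUFSYSX") is not counted."""
    hits = {}
    for cmd in AVLAY_COMMANDS:
        # Commands are alphanumeric, so no regex escaping is needed. The
        # boundary check rejects an adjacent uppercase letter/digit; for
        # UTF-16LE the same check is applied to the two-byte code unit.
        patterns = (
            rb"(?<![A-Z0-9])" + cmd.encode("ascii") + rb"(?![A-Z0-9])",
            rb"(?<![A-Z0-9]\x00)" + cmd.encode("utf-16-le") + rb"(?![A-Z0-9]\x00)",
        )
        for pat in patterns:
            for m in re.finditer(pat, data):
                hits.setdefault(cmd, []).append(m.start())
    return hits

def capabilities(hits: dict) -> set:
    """Map matched commands to the capability families the article describes."""
    return {AVLAY_COMMANDS[c] for c in hits}

# Constructed sample bytes, not a real AVLay dump: two commands as ASCII, one
# as UTF-16LE, and an unrelated identifier (XFRAMEUFSYSX) that must not match.
SAMPLE = (
    b"\x00\x00junk FRAMEFZSYS\x00 padding XFRAMEUFSYSX more "
    + "TEXTCSYS".encode("utf-16-le")
    + b"\x00\x00 EDKLSYS\x00"
)

if __name__ == "__main__":
    found = find_avlay_commands(SAMPLE)
    for cmd, offs in sorted(found.items()):
        print(f"{cmd:<12} {AVLAY_COMMANDS[cmd]:<26} offsets={offs}")
    print("capability families:", sorted(capabilities(found)))
```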

Break One, Stop Many

In this three-part series, we demonstrated how reverse engineering a Brazilian Delphi malware family allowed us to build a server that controls it. While we demonstrated this with the AVLay malware, the methods and tools we used here can be reused to analyze other malware families in Latin America.

By fully controlling malware that plagues a large user base, we can better understand its underlying abilities and counter them.
