Taking Over the Overlay: Reconstructing a Brazilian Remote Access Trojan (RAT)

July 9, 2019
|
co-authored by Limor Kessem, Ofir Ozer
|
4 min read

This is the third installment in a three-part series on the AVLay RAT discovered by IBM X-Force. Parts one and two explained how the researchers reverse engineered the malware. This installment will demonstrate how X-Force gained control of AVLay and fully simulated the overlay attack in its labs.

To simulate AVLay attacks in our labs, we began by creating our own Python server to listen to incoming connections from the Brazilian Delphi-based malware. This server was designed with similar encryption and parsing layers as the AVLay malware itself, allowing us to decrypt the incoming messages and forge messages that the malware client could understand and execute. This was the first step in gaining control over AVLay’s functionality.

Our Python server also requested and parsed screenshots sent by AVLay from remote devices and displayed them via graphical user interface, which allowed us to control it in the same manner as a standard remote session tool would allow.

Since we had the server in place, we were able to test the various command-and-control (C&C) commands available in the code and see how they work.

Simulating a Remote Access Trojan (RAT) in Our Labs

AVLay targets a variety of online banking and other financial applications. In our lab demo, we focused on a cryptocurrency trading platform in Brazil. The image below shows our Python server displaying the view of the victim’s desktop. The terminal is displaying the commands that we implemented in our server.

Figure 1: Our Python server showing screenshots from the victim’s machine (Source: IBM Security)

AVLay does have additional commands for controlling a victim’s machine that are not mentioned in this article, including commands to enable and disable the keylogger, self-terminate the malware process, create custom overlay forms by selecting parts of the window, and more.

The Overlay

The core functionality of the AVLay malware is its ability to launch an overlay attack. This capability relies on the FRAMEFZSYS command for activating overlay screens and FRAMEUFSYS for hiding them.

When the overlay is active, it blocks the victim from accessing the application they were using and takes control of the device. The attacker, who can see the windows underneath the overlay, takes advantage of the remote access capability to launch mouse clicks, or uses the keyboard to control the machine over the network. This can enable the attacker to log in to the targeted bank’s site and initiate fraudulent transactions.

The image below shows the view on a victim’s machine when an overlay is activated:

Figure 2: Victim’s view when the overlay is activated and control over the machine is blocked (Source: IBM Security)

The image below shows the view from the attacker’s device while controlling the victim’s session:

Figure 3: Attacker’s view when the overlay is activated and the attacker has full remote control over the machine (Source: IBM Security)

Two-Factor Authentication Bypass

AVLay has some active screens built in that are designed to require two-factor authorization (2FA) codes. With a single command — COINP1 or COINP2 — an attacker can swiftly adjust the overlay to require additional fields as needed for various transactions.

The malware also has a built-in keylogging feature that can be turned on using the EDKLSYS command. The following two AVLay images show web forms that can be used in fraud attacks:

Figure 4: Fake window for bypassing 2FA via email verification (Source: IBM Security)

Figure 5: Fake window for bypassing 2FA via Google Authenticator (Source: IBM Security)

Fake Chat Window for Real-Time Lies

A recent feature that enables fraudsters to chat with victims in real time was added to AVLay as an additional channel for live social engineering.

The rogue chat window appears to originate in the fake page, and since that page looks like the bank’s page, some users may be duped into communicating with the criminal as their account is being taken over.

AVLay’s chat function uses the OPENCSYS command and is kept hidden by CLOSCSYS. The attacker can manipulate the victim by sending chat messages using the TEXTCSYS command.

Figure 6: Fake chat window as an additional channel of social engineering (Source: IBM Security)

Break One, Stop Many

In this three-part series, we demonstrated a use case for creating a server to control a Brazilian Delphi malware by reverse engineering it. While we demonstrated it with the AVLay malware, the methods and tools we used here can be reused to analyze other malware families in Latin America.

By fully controlling malware that plagues a large user base, we can better understand its underlying abilities and counter them.

Learn how to protect yourself and your customers from fraud

Pavel Asinovsky
Malware Researcher

Pavel is a malware researcher for IBM Security's Trusteer's group. He has been a member of the Trusteer cybercrime labs for more than two years. Prior to tha...
read more