Pierluigi Paganini May 30, 2018

Researchers at IBM X-Force Research team discovered a new Delphi-based banking Trojan dubbed MnuBot that leverages Microsoft SQL Server for communication with the command and control (C&C).

The MnuBot Trojan implements a two-stage attack flow, it is composed of two main components that are tasked for the two stages.

In the first stage, the malware searches for a file called Desk.txt within the %AppData%Roaming folder.

If the file is not present, MnuBot creates it, creates a new desktop and switches the user workspace to that newly created desktop that runs side by side to the legitimate user desktop.

MnuBot continually checks the foreground window name in the new desktop searching for bank names in its configuration, then it will query the server for the second stage executable according to the specific bank name that was found.

The MnuBot implements the following capabilities:

• Creating browser and desktop screenshots
• Keylogging
• Simulating user clicks and keystrokes
• Restarting the victim machine
• Uninstalling Trusteer Rapport from the system
• Creating a form to overlay the bank’s forms and steal the data the user enters into the form

The malware downloads the malicious payload in as C:\Users\Public\Neon.exe, this binary contains the attack logic.

“the MnuBot malware uses a Microsoft SQL Server database server to communicate with the sample and send commands to be executed on the infected machine.” read the report published by IBM.

“Like any other RAT, MnuBot needs to receive commands from the server. To do so, it constantly queries the Microsoft SQL database server for a new command.”

Once the malware has infected the systems, it connects the C&C server to fetch the initial configuration. Experts found SQL server details (server address, port, username, and password) hardcoded inside the malware in an encrypted form.

The configuration also includes:

• Queries to be performed
• Commands the malicious actor can send
• Files MnuBot will interact with
• Bank websites that are being targeted

If the MnuBot malware is not able to access the configuration file it will shut itself down and does not perform any malicious activity on the infected machine.

The MnuBot uses the configuration to dynamically change the malicious activity (e.g., the banking sites that are targeted) and implement anti-research mechanisms.

Every time the attacker wants to send commands to the malware he updates specific columns inside a table stored in a database named jackjhonson.

“The attacker sends commands to the victims by updating specific columns inside a table called USUARIOCONTROLEXGORDO, which is stored in a database named jackjhonson.” continues analysis.

“A few interesting columns include the following:

• COMP_ ACAO: This column identifies the type of command to be executed.
• POSICAOMOUSE: In case the command is to simulate a user click, this column will be updated with the cursor position.
• USER_IMAGEM: This column will be updated with the screenshot BMP image from the infected machine in case a screenshot was requested.
• VALORINPUT: This column contains the input in case the command was input insertion.”

Like other malware families, MnuBot implements a full-screen overlay form to display victims overlaying forms used to trick them into providing sensitive data.

“Those forms are a type of social engineering to keep the user waiting. In the background, the cybercriminal takes control over the user endpoint and attempts to perform an illegal transaction via the victim’s open banking session.” concludes the report.

“MnuBot is an excellent example of many malware families in the Brazilian region. It holds many characteristics that are typical of other recently discovered malware strains. For example, the overlaying forms and the new desktop creation are well-known techniques that malware authors in the region use today.”

Pierluigi Paganini

(Security Affairs – MnuBot, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]