In-depth analysis of a trojan banker impacting users in Portugal and Brazil at the end of May 2020.

We are living in an era where criminals are using several strategies to get benefit from several kinds of attacks, including malware. During the past few months, the number of digital threats has increased probably due to the Covid-19 pandemic. Malware have made headlines, and we described three different campaigns reaching users in Portugal last days:

 

On May 29th, 2020, another Trojan active for several months was observed. This Trojan was created to impact users of a particular banking organization in Portugal and Brazil. The URL of the initial installer was initially collected from the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting only Portuguese citizens.

Figure 1: Trojan banker installer downloaded from the Internet and distributed via malscam waves.

 


Filename: Modulo.exe
MD5:
c427af475f4c8570bba5b77b2c6c6493
SHA1: aabc8205b93efd3faa86ec125769f1bb37d257a2


Through the initial analysis of the Modulo.exe file, some interesting indicators can be observed.

File info: Borland Delphi 4.0
Created: 29 May 2020, 02:55 AM ( it was disseminated in the same day )
Modified: 29 May 2020, 02:35 AM ( it was disseminated in the same day )
CompanyName: Banco Santander S.A ( target company )
ProductName: Módulo de Segurança (Security Module, in English)

Figure 2: Details about the malware installer file (Modulo.exe).

 

From Figure 2 must be highlighted that the malware creation and modification data is the same as the malscam campaign disseminated via email in Portugal also on May 29th.

During the malware installation, the following screens are presented on the victim’s computer; where a security module from a specific bank organization is presented to lure the victims.

Figure 3: Malware installer creates and drops the next stage into the victim’s computer.

 

In detail, an LNK file is created on the Windows Startup folder during the installation process.

C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Módulo de Segurança.lnk

 

Next, the trojan loader/dropper is dropped onto the  %AppData%\Local\Programs\ModuloX  folder.

C:\Users\admin\AppData\Local\Programs\ModuloX\Xpi.exe

 

Finally, the trojan loader/dropper is initiated on the infected device.

 

Trojan loader/Dropper


Filename: Xpi.exe
MD5: 5aa33141298a5d7143b337cf29bcd66c
SHA1: 0ea85298e4fe5bd901c48a4976fddda063bd915a


This stage is executed after the previous process that installs the security module on the victim’s computer. This new binary is responsible for creating persistence and to execute the final payload (trojan itself).

Figure 4: Trojan loader/dropper installed on the infected device. It executes the next tasks every time it is executed.

 

After dissecting the binary, two files were observed inside it, namely:

  • exec.vbs: A VBS file responsible for injecting the instaj.dll DLL file into the memory (DLL injection technique)
  • instaj.dll: The trojan itself. It is executed via DLL injection via rundlll32.exe.

Figure 5: DLL and VBS file inside the dropper file (Xpi.exe).

 

In detail, the instaj.dll file is dropped into the  %AppData%\Local\Temp  every time the dropper is executed. This DLL has inside the trojan banker source-code (Figure 5 – left side) and is injected in memory via the exec.vbs file also dropped into the same directory (Figure 5 – right side).

C:\Users\admin\AppData\Local\Temp\instaj.dll

 

The VBS file (exec.vbs) is responsible for launching the trojan via DLL injection.

"C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Local\Temp\instaj.dll CallFormPrincipal

 

Trojan – final payload


Filename: instaj.dll
MD5: 467ffe52110cc17a42ea7a2da1e1f311
SHA1: 94165f7f3703b9b9fd3f9ec91fa9e0256d995233


When the file is loaded into the memory, it performs several tasks was expected. One of them is creating a persistence mechanism. For that, the VBS file (exec.vbs) path is added to a new registry key named “JavaX“.

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: JavaX
Value: C:\Users\admin\AppData\Local\Temp\exec.vbs


Figure 6:
Registry key created on “Windows\CurrentVersion\Run” – trojan persistence.

 

The high-diagram this trojan has an interesting path on the right-side as observed below. The program terminates if it detects is running inside a virtual machine.

Figure 7: Trojan malware high-level diagram.

 

This piece of malware is composed of some features, namely:

  • AntiVM mechanism
  • Detects SO version
  • Grab security programs are running (AVs, etc)
  • Have a feature to “disinfects” the device (after a command probably received from C2)
  • Kill the trojan itself from the running processes
  • Computer restart/reboot
  • Keylogger 
  • Checks which browser is running
  • Create overlay windows to collect banking details and send them to the C2 server

 

AntiVM mechanism

The malware terminates its execution if virtual environments are detected on running processes (e.g., Wine, VMWARE, VirtualBox, etc).

Figure 8: AntiVM block of code presents in the malware.

 

If the program is attached to a run-time debug, it falls into the function that freezes the system.

Interesting that, if the user is using a virtual machine to run the malware, the following message box is presented.


Figure 9:
Message box presented when the malware is executed inside a virtual machine.

 

If the infection process continues normally, the malware lists the security products available on the machine and sends them to the C2 server.

Figure 10: Security products collected during the malware execution.

 

The collected information is sent to the C2 following the format below.

Figure 11: Security products details sent to the C2 server following a specific format.

 

Depending on the used OS version, the malware executes the next steps. For that, the OS version is enumerated.

Figure 12: OS version collected during the malware execution.

 

Complete list of OS checked during the execution:

005DC4DC <UString> 'Windows 3.1'
005DC500 <UString> 'Windows 95'
005DC524 <UString> 'Windows 95 OSR 2'
005DC554 <UString> 'Windows 98'
005DC578 <UString> 'Windows 98 SE'
005DC5A0 <UString> 'Windows Me'
005DC5C4 <UString> 'Windows 9x'
005DC5E8 <UString> 'Windows NT 3.5'
005DC614 <UString> 'Windows NT 4'
005DC63C <UString> 'Windows 2000'
005DC664 <UString> 'Windows XP'
005DC688 <UString> 'Windows NT'
005DC6AC <UString> 'Windows Server 2003'
005DC6E0 <UString> 'Windows Vista'
005DC708 <UString> 'Windows Server 2008'
005DC73C <UString> 'Windows Server 2008 or Windows Vista SP1'
005DC79C <UString> 'Windows 7'
005DC7BC <UString> 'Windows Server 2008 R2'
005DC7F8 <UString> 'Windows 7 or Windows Server 2008 R2'

 

Notice that parameters are passed via EDX/EAX registers in a call. This is because Delphi uses the FASTCALL calling convention, where the parameters are passed to the function from right to left, from EDX to EAX – if there are more parameters, they’ll be passed through the stack.

Next, it uses some Windows APIs to get the title of the currently focused window. Then, it tries to find a substring, “Google Chrome”, in that title, later it tries to find “Internet Explorer”, “Firefox”,  “Chrome” and so on.

When the web-browser is detected and it is on focus, the malware starts to find out if the victim is browsing a specific banking website, searching for a specific string: Santander in the title.


Figure 13:
Browser and banking portal detection process.

 

When it detects the user is interacting with the banking portal, an error message is presented informing about a problem related to communication with the legitimate portal.

Figure 14: Error message presented when the victim is accessing the specific banking portal.

 

At this point, the trojan interacts with the victim. It has been controlled by crooks and receives commands from the C2 server:

  • Specific windows are created and presented;
  • User and password details are requested;
  • Banking codes are also requested, and so on.

 

Figure 15: Overlay windows created during the malware execution.

 

Below some details used to create other overlay windows:

.text:005DEBEC 0000000A pascal CommonAPP      
.text:005DEC01 0000000D pascal UsuarioAtual   
.text:005DEC19 00000010 pascal IniciaisCelular
.text:005DEC34 0000000A pascal BankAtual      
.text:005DEC49 0000000B pascal TipoAcesso     
.text:005DEC5F 0000000C pascal ReferenciaD    
.text:005DEC76 00000008 pascal NomeVit        
.text:005DEC89 0000000C pascal CodigoFirma    
.text:005DECA0 0000000F pascal NavegadorAtual 
.text:005DECBA 0000000D pascal PosicaoFirma   
.text:005DECD2 0000000B pascal RecebeBank     
.text:005DECE8 0000000A pascal RecebeSMS      
.text:005DECFD 00000006 pascal Cord1          
.text:005DED0E 00000006 pascal Cord2          
.text:005DED1F 00000006 pascal Cord3          
.text:005DED30 00000006 pascal Cord4

 

During this process, the collected details are grouped into a string and sent to the C2 server via “TCustomWinSocket_SendText” call. Also, a function called “TCustomWinSocket_ReceiveText” is used to get the instructions from the C2.

Figure 16: Banking details sent to the C2 server and received commands via a specific call.

 

In detail, it’s possible to observe several call references to the “ReceiveText” function during the malware execution. As previously mentioned, this particular function is responsible for receiving commands from the C2 server. A snippet of code illustrating a call executed by malware where a specific command (Cord2) is received from crooks can be observed.

Figure 17: Specific commands (Cord 2) received from the C2 server.

 

The malware have several strings encoded as shown below. The strings can be obtained via several approaches. In this case, the following strings were decoded in runtime as identified in the next image.

Figure 18: Decoded strings and decoded function high-level diagram.

 

Finally, the next Figure presents the first Delphi form; hidden during the malware execution. This form have several timers (right-side). They are responsible for starting several functions such as anti-VM and anti-debug calls that stop the malware execution.

On the other hand, a specific timer executes a call to get commands from C2 within an interval initially defined by malware operators.

Figure 19: Main Form where timers execute several calls during the malware runtime.

 

 

Final Thoughts

Malware is nowadays one of the major cyber weapons to destroy a business, market reputation, and even infect a wide number of users. The next list presents some tips on how you can prevent a malware infection. It is not a complete list, just a few steps to protect yourself and your devices.

  • Get outdated software of your system
  • Get email savvy; take several minutes looking at the new email and not a few seconds
  • Beware of fake tech support, emails related do bank transactions, invoices, COVID19, everything you think be strange
  • Keep Internet activity relevant
  • Log out at the end of the day
  • Only access secured  and trusted sites (not only websites with green lock – please think you are doing, as many phishing campaigns are abusing of free CA to create valid HTTPS certificates and to distribute malicious campaigns over it)
  • Keep your operating system up to date
  • Make sure you are using an antivírus
  • Beware of malvertising

 

Take-home message
Be proactive and start taking malware protection seriously!

 

 

References

https://www.hybrid-analysis.com/sample/bba8629b3d40ea278c091f6e1a15609194b57e80111c4648986d6e2f8b52f69d?environmentId=100