Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware.

In the last few years, many banking trojans developed by Latin American criminals have increased in volume and sophistication. Although exists a strong adoption of technologies with the goal of protecting the final user such as plugins, tokens, e-tokens, two-factor-authentication mechanisms, CHIP, PIN cards, and so on, online fraud is still on the rise and every day implementing new tactics, techniques, and procedures (TTP) to evade antivirus and Endpoint Detection & Response systems.

In this article, we will into the details of the Javali trojan banker, introduced and tracked by the Kaspersky Team, and targeting Latin American countries, including Brazil and Mexico banking and financial organizations.

 

Background of Latin American Trojans

Javali trojan is active since November 2017 and targets users of financial and banking organizations geolocated in Brazil and Mexico. By analyzing this piece of malware, we found that Javali is using the same routines and calls often observed on other Latin American trojans, such as Grandoreiro, URSA aka Mispadu, Lampion, VadokristAmavaldo, Casbaneiro aka Metamorpho and Mekotio.

Figure 1: The most popular and dangerous Latin American trojans.

 

In short, part of these trojan families are using padding to enlarge the binary; empty sections or even BPM images attached as a resource as described in this article related to the Grandoreiro trojan. Other trojans use this technique as it allows to evade detection and execute the malicious code on the target machines bypassing detection based on static file signatures.

Latin American trojans share the same modus operandi and even modules and blocks of code observed during the analysis of several malware samples.  The following schema is an effort to present in a single high-level diagram the workflow of the most popular Latin American trojans.

Figure 2: High-level diagram of the modus operandi of the most popular Latin American banking trojans.

 

The malicious activity starts with a phishing email sent to the target victims in Latin American – Brazil, Mexico, Chile, and Peru – and Europe – Spain and Portugal. The initial stage of these trojans is generally the execution of a dropper in a form of a VBS, JScript, or MSI file that downloads from the Cloud (AWS, Google, etc.) the trojan loader/injector. After this step, the trojan itself – developed in Delphi – is executed into the memory manly using the DLL side loading technique or DLL injection, creating persistence using a .lnk file on the Windows Startup folder, or adding a new key in the machine registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) with the name and path of the .lnk file to guarantee the malware is executed every time the infected machine starts.

The steps 7 and 8 from Figure 2, the malware obtains some details from the infected machine and report them to the C2 server, including the version of the Operating System (OS), architecture, the name of the installed antivirus and EDRs, computer name, and the victim’s geolocation.

From here, the malware executes a new thread when specific and hardcoded web-browsers are opened. The title of the accessed web-pages are collected and compared with the target organizations and services hardcoded and defined by crooks, generally the name of the banking portals, cryptocurrency portals, and financial firms. If these conditions match, the windows overlay process starts launching fake windows to lure victims.

More details and comparisons between several threads and used TTPs can be found below and by accessing the publication from ESET.

Figure 3: MITRE ATT&CK table illustrating the features that Latin American banking trojans share (full table and more details here).

 

As observed during the last few years, several threats share a lot of TTP and code, and that is a clear signal of cooperation between malicious groups.

 

Discovering Javali trojan banker

These days, the Javali trojan banker is one of the most popular trojan banker families in the wild. According to the Kaspersky publication:

Javali targets Portuguese- and Spanish-speaking countries, active since November 2017 and primarily focusing on the customers of financial institutions located in Brazil and Mexico

 

Since the details online about this threat are scarce, after a tweet of the malware hunter @JAMESWT_MHT on Twitter, we decided to go through the details of this specific trojan.

 

As observed in another Latin American banking trojans from Figure 3, part of the most popular trojans are disseminated using the most dangerous vehicle of threat’s proliferation: email protocol. As this protocol relies on a strong and complex “mesh” around him to catch the fish, the end-user is every time the final decision maker: open or not open the fresh email. Next, an email template used by Javali to lure victims is presented.

Figure 4: Email template used by Javali banking trojan.

 

The Javalis’ modus operandi is based on the workflow previously explained in Figure 2 and related to other threats such as Vadokrist, Lampion, URSA, Amavaldo, and Casbaneiro. After opening the URL distributed on the email body, a ZIP file is then downloaded from the Internet. For this, Cloud services are often used by crooks including Google, S3 Buckets from AWS, and MediaFire file sharing service. The next diagram demonstrates how Javali trojan banker works.

Figure 5: High-level diagram of Javali trojan banker.

 

As mentioned, in general, this trojan was developed using the same architecture of other Latin American trojans, and the main steps of the infection chain are described below and analyzed in-depth during the next sections of this article.

In short, the phishing email is received by victims. By opening an URL it downloads from the Internet (Cloud services) a ZIP file with an MSI executable inside (1, 2). The MSI file contains a JavaScript payload hardcoded, then executed via wscript.exe (3) that will create persistence on the infected machine (4) and also download the final files from an AWS S3 bucket (5).

The Avira.exe file, a legitimate PE file from the Avira Antivirus firm, is then used as an injector to take advantage of a technique dubbed DLL side-loading and loading into the memory a huge DLL “Avira.OE.NativeCore.dll” (6) as a child of a legitimate Parent Process ID (PPID).

When executed, the Javali trojan starts its operation and immediately gets the malware configuration from doc files available on Google Cloud (7).

Next, the trojan collects information from web-browsers (8) searching for target tabs opened related to hardcoded banking/financing portals and starts the malicious overlay activity presenting fake windows to victims (9, 10, 11, 12, and 13).

 

MSI file – The Javali Dropper


Filename: FT.FATURA.EKFUHLWS+LUVPBC0DGZUWISOAPDK.msi
MD5: 70aa68c29622df360dea76daa4255835
Creation time: 2/5/2021 7:10:49 AM


The MSI file has hardcoded a JavaScript payload inside as observed in Figure 6. This stage will be executed and download next step.

Figure 6: JScript file hardcoded inside the MSI file and then executed via wscript.exe on the target machine.

 

After some rounds of deobfuscation, we found some interesting strings and the blocks of code responsible for creating persistence on the machine and also downloading a ZIP file from an AWS S3 bucket dropped into the User’s public folder: C:\Users\Public\Documents\random_name.

Figure 7: JScript file partially deobfuscated.

 

Although some parts of the code still obfuscated, we can understand the basic operation of this piece of malware by debugging it on a debugger. This is a trick valid for other Jscript files executed via wscript.exe. By debugging it and adding a breakpoint on the “ws2_32.GetAddrInfoW” call, we can observe the moment the malware downloads the next stage from the Internet (AWS S3 bucket).

Figure 8: Getting the AWS S3 bucket address by debugging the JScript payload.

 

The downloaded ZIP file is stored into the “C:\Users\Public\Documents” directory, inside a random folder created during the dropper execution. After that, the following files are extracted, namely:

  • Avira.exe: Legitimate injector from Avira Antivirus.
  • Avira.OE.NativeCore.dll: malicious DLL used during the DLL side-loading process.
  • msvcp120.dll: Windows legitimate DLL for runtime dependencies – MICROSOFT® C RUNTIME LIBRARY.
  • msvcr120.dll: Windows legitimate DLL for runtime dependencies – MICROSOFT® C RUNTIME LIBRARY.
  • rundll32.dll: Copy of the Avira.exe injector used to start the trojan when the Jscript terminates its execution.

Avira.exe
8CBB75FEBFB4B0B7C3B6D3613386220C

Avira.OE.NativeCore.dll
83c49ccc03e4abfad28e278ce98b4537

msvcp120.dll
FD5CABBE52272BD76007B68186EBAF00

msvcr120.dll
034CCADC1C073E4216E9466B720F9849

rundll32.exe
8CBB75FEBFB4B0B7C3B6D3613386220C

Figure 9: Javali trojan and all the files used during the infection chain.

 

Persistence is achieved by creating a .lnk file in the Windows startup folder and also a registry key pointing to this .lnk file.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

created: CREATED
device: DISK_FILE_SYSTEM
name: C:\Users\xxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JAAMKHQWFW.lnk
object: FILE
operation: CREATE
status: 0x00000000
time: 10453 ms

Figure 10: Javali trojan persistence technique (Windows startup folder + registry CurrentVersion\Run).

 

 

Javali injector – Weaponizing Avira legitimate executable


Filename: Avira.exe / rundll32.exe
MD5: 8CBB75FEBFB4B0B7C3B6D3613386220C
Creation time: 1/25/2021 4:38:25 AM


Javali trojan takes advantage of a legitimate executable from Avira Antivirus firm to inject into the memory a malicious DLL that impersonates the legitimate DLL: Avira.OE.NativeCore.dllThis technique is known as DLL side-loading aka DLL hijacking by abusing of vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests are not explicit enough about characteristics of the DLL to be loaded (T1574).

As observed below, the injector is a legitimate file and with a valid digital signature from Avira Operations GmbH & Co. KG.

Figure 11: Javali uses as injector a legitimate executable from Avira antivirus.

 

DLL side-loading is used as the favored execution method by Latin American threat groups and 22 different binaries have been abused to load into the memory malicious code. In a publication from ESET, some products were described, including binaries from Microsoft, Oracle, several security companies, NVIDIA, VMWare, Avira, and others used as injectors in Amavaldo, Casbaneiro, Mekotio, Vadokrist, and Javali trojans.

ProductFilenameDLL name
Microsoft Corporation CTF Loaderctfmon.exeMsCtfMonitor.dll; AppGetLoader.dll; CryptUI.dll
Microsoft Corporation OLE/COM Object ViewerOLEView.exeIViewers.dll
Microsoft ECM Certificate ManagerCertMgr.exeCryptUI.dll
Microsoft Office Picture ManagerOis.exeMSOCF.dll
Java(TM) Platform SE 8 (cmd-line launcher)jjs.exejli.dll
Java(TM) Platform SE 8 (Remote Method Invocation)java-rmi.exejli.dll
Java(TM) Platform SE 8 (Kerberos)kinit.exejli.dll
AviraAvira.SysTrayStartTrigger.exeAvira.OE.NativeCode.dll
Avast Dump ProcessavDump32.exeDbghelp.dll
AVG Dump ProcessavDump32.exeDbghelp.dll
G DATA Personal FirewallGDFwAdmin.exeGDFwAdmin.dll
G DATA Security SoftwareAVK.exeAvk.dll
COMODO Internet SecurityCisTray.exeCmdres.dll
NVIDIA 3D Vision Test ApplicationNvsttest.exeD3d8.dll
NVIDIA Smart Maximise Helper HostNvSmartMaxApp.exeNvSmartMax.dll
VirtualBox Guest Additions Tray ApplicationVBoxTray.exeMpr.dll
VMware NAT ServiceVmnat.exeShfolder.dll
WinGup for Notepad++Gup.exeLibcurl.dll
Disc Soft Bus Service Pro (DAEMON Tools Pro)DiscSoftBusService.exeImgengine.dl
Bartels Media GmbH Macro RecorderMacroRecorder.exeMrkey.dll
Stonesoft VPN Client ServiceSgvpn.exeWtsapi32.dll
OOO Lightshot Starter ModuleLightshot.exeLightshot.dll

 

Also, BitDefender published an article in reference to this vulnerability used by Casbaneiro aka Metamorfo trojan to execute the malware as a child of a trusted process. In fact, legitimate applications are digitally signed with an Authenticode (code-signing) certificate. This is the proof and seen as a token of trust, as an Authenticode-signed executable file looks less alarming to users when requesting elevated privileges.

In this way, if the User Account Control (UAC) prompts the victim that the antivirus engine wants to make changes on the system, well, users probably will not question it. On the other hand, many antivirus and Endpoint Detection & Response systems can be avoided using this vulnerability, as the injector is legitimate, code-signed, authentic, and comes from a well-known security firm – Avira.

Figure 12: Legitimate injector from Avira – digitally signed, authentic, and trusted during the injection process allowing to bypass security engines such as AV and EDR.

 

Avira injector – Digging into the details 

There is a lot of methods to take advantage of DLL side-loading vulnerability by examining the DLL imports. Figure 13 shows the Avira.exe DLL Import Table Address (IAT) which includes the functions:

  • MakeTrayIconVisible
  • Avira::OE::NativeCore::OeProductInfo::GetLanguage(void)const

Figure 13: Calls loaded from a legitimate external DLL (Avira.OE.NativeCore.dll).

 

Validating the external DLLs and calls must involve more than checking for the correct filename and calls names. In this way, every time a DLL is loaded from the side-by-side directory and adjacent to the primary PE file needs to be validated for these functions. Usually, executables using the side-by-side feature will have these resources located in the embedded manifest file.

In detail, the name passed to LoadLibrary() / LoadLibraryEx() call not need specify a specific path. If a path is passed, then the library is only loaded from the specific path. Otherwise, the following Windows default DLL search order is used:

  1. The current process image file directory – the application directory.
  2. The system directory (e.g. system32 folder).
  3. The 16-bit system directory.
  4. The windows directory.
  5. The current working directory.
  6. The directories listed in the PATH environment variable.

 

After analyzing the legitimate injector, we can see that the CreateFile() and ReadFile() functions are used to load into the memory the external DLL from the current process image file directory.

Figure 14: Avira.exe injector vulnerable to DLL side-loading attack abused by Javali trojan.

 

In sum, we recommend the following strategy should be kept in mind to ensure secure loading of libraries:

  • Use proper DLL search order.
  • Make use of code signing infrastructure or AppLocker.
  • Ensure that the full path is hardcoded avoiding relative paths for any resources.
  • Confirm that the imported DLL actually exists.
  • Ensure that all the imported functions are valid and not empty.
  •  Utilize DLL redirection or a manifest.
  • Code-signing – Microsoft Authenticode technology.

 

Final stage – Javali trojan banker


Filename: Avira.OE.NativeCore.dll
MD5: 83c49ccc03e4abfad28e278ce98b4537
Creation time: 2/2/2021 3:47:39 AM


Code-signing (Microsoft Authenticode technology) can be used to sign the DLL, which is to attach digital signatures to the DLL to guarantee its authenticity and integrity.

By comparing the legitimate and malicious DLL, we can see that the malicious one is not signed in contrast to the legitimate one (Figure 15). Also, the External Address Table (EAT) is maintained including the two required calls that are invoked, otherwise, the injector could crash during its execution (Figure 16). Below, we can see that the “spoofed” DLL is not digitally signed, and even the size of the file is bigger than the original from Avira.

Figure 15: Malicious (spoofed) DLL without digital signature and the file was enlarged to bypass detection. Otherwise,  the original DDL from the Avira firm is digitally signed.

 

As observed in Figure 16, the exported calls on the right-side (malicious DLL) don’t have a name – the sections’ names are empty – and the OEP is pointing to the .data section. At the first glance, this is a clear signal that something is wrong, even looking at the EAT, we can find many strange and empty sections to enlarge the DLL size.

Also, the original file name and compilation date are different between the legitimate (left-side) and the malicious DLL (right-side). Although the ordinals are different, the base calls of the legitimate DLL were maintained, and only the main calls were overwritten with the malicious code.

---overwritten functions---
MakeTrayIconVisible
Avira::OE::NativeCore::OeProductInfo::GetLanguage(void)const

Figure 16: Principal differences between the Legitimate DLL from Avira versus the malicious DLL.

 

The Javali DLL is packed and enlarged with junk – a well-known technique used by Latin American trojans such as Grandoreiro and Lampion in order to evade detection.

When executed in memory, the malware is unpacked by blocks using the virtualization code of the Enigma protector.

The unique technology which allows combining the files used by your application into a single module without loss of efficiency. This function supports all kinds of files, including dll, ocx, mp3, avi, etc. Virtual Box will protect your files and prevent them from being copied and used in third-party products.

 

After bypassing this initial restriction, we can see below (right-side) the Javali trojan DLL partially unpacked.

Figure 17: Javali trojan – Enigma packed DLL vs partially unpacked DLL.

 

The malicious DLL has a size of 570 MB in disk because it was compiled with empty sessions. When it is executed into the memory, unpacked and the empty sessions are cleaned, the library is a binary of 30 MB.

Figure 18: Unpacked DLL – 30 MB versus packed DLL – 570 MB.

 

Once the binary is unpacked, at this time it’s possible to obtain the images that are used during the windows overlay process. As observed below, this time the resources are unpacked and can be analyzed.

Figure 19: Packed resources vs unpacked resources.

 

At this point, internal capabilities and implemented TTP can be analyzed by reversing the Delphi code as well.

Figure 20: Javali trojan – Delphi forms.

 

 

Javali configuration obtained from Google Docs

Javali trojan communicates with Google Docs files to obtain its configuration, including the address of the C2 server. If it is not able to connect to the address, it uses a hardcoded one. Javali checks for connectivity by sending a web request to the ipinfo.io service.

6EEE36B7,"mov eax,avira.oe.nativecore.6EF188B4","&L""Windows 7 Ultimate"""
6EEE36CB,"mov eax,avira.oe.nativecore.6EF0E4C0","&L""BAUdGYGlgX3wUY4XrGGt9z6CrGnnlmpgCaEIjtxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxOWSW6IPkjwCg7WWUH1mCyA3Dhh8A0123456789"""
6EEE36DF,"mov eax,avira.oe.nativecore.6EF188BC","&L""TUBA-01"""
6EEE3757,"mov eax,avira.oe.nativecore.6EF18900","&L""1724526122"""
6EEE376B,"mov eax,avira.oe.nativecore.6EF1891C","&L""Windows 7"""
6EEE3789,"mov eax,avira.oe.nativecore.6EF18930","&L""http://ipinfo.io/json"""
6EEE3793,"mov eax,avira.oe.nativecore.6EF18934","&L""xx.46.179.xx"""
6EEE37CF,"mov eax,avira.oe.nativecore.6EF1894C","&L""hxxps://docs.google.]com/document/d/15dKy9iPdfKKUyI5JEn6lyhxramzevtn0siixKmnfNB0/edit"""
6EEE37D9,"mov eax,avira.oe.nativecore.6EF18950","&L""hxxps://docs.google.]com/document/d/16OdxMD6j6d2gnAmzmCb23M_gNb6_ESKELXSBdVFP2V0/edit"""
6EEE37E3,"mov eax,avira.oe.nativecore.6EF18954","&L""hxxps://claricepss.webcindario.]com/pgl/index.php"""
6EEE380B,"mov eax,avira.oe.nativecore.6EF18970","&L""191.232.170.12"""
6EEE3815,"mov eax,avira.oe.nativecore.6EF18974","&L""25325"""

Figure 20: Javali process of getting config from Google Docs and communication with C2 server.

 

The list of Google docs hardcoded inside the Javali file is presented below:

hxxps://docs.google].com/document/d/15dKy9iPdfKKUyI5JEn6lyhxramzevtn0siixKmnfNB0/edit
hxxps://docs.google].com/document/d/15i3BIlOzTNOF3cIgA-o8YYa-u24q-DdcalWi5JMyxeU/edit
hxxps://docs.google].com/document/d/18dBH_hLqlszwezEZkeFfACFo-nhCHHoCwc6qyxdoA2Y/edit
hxxps://docs.google].com/document/d/18qfnad3gLJeUsZxZo-iRkYShxp72q5Ct4sUvCXxl0Ng/edit
hxxps://docs.google].com/document/d/1E3RFnE4dlzD_wL96hMzNBlZZ8vNS-mM_Q48lDUFzwFA/edit
hxxps://docs.google].com/document/d/1IM9fNp--iWLQPUVKjHBZUOwfi9Yv_BuUSojQTCidU3U/edit
hxxps://docs.google].com/document/d/1MezQvI_dk_5R4zn_i5dhfSd86KULlFPCsNIUPEu-ZR8/edit
hxxps://docs.google].com/document/d/1OetWS-gLaMbPBcxDQaVbNcYXb7hL4BsR8X_ouI-hz1g/edit
hxxps://docs.google].com/document/d/1T-hcyJWouUdAIZ19DZ_guh723zgpL2H2c4kpcBL0Tqg/edit
hxxps://docs.google].com/document/d/1UwICJoIrrey05PhmMpKVB2g3tMf9PYk4A-UeFHEOIsw/edit
hxxps://docs.google].com/document/d/1W2GHf0vyCLNhVIDxF126mvbKFS9VC2RqU4n-5EXMZLA/edit
hxxps://docs.google].com/document/d/1YTBuav90AWfG24KrZ25h41GnVXIzh3cSapf0sF5n8QI/edit
hxxps://docs.google].com/document/d/1bGyEiUhvY1HvEkbIS7pNPWCODIRrfTyvK2TJLwEFgrw/edit
hxxps://docs.google].com/document/d/1fUCxFdZGv3BUIMtba8tItJAJA3SY4ZR8UHPW0loT80Y/edit
hxxps://docs.google].com/document/d/1iN1UvBtln4jXxMgNpGqGl3NF_YN1lhE_Ei11E2odFdo/edit
hxxps://docs.google].com/document/d/1jR8nCxVdi4vnNUlLCpKz3LbpPK9RMzW3_hWGNgpe2nY/edit
hxxps://docs.google].com/document/d/1o-b6lH-aadYKV1jr7imBgUiXgIFNwrkI-9aHlVAa4JQ/edit
hxxps://docs.google].com/document/d/1ogLFEFF4G0PHJM2LBjd3dKFB4tAGiaTiUb2BA0ouuac/edit
hxxps://docs.google].com/document/d/1pCA24HnsioJ0HqApuc9Zf5hGcgJjxskpImUAmarbtfU/edit
hxxps://docs.google].com/document/d/1phEs-b8IHsTy84f670zIzyQFgRKsqQGOofFAcH3CdkI/edit
hxxps://docs.google].com/document/d/1qcT11IVn26rKBJAA4gPpUcHFwIP4i4wGF2QBgIVquwM/edit
hxxps://docs.google].com/document/d/1tRSWPhiV-KIYTOJaR-Dd1MLvYRsPmBsU5Hzxu8tg4-E/edit
hxxps://docs.google].com/document/d/1wG-npl-Rx1WT00cYpjvrE_V_PzzxuavKLkpvYReLjvw/edit

Figure 21: Javali configuration obtained from Google Docs.

 

The strings of the Google Docs files are encrypted and the algorithm used to encrypt strings comes from the “Mestres da Espionagem Digital” book also used in another Latin American banking trojan such as Casbaneiro.

Criminals also used a public library called DCPCrypt – a library responsible for encrypting buffers with various algorithms. As observed in Figure 22, each of these algorithm classes have string identifiers beginning with DCP string such as DCPPcrypt2, DCPsha512, DCP_blockcipher128, etc. This library is used to facilitate the encryption communication between the compromised machine and the C2 server via HTTPS protocol.

Figure 23: Classe names of cryptographic algorithms used by Javali trojan.

 

On the other side, the host information retrieved from Google Docs is obfuscated for obvious reasons. Javali also adopts another third-party library named IndyProject for communication with the C2.

Indy is an open-source client/server communications library that supports TCP/UDP/RAW sockets, as well as over 100 higher level protocols including SMTP, POP3, IMAP, NNTP, HTTP, FTP, and many more. Indy is written in Delphi but is also available for C++Builder and FreePascal.

Figure 24: IndyProject third-party library used by Javali.

 

From the analysis of Javali’s sample, information about C2 where extracted. By comparing the first URL “claricepss.webcindario.]com” with other subdomains from “webcindario.]com” which translates to IP 5.57.226.]202, we can found that the domain has been used for a long time by Brazilian criminals in campaigns this line.

6EEE37E3,"mov eax,avira.oe.nativecore.6EF18954","&L""hxxps://claricepss.webcindario.]com/pgl/index.php"""
6EEE380B,"mov eax,avira.oe.nativecore.6EF18970","&L""191.232.170.]12""" 
6EEE3815,"mov eax,avira.oe.nativecore.6EF18974","&L""25325"""
51.103.136.]92/nave/index.php

 

For example, other directories were found upon the subdomain “claricepss” as observed below with malicious landing pages related to banking organizations available and used to capture the victims’ credentials.

[13:38:54] 301 -    6KB - /bb  ->  https://claricepss.webcindario.]com/bb/
[13:39:05] 301 -    6KB - /cadastro  ->  https://claricepss.webcindario.]com/cadastro/
[13:39:18] 301 -    6KB - /chrome  ->  https://claricepss.webcindario.]com/chrome/
[13:39:20] 301 -    6KB - /black  ->  https://claricepss.webcindario.]com/black/
[13:39:21] 301 -    6KB - /imap  ->  https://claricepss.webcindario.]com/imap/
[13:39:23] 301 -    6KB - /casa  ->  https://claricepss.webcindario.]com/casa/
[13:39:30] 301 -    6KB - /pgl  ->  https://claricepss.webcindario.]com/pgl/
[13:39:57] 301 -    6KB - /deco  ->  https://claricepss.webcindario.]com/deco/
[13:40:52] 301 -    6KB - /xy  ->  https://claricepss.webcindario.]com/xy/

Figure 25: Banking landing-page used to collect credentials and lure victims during the infection process.

 

Next, we can observe the output from the C2 server of Javali trojan banker, with the last infected victims and their geolocation, and also extracted passwords from online services hardcoded inside the malware such as:

  • kinghost.]com].br
  • uolhost.]com.]br
  • terra.]com.]br

Figure 26: C2 dashboard with last infections and victims’ credentials.

 

In detail, these fake pages are shown during the infection chain in order to collect credentials. Criminals control all the workflow and victims’ navigation in the background and in real-time as detailed in this article related to a huge phishing campaign this nature – Anubis Phishing Network.

 

Window overlay process

When victims access a specific banking or financial portal, the malware triggers a new thread to launch the overlay windows. If the accessed portal matches the hardcoded banking organizations, Javali sends to the C2 a simple request with information about the infected machine separated by markers such as “|” and “<“.

Full list of hardcoded banking and financial organizations:

x2ddad8c (16): CrediSiS
0x2ddadb4 (16): Viacredi
0x2ddaddc (16): CIDETRAN
0x2ddae04 (16): Daycoval
0x2ddae2c (22): BRB Banknet
0x2ddae54 (20): Banco Alfa
0x2ddae7c (16): NBC BANK
0x2ddaea4 (22): Pine Online
0x2ddaecc (22): Banco Safra
0x2ddaef4 (16): Banestes
0x2ddaf1c (22): Banco Inter
0x2ddaf44 (18): Banco BNB
0x2ddaf6c (18): Mercantil
0x2ddaf94 (18): Santander
0x2ddafbc (16): Banco It
0x2ddafe4 (18): Bradesco 
0x2ddb00c (22): [bb.com.br]
0x2ddb034 (16): R4pp0rt 
0x2ddb05c (16): core.exe
0x2ddb084 (22): SunAwtFrame
0x2ddb0ac (16): Cursor_1
0x2ddb0d4 (20): DWMAPI.dll
0x2ddb0fc (18): Banco Ita
0x2ddb124 (16): BL-0.ini
0x2ddb14c (22): default_set
0x2ddb174 (22): \ConfXTheme
0x2ddb19c (18): Microsoft
0x2ddb1c4 (16): KingHost
0x2ddb1ec (16): Locamail
0x2ddb214 (20): Terra Mail
0x2ddb23c (20): E-mail UOL
Aplicativo Itaú
itauaplicativo.exe
Banco Itaú
Aplicativo sicoob
sicoob
AplicativoBradesco.exe
NavegadorExclusivoBradesco.exe
Aplicativo bradesco
Banco Bradesco
Banco do Brasil
Banco Bradesco | Pessoa Física, Exclusive, Prime e Private
Bradesco 
Pessoa jurídica | Bradesco
Bradesco JuJu
Banco Itáu
Santander
Banco Santander
Sicredi
Banco Sicredi
Mercantil
Banco Mercantil
internetbanking
Caixa Economica
Banco Sicoob
Unicred Portal
Banco Unicred
Internet Banking BNB
Banco BNB
Banco Inter
Banco Intermedium
Banco MUFG Brasil S.A.
Banestes - Internet Banking
Banestes
Internet Banking
Banpará
Cetelem | Login
Cooperativa de Crédito
Nova Home | Internet
Banco Safra
BANCO PAULISTA
UNICRED
UniprimeCentral
Bem vindo ao seu BMG
Portal - Banco Votorantim
Pine Online
NBC BANK
Tribanco Online
Banco Alfa
Banco Indusval & Partners
Portal Internet Banrisul
Banco Original
Acesse sua conta Celcoin
Login - Nubank
BRB Banknet
Banco de Brasília
Banco da Amazônia
Banese
BancoTopazioInternetBanking
BancoIndustrial
Banco Industrial
Daycoval
CIDETRAN
Viacredi
Mercado Pago
CrediSiS

 

As described, Javali is monitoring the accessed web-pages on the victim side. When a match is achieved, the communication with the C2 servers starts. The C2 server is geolocated in Brazil, and a new port is generated dynamically each execution between a well-defined range. Socket communication is established using the IndyProject library.

Figure 27: Communication with the C2 server during the windows overlay process.

 

As mentioned several times during this analysis, code sharing has been seen in different Latin American trojans. This kind of socket communication can be also observed during the Lampion trojan activity.

More, hardcoded C2 endpoints inside the Javali can be related to Grandoreiro activity as described in this article.

Javali C2 endpoints hardcoded

Grandoreiro C2 endpoints (right-side)

Figure 28: Grandoreiro C2 endpoints found hardcoded in the Javali sample.

 

As with many other banking trojans, Javali supports several backdoor commands. The capabilities of these commands include:

  • Obtaining screenshots with the help of the Windows Magnifying API, imported from Magnification.dll.
  • Logging keystrokes
  • Downloading and executing further payloads
  • Restricting access to various banking websites
  • Mouse and keyboard simulation
  • Blocking the access to several Windows applications during the malware execution (such as Task Manager)
  • Self-updating
  • Stealing credentials from several email services, and banking/financial portals.

 

Final Thoughts

Javali is a potent piece of malware, whose primary capability is theft of banking information and other personal information from the user machine and sends it to the C2 server. This trojan abuses a legitimate injector from Avira Firm to create a child process and loads into the memory a protected DLL with the trojan operations. With this technique in place, bypassing some AV and EDR is possible and the trojan-activity can be masqueraded for a long time.

From Javali’s analysis, we can conclude that Latin American operators are sharing code between different trojans such as Lampion, URSA, Grandoreiro, Casbaneiro, and so on.

Finally, the trojan is a dangerous weapon, with the capabilities to self-update itself, capture keystrokes and mouse movements, take screenshots, block access the several Windows-based applications and banking and financial portals, and starting the windows overlay process when a legitimate portal is accessed.

Screenshots of the windows launched by Javali, Mitre Att&ck Matrix, and other IOCs are presented below.

 

Windows overlay extracted from Javali trojan

 

Mitre Att&ck Matrix

TacticIDNameDescription
Initial AccessT1192Spearphishing LinkJavali campaigns start with a spear-phishing email.
T1193Spearphishing AttachmentJava campaigns start with a malicious email attachment (.zip file).
ExecutionT1073DLL Side-LoadingJavali campaigns are using a legitimate executable from Avira Firm to inject into the memory a malicious DLL.
PersistenceT1060Registry Run Keys / Startup FolderJavali gets persistence via Run key.
Defense EvasionT1140Deobfuscate/Decode Files or InformationJavali uses encrypted remote configuration from Google Docs and its commands are also encrypted.
T1036MasqueradingJavali masquerades itself with a legitimate application (Avira antivirus).
T1064ScriptingPowerShell and JavaScript are used in Javali distribution chain.
Credential AccessT1056Input CaptureJavali contains a command to execute a keylogger. It also steals contents from fake windows overlay.
DiscoveryT1083File and Directory DiscoveryJavali searches for various filesystem paths in order to determine what applications are installed on the victim’s machine.
T1057Process DiscoveryJavali searches for various process names in order to determine what applications are running on the victim’s machine.
T1063Security Software DiscoveryJavali scans the system for installed security software.
T1082System Information DiscoveryJavali extracts the version of the operating system.
CollectionT1113Screen CaptureJavali contains a command to take screenshots via Windows API.
Command and ControlT1024Custom Cryptographic ProtocolJavali uses cryptographic protocols to communicate with C2 server.
ExfiltrationT1041Exfiltration Over Command and Control ChannelJavali sends the data it collects to its C&C server.

 

Indicators of Compromise (IOCs)

--samples--
FT.FATURA.EKFUHLWS+LUVPBC0DGZUWISOAPDK.msi
MD5: 70aa68c29622df360dea76daa4255835

Avira.exe
MD5: 8CBB75FEBFB4B0B7C3B6D3613386220C

Avira.OE.NativeCore.dll
MD5: 83c49ccc03e4abfad28e278ce98b4537

msvcp120.dll
MD5: FD5CABBE52272BD76007B68186EBAF00

msvcr120.dll
MD5: 034CCADC1C073E4216E9466B720F9849

rundll32.exe
MD5: 8CBB75FEBFB4B0B7C3B6D3613386220C

--AWS S3 bucket--
hxxps://hipermercado.s3-sa-east-1.amazonaws.]com/bretas.]png

--C2 server--
191.232.170.]12
191.232.170.]12:35730
191.232.170.]1
191.232.177.]237

--banking overlay fake pages--
51.103.136.]92/nave/index.php
https://claricepss.]webcindario.]com/pgl/index.php

hxxps://claricepss.webcindario.]com/bb/ 
hxxps://claricepss.webcindario.]com/cadastro/ 
hxxps://claricepss.webcindario.]com/chrome/ 
hxxps://claricepss.webcindario.]com/black/ 
hxxps://claricepss.webcindario.]com/imap/ 
hxxps://claricepss.webcindario.]com/casa/ 
hxxps://claricepss.webcindario.]com/pgl/ 
hxxps://claricepss.webcindario.]com/deco/ 
hxxps://claricepss.webcindario.]com/xy/

--Google Docs files w/ config--
hxxps://docs.google].com/document/d/15dKy9iPdfKKUyI5JEn6lyhxramzevtn0siixKmnfNB0/edit hxxps://docs.google].com/document/d/15i3BIlOzTNOF3cIgA-o8YYa-u24q-DdcalWi5JMyxeU/edit hxxps://docs.google].com/document/d/18dBH_hLqlszwezEZkeFfACFo-nhCHHoCwc6qyxdoA2Y/edit hxxps://docs.google].com/document/d/18qfnad3gLJeUsZxZo-iRkYShxp72q5Ct4sUvCXxl0Ng/edit hxxps://docs.google].com/document/d/1E3RFnE4dlzD_wL96hMzNBlZZ8vNS-mM_Q48lDUFzwFA/edit hxxps://docs.google].com/document/d/1IM9fNp--iWLQPUVKjHBZUOwfi9Yv_BuUSojQTCidU3U/edit hxxps://docs.google].com/document/d/1MezQvI_dk_5R4zn_i5dhfSd86KULlFPCsNIUPEu-ZR8/edit hxxps://docs.google].com/document/d/1OetWS-gLaMbPBcxDQaVbNcYXb7hL4BsR8X_ouI-hz1g/edit hxxps://docs.google].com/document/d/1T-hcyJWouUdAIZ19DZ_guh723zgpL2H2c4kpcBL0Tqg/edit hxxps://docs.google].com/document/d/1UwICJoIrrey05PhmMpKVB2g3tMf9PYk4A-UeFHEOIsw/edit hxxps://docs.google].com/document/d/1W2GHf0vyCLNhVIDxF126mvbKFS9VC2RqU4n-5EXMZLA/edit hxxps://docs.google].com/document/d/1YTBuav90AWfG24KrZ25h41GnVXIzh3cSapf0sF5n8QI/edit hxxps://docs.google].com/document/d/1bGyEiUhvY1HvEkbIS7pNPWCODIRrfTyvK2TJLwEFgrw/edit hxxps://docs.google].com/document/d/1fUCxFdZGv3BUIMtba8tItJAJA3SY4ZR8UHPW0loT80Y/edit hxxps://docs.google].com/document/d/1iN1UvBtln4jXxMgNpGqGl3NF_YN1lhE_Ei11E2odFdo/edit hxxps://docs.google].com/document/d/1jR8nCxVdi4vnNUlLCpKz3LbpPK9RMzW3_hWGNgpe2nY/edit hxxps://docs.google].com/document/d/1o-b6lH-aadYKV1jr7imBgUiXgIFNwrkI-9aHlVAa4JQ/edit hxxps://docs.google].com/document/d/1ogLFEFF4G0PHJM2LBjd3dKFB4tAGiaTiUb2BA0ouuac/edit hxxps://docs.google].com/document/d/1pCA24HnsioJ0HqApuc9Zf5hGcgJjxskpImUAmarbtfU/edit hxxps://docs.google].com/document/d/1phEs-b8IHsTy84f670zIzyQFgRKsqQGOofFAcH3CdkI/edit hxxps://docs.google].com/document/d/1qcT11IVn26rKBJAA4gPpUcHFwIP4i4wGF2QBgIVquwM/edit hxxps://docs.google].com/document/d/1tRSWPhiV-KIYTOJaR-Dd1MLvYRsPmBsU5Hzxu8tg4-E/edit hxxps://docs.google].com/document/d/1wG-npl-Rx1WT00cYpjvrE_V_PzzxuavKLkpvYReLjvw/edit

 

Online Sandbox URLs

FATURA.EKFUHLWS+LUVPBC0DGZUWISOAPDK.msi:
https://www.virustotal.com/gui/file/3c02cff7aa1784336ec96fce16cac267c812ce98ab6a7497c8b7f8c44c54a1e9/detection

Avira.exe:
https://www.virustotal.com/gui/file/f495d7c5c98457febc42ec96a959293788f6915e4245899d3bb1808ab84f0d9a/detection

Avira.OE.NativeCore.dll:
https://www.virustotal.com/gui/file/bdfa6dbba717b8faf4e0a049e90c6451b1980695f12b59d3d8d2ee6ef22e4da6/details

 

Yara rule

import "pe"
rule Javali_february_2021 {
meta:
    description = "Yara rule for Javali trojan - February version"
    author = "SI-LAB - https://seguranca-informatica.pt"
    last_updated = "2021-02-16"
    tlp = "white"
    category = "informational"
    condition:
        filesize > 1000KB
        and pe.characteristics & pe.DLL
        and pe.exports("IsAviraSignedFile") and pe.exports("MakeTrayIconVisible")
}

Yara rule can be found on GitHub.