In Brazil, an increase in the activity of malicious scripts
A year ago, ESET experts recorded the highest activity of two types of malware in Brazil - banking Trojans and their downloaders (daunloaders). Loaders are executable files of compact size that specialize in downloading the main executable file of a banker trojan to a compromised system. Today, the situation remains the same, but with some changes, in particular, malicious Java .jar files, as well as Visual Basic Script and JavaScript scripts have been added to the list of Brazil’s most active threats.
Thus, it is clear that malicious script files have become very popular with intruders in the region. In this post we will look at several malicious scripts, as well as the mechanisms of their work. Such scripts are also used by attackers as downloads, but they provide attackers with a more flexible distribution scheme, as they can be easily integrated into web pages.
')
If you look at the statistics on the distribution of malware in Brazil in the first five months of 2016, we will see among them malicious obfuscated scripts with a general (generic) type of detection. Despite the fact that the payload they load may vary, we will see that there is a connection between detections of this type and banker trojans. Note that other malicious programs from the table of the most common threats to Brazil are written in a variety of programming languages.
Specialists from our anti-virus laboratory in Latin America have observed the use of the legitimate MEO cloud service to host malware files. In most cases, they were banking Trojans. Phishing emails were chosen as the propagation vector, which contained a link to download the malware.
As an example for consideration, let's take a malicious script called Boleto_NFe_1405201421.PDF.js, which is detected by ESET anti-virus products as VBS / Obfuscated.G .
Despite the fact that the script code is obfuscated, the method used for this is quite simple. Even without decrypting, we can see that the file disguised as an image is loaded at the specified URL into the ProgramData directory called flashplayer.exe, and then executed.
In turn, the flashplayer.exe file is a banking trojan downloader that loads and launches a third file called Edge.exe. This third file is detected by our AV products as Win32 / Spy.KeyLogger.NDW ; despite the name of this detection, in addition to fixing keystrokes, it also contains the functions of a banking trojan. Among its many features, it also gets the addresses of websites visited by the user and checks them with its list of online banking websites using the Dynamic Data Exchange (DDE) mechanism . We have previously recorded the use of a similar method by Trojans in previous campaigns. The difference between this case and the previous ones is that this time the trojan is aimed at compromising various web browsers.
The lines in the file are encrypted using an algorithm based on a simple XOR operation. Some of these lines are shown below. From them it is clear that the Trojan specializes in the theft of credentials of Brazilian online banking sites.
The threat statistics above show that attackers in Brazil began to switch to new platforms and programming languages in an attempt to avoid detection of their malicious code by antivirus products. However, the attacker's goals did not become different and the theft of online banking information is still the most profitable form of attack and, therefore, the most common.
Legitimate cloud storage services were also used by attackers to place malware on JavaScript, which is among the top ten most active threats in Brazil. In particular, we discovered there are a lot of malicious files that are detected by ESET AV products as Java / TrojanDownloader.Banload.AK .
These files are of type .jar with names like Boleto_Cobranca, Pedido_Atualizacao, or Imprimir_Debitos. After decompiling the code, we get it in obfuscated form with very long names of variables and methods.
Despite the obfuscation, we can see several names of imported functions in the file. The last five imported classes are related to encryption operations, as they use the symmetric DES algorithm. Thus, if we can identify the decryption methods used there, and also replace the names of the methods and variables with more understandable ones, we will get the following code as in the figure below.
The key used to decrypt strings is the name of a Java class. Therefore, if we adapt for ourselves the code of the main method of the malicious program, we will be able to decipher the lines in its body. We can parse the main class to search for these strings and then pass them on to our modified code to perform the decryption process. Below are the decrypted lines and their encrypted counterparts.
In the screenshot above, we highlighted the IP address of the server where the malware is associated with it. Please note that the address of the remote C & C server varies in different samples of the malware that we analyzed. Next, a file is created on Visual Basic Script, which is executed by the cscript.exe interpreter.
It is worth noting that the malware files we analyzed contained more features that could be identified by the names of the imported classes. One of the most interesting features of a malware is the ability to detect a virtualized environment. If such an environment is detected, the execution of the malicious code stops. Some other imported functions specialize in downloading files from the Internet, which can also be seen in the rest of the imports.
As we noted above, despite the fact that attackers use different programming languages, their goals have not been changed. The two loaders we analyzed were placed on a Portuguese data storage service. However, we discovered another bootloader that was placed on another cloud service. This last bootloader was written in Visual Basic Script.
All these threats use the same method of distribution - fraudulent emails that disguise as legitimate emails sent by banks. After receiving at our disposal this .vbs file, we see that it is subjected to obfuscation.
The main function of the script is presented in hexadecimal format and is encrypted using the XOR operation. We restored the original look of this Visual Basic Script code. He specializes in downloading the archive, which is supplied with a password. This archive is unpacked by another downloadable script application called 7za.exe. This application is not malicious, but is simply used to extract the executable file from the downloaded .zip archive. After extracting the executable file, it is launched for execution.
The comment in Portuguese “link do seu do modulo” in the source code snippet can be translated as “link to your module”. This comment leads us to believe that the script was created using a special script generator or that the code was copied from another source.
A file extracted and executed by a malicious script is detected by ESET AV products as Win32 / Packed.Autoit.R . Thus, we can see a variety of programming languages that are used by attackers. This Autoit script loads the banker trojan code into memory. The Trojan itself starts up in suspend mode and its image is replaced in memory with a malicious program, after which the execution of the code continues (this technique is known as RunPE).
The executable file implemented in the process memory is detected by ESET AV products as Win32 / Spy.Banker.ACSJ and is a banking Trojan written in Delphi (this is what we usually see in Brazil). In its body, there are also encrypted strings, for which a proprietary decryption algorithm is used, as in the case of the previously specified Trojan, which is installed by the JavaScript loader.
We will not discuss the details of the implementation of this banking Trojan, however, we point out that it does not use the above DDE method, as does the Trojan, which is installed by the JavaScript daunloader. Instead, it imports functions from the oleaut32.dll library, which allows automatic execution of malicious tasks when it detects a victim visiting certain banking websites using the Internet Explorer web browser. When a victim views one of these websites, the banking trojan downloads a fake form with images that are very similar to legitimate websites used on the web pages in order to obtain online banking account credentials.
We were able to associate the above threats, developed in several programming languages or platforms, with the same campaign. One can only wonder how many different methods and resources cybercriminals use to spread their threats in Brazil. Despite the fact that the last stage of these attacks is the installation of a banking trojan written in Delphi, we also see an update of the code of this trojan. This update allows cybercriminals to quickly overcome new security features of Brazilian banks.
Compromise Indicators (IoC)
SHA-1: 8ceaae91d20c9d1aa1fbd579fcfda6ecfdef8070
File name: Boleto_NFe_1405201421.PDF.js
Discovery name: VBS / Obfuscated.G
SHA-1: 016bd00717c69f85f003cbffb4ebc240189893ad
File name: flashplayer.exe
Detection name: Win32 / TrojanDownloader.Banload.XGT
SHA-1: c4c4f2a12ed69b95520e5d824854d12c8c4f80ab
File name: Edge.exe
Discovery name: Win32 / Spy.KeyLogger.NDW
SHA-1: 2c8385fbe7c4a57345bf72205a7c963f9f781900
File name: Imprimir_Debitos9874414541555.jar
Discovery name: Java / TrojanDownloader.Banload.AK
SHA-1: 363f04edd57087f9916bdbf502a2e8f1874f292c
File name: Atualizacao_de_Boleto_Vencido_10155455096293504.jar
Discovery name: Java / TrojanDownloader.Banload.AK
SHA-1: 8b50c2b5bb4fad5a0049610efc980296af43ddcd
File name: LU 1.jar
Discovery name: Java / TrojanDownloader.Banload.AK
SHA-1: d588a69a231aeb695bbc8ebc4285ca0490963685
File name: Comprovante Deposito-Acordo N7656576l (3) (4) (4) .vbs
Discovery name: VBS / TrojanDownloader.Agent.OGG
SHA-1: dde2af50498d30844f151b76cb6e39fc936534a7
File name: 7b0gct262q.exe
Discovery name: Win32 / Packed.Autoit.R
SHA-1: 256ad491d9d011c7d51105da77bf57e55c47f977
Discovery name: Win32 / Spy.Banker.ACSJ
Thus, it is clear that malicious script files have become very popular with intruders in the region. In this post we will look at several malicious scripts, as well as the mechanisms of their work. Such scripts are also used by attackers as downloads, but they provide attackers with a more flexible distribution scheme, as they can be easily integrated into web pages.
')
If you look at the statistics on the distribution of malware in Brazil in the first five months of 2016, we will see among them malicious obfuscated scripts with a general (generic) type of detection. Despite the fact that the payload they load may vary, we will see that there is a connection between detections of this type and banker trojans. Note that other malicious programs from the table of the most common threats to Brazil are written in a variety of programming languages.
Specialists from our anti-virus laboratory in Latin America have observed the use of the legitimate MEO cloud service to host malware files. In most cases, they were banking Trojans. Phishing emails were chosen as the propagation vector, which contained a link to download the malware.
As an example for consideration, let's take a malicious script called Boleto_NFe_1405201421.PDF.js, which is detected by ESET anti-virus products as VBS / Obfuscated.G .
Despite the fact that the script code is obfuscated, the method used for this is quite simple. Even without decrypting, we can see that the file disguised as an image is loaded at the specified URL into the ProgramData directory called flashplayer.exe, and then executed.
In turn, the flashplayer.exe file is a banking trojan downloader that loads and launches a third file called Edge.exe. This third file is detected by our AV products as Win32 / Spy.KeyLogger.NDW ; despite the name of this detection, in addition to fixing keystrokes, it also contains the functions of a banking trojan. Among its many features, it also gets the addresses of websites visited by the user and checks them with its list of online banking websites using the Dynamic Data Exchange (DDE) mechanism . We have previously recorded the use of a similar method by Trojans in previous campaigns. The difference between this case and the previous ones is that this time the trojan is aimed at compromising various web browsers.
The lines in the file are encrypted using an algorithm based on a simple XOR operation. Some of these lines are shown below. From them it is clear that the Trojan specializes in the theft of credentials of Brazilian online banking sites.
The threat statistics above show that attackers in Brazil began to switch to new platforms and programming languages in an attempt to avoid detection of their malicious code by antivirus products. However, the attacker's goals did not become different and the theft of online banking information is still the most profitable form of attack and, therefore, the most common.
Legitimate cloud storage services were also used by attackers to place malware on JavaScript, which is among the top ten most active threats in Brazil. In particular, we discovered there are a lot of malicious files that are detected by ESET AV products as Java / TrojanDownloader.Banload.AK .
These files are of type .jar with names like Boleto_Cobranca, Pedido_Atualizacao, or Imprimir_Debitos. After decompiling the code, we get it in obfuscated form with very long names of variables and methods.
Despite the obfuscation, we can see several names of imported functions in the file. The last five imported classes are related to encryption operations, as they use the symmetric DES algorithm. Thus, if we can identify the decryption methods used there, and also replace the names of the methods and variables with more understandable ones, we will get the following code as in the figure below.
The key used to decrypt strings is the name of a Java class. Therefore, if we adapt for ourselves the code of the main method of the malicious program, we will be able to decipher the lines in its body. We can parse the main class to search for these strings and then pass them on to our modified code to perform the decryption process. Below are the decrypted lines and their encrypted counterparts.
In the screenshot above, we highlighted the IP address of the server where the malware is associated with it. Please note that the address of the remote C & C server varies in different samples of the malware that we analyzed. Next, a file is created on Visual Basic Script, which is executed by the cscript.exe interpreter.
It is worth noting that the malware files we analyzed contained more features that could be identified by the names of the imported classes. One of the most interesting features of a malware is the ability to detect a virtualized environment. If such an environment is detected, the execution of the malicious code stops. Some other imported functions specialize in downloading files from the Internet, which can also be seen in the rest of the imports.
As we noted above, despite the fact that attackers use different programming languages, their goals have not been changed. The two loaders we analyzed were placed on a Portuguese data storage service. However, we discovered another bootloader that was placed on another cloud service. This last bootloader was written in Visual Basic Script.
All these threats use the same method of distribution - fraudulent emails that disguise as legitimate emails sent by banks. After receiving at our disposal this .vbs file, we see that it is subjected to obfuscation.
The main function of the script is presented in hexadecimal format and is encrypted using the XOR operation. We restored the original look of this Visual Basic Script code. He specializes in downloading the archive, which is supplied with a password. This archive is unpacked by another downloadable script application called 7za.exe. This application is not malicious, but is simply used to extract the executable file from the downloaded .zip archive. After extracting the executable file, it is launched for execution.
The comment in Portuguese “link do seu do modulo” in the source code snippet can be translated as “link to your module”. This comment leads us to believe that the script was created using a special script generator or that the code was copied from another source.
A file extracted and executed by a malicious script is detected by ESET AV products as Win32 / Packed.Autoit.R . Thus, we can see a variety of programming languages that are used by attackers. This Autoit script loads the banker trojan code into memory. The Trojan itself starts up in suspend mode and its image is replaced in memory with a malicious program, after which the execution of the code continues (this technique is known as RunPE).
The executable file implemented in the process memory is detected by ESET AV products as Win32 / Spy.Banker.ACSJ and is a banking Trojan written in Delphi (this is what we usually see in Brazil). In its body, there are also encrypted strings, for which a proprietary decryption algorithm is used, as in the case of the previously specified Trojan, which is installed by the JavaScript loader.
We will not discuss the details of the implementation of this banking Trojan, however, we point out that it does not use the above DDE method, as does the Trojan, which is installed by the JavaScript daunloader. Instead, it imports functions from the oleaut32.dll library, which allows automatic execution of malicious tasks when it detects a victim visiting certain banking websites using the Internet Explorer web browser. When a victim views one of these websites, the banking trojan downloads a fake form with images that are very similar to legitimate websites used on the web pages in order to obtain online banking account credentials.
We were able to associate the above threats, developed in several programming languages or platforms, with the same campaign. One can only wonder how many different methods and resources cybercriminals use to spread their threats in Brazil. Despite the fact that the last stage of these attacks is the installation of a banking trojan written in Delphi, we also see an update of the code of this trojan. This update allows cybercriminals to quickly overcome new security features of Brazilian banks.
Compromise Indicators (IoC)
SHA-1: 8ceaae91d20c9d1aa1fbd579fcfda6ecfdef8070
File name: Boleto_NFe_1405201421.PDF.js
Discovery name: VBS / Obfuscated.G
SHA-1: 016bd00717c69f85f003cbffb4ebc240189893ad
File name: flashplayer.exe
Detection name: Win32 / TrojanDownloader.Banload.XGT
SHA-1: c4c4f2a12ed69b95520e5d824854d12c8c4f80ab
File name: Edge.exe
Discovery name: Win32 / Spy.KeyLogger.NDW
SHA-1: 2c8385fbe7c4a57345bf72205a7c963f9f781900
File name: Imprimir_Debitos9874414541555.jar
Discovery name: Java / TrojanDownloader.Banload.AK
SHA-1: 363f04edd57087f9916bdbf502a2e8f1874f292c
File name: Atualizacao_de_Boleto_Vencido_10155455096293504.jar
Discovery name: Java / TrojanDownloader.Banload.AK
SHA-1: 8b50c2b5bb4fad5a0049610efc980296af43ddcd
File name: LU 1.jar
Discovery name: Java / TrojanDownloader.Banload.AK
SHA-1: d588a69a231aeb695bbc8ebc4285ca0490963685
File name: Comprovante Deposito-Acordo N7656576l (3) (4) (4) .vbs
Discovery name: VBS / TrojanDownloader.Agent.OGG
SHA-1: dde2af50498d30844f151b76cb6e39fc936534a7
File name: 7b0gct262q.exe
Discovery name: Win32 / Packed.Autoit.R
SHA-1: 256ad491d9d011c7d51105da77bf57e55c47f977
Discovery name: Win32 / Spy.Banker.ACSJ
Source: https://habr.com/ru/post/306432/
All Articles