Banking trojan campaign uses commercial packers to target Brazilian users

Be wary of suspicious emails.

Banking trojan campaign uses commercial packers to target Brazilian users

A banking trojan campaign is using commercial packing platforms to evade analysis and thereby successfully infect unsuspecting users.

Attacks begin when a user receives a spam email. The emails are written in Portuguese to improve the chances that a Brazilian user will open the message, click the HTML attachment named BOLETO_2248_.html, accept two redirects leading to a .rar file, open the archive, and double click a JAR file. These steps initiate installation of the banking trojan.

Image2

Malicious spam email sample. (Source: Cisco Talos)

Double clicking the JAR file loads up malicious code that, in turn, retrieves binaries for the banking trojan. The first binary it executes is called "vm.png." It's a legitimate binary signed by VMware that comes with vmwarebase.dll, a malicious dependency.

Warren Mercer, Paul Rascagneres, and Vanja Svajcer of Cisco Talos explain the attackers crafted that binary execution chain deliberately:

"This technique has been used previously by other actors such as PlugX. The idea behind this approach is that some security products have the following trust chain: if a first binary is trusted (vm.png in our case), the loaded libraries are automatically trusted. The loading technique can bypass some security checks."

At that point, the vmwarebase.dll code injects and executes prs.png code in explorer.exe. Doing so loads up the banking trojan's main module, which comes with an autostart registry key and the ability to inspect the user's window in the foreground for titles of well known financial institutions based in Brazil. The main module also executes a binary gps.png with undll32.exe, the library for which is packed using Themida.

Image1

rundll32.exe. (Source: Cisco Talos)

Mercer, Rascagneres and Svajcer are concerned by this development:

"Financial gain will continue to be a huge motivator for attackers and as with this sample the evolution of the malware continues to grow. Using commercial packing platforms like Themida will continue to make analysis difficult for analysts and shows that some attackers are willing to obtain these types of commercial packers in an attempt to thwart analysis."

Acknowledging the ongoing threat posed by and evolution of banking trojans, users should follow security best practices to protect themselves against common digital threats. Those recommendations include exercising caution around suspicious links and email attachments, not downloading files from unfamiliar web resources, and installing an anti-virus solution on their machines.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

One Response

  1. Mark Jacobs

    October 2, 2017 at 4:15 pm #

    "Doing so loads up the banking trojan's main module, which comes with an autostart registry key …"

    That would be spotted by a product like MJ Registry Watcher fairly immediately!

Leave a Reply