Another wave of Brazilian malspam leads to banking trojan

In October of 2017 we blogged about a phishing campaign specifically targeting Brazilian Portuguese- speaking users.

Back then, the campaign distributed a malicious Chrome browser extension. More recently, we have observed a wave of emails that have remarkably similar characteristics. This time around, the malware of choice is a banking trojan.

In the image below, we see an email suggesting that it delivers a resume from a job-seeker. This message content may seem familiar as it has same characteristics we saw in the emails distributing the malicious Chrome extension. Each message contains a photograph of a woman with an identical text in both campaigns.

Image 1: Mail message received by users

The message presents two links abusing the goo.gl URL shortening service. One points to the photograph that is shown in the message and the other enables the download of the malware. An analysis of the downloads made through these links, using the tools provided by the URL shortener service provider, reveals the impact by country.

 

Image 2: Saturation of visits to shortened phishing URL by country

Different shortened links were used in each wave of messages sent by these phishers. These URL shorteners usually point to a redirector, which in turn leads to the link that serves the first phase of the malware.

Sample redirector:

hxxps://julietemuoura[.]com[.]br/XgwK6iK.php?669651322

First malware stage:

hxxps://cld[.]pt/dl/download/588c9523-cf45-44b1-8dd6-55fe247af7c9/CURRICx002017.zip?download=true

This link provides victims with a ZIP archive. Inside, is the malware responsible for downloading the next stage.

Filename: CURRICx002017.zip

MD5: 17893B7BDE7C12BE81957DFA0179CAE7

SHA256: 1B2D13A8A6D8F9FB46892A1497A3408A57BC0BB575DFDE2866B3B203EAFA9129

Size: 17,200 bytes

Filename: CURRICx002017.exe

MD5: CCA79892602584CAD97EF588052BC8AF

SHA256: 09EC7EF8A22CA694186A2CEF068B75EECED4FB82A217B01A0773CD809878FC10

Size: 38,912 bytes

Upon execution, this malware pretends to be an instance of the Adobe Reader application. Meanwhile, in the background, the malware downloads its next component.

Image 3: Window shown by the first stage executable

The next component is a VBS script, downloaded through an HTTP request to the following  URL:

hxxp://joguesix[.]com[.]br/fgtegerg2/load1.php

Image 4: Second stage encoded VBS script

Once deobfuscated, this script demonstrates the ability to perform a number of system inspection operations. These checks are performed to determine whether the machine is considered suitable to the attacker.

Image 5: Code used to detect the presence of virtualization

The script is designed to detect the language of the system. It also checks whether the machine is virtualized. These checks are performed as a means of evading analysis as well as to ensure the attack impacts computers that suit their preferences and needs. The malware will only continue with its execution if no virtualization has been found and the language is Portuguese (Brazil).

Image 6: Code used to detect the system language settings

The final result is the download of a last stage component from the following URL:

hxxp://joguesix[.]com[.]br/fgtegerg2/shta.klu

This component is a ZIP archive of names with a “.klu” extension:

Filename: shta.klu

MD5: 5525ED000EFE72910D3DC7F7FAEA1912

SHA256: 603CB8DE20803CC7E97643FAB4B50A709F9E9FC21F822EF2D1D7F5ABD8B751CA

Size: 232,875 bytes

Which contains the following file:

Filename: sht

MD5: 634F7F1262D71DAAE5890CC36AFF6952

SHA256: EE169075E79A5BFB9BA2BA13217484516E910652FDDD07768382EFE17615C724

Size: 275,456 bytes

This is a 32BIT DLL file written in DELPHI. Its initialization code is not present in the DllEntryPoint procedure. Instead, the DLL exports a function with the name SHTE443G11, which the previous component calls to continue with the infection process. Upon execution, it makes various requests to its control panel:

hxxp://joguesix[.]com[.]br/fgtegerg2/shta1.klu

hxxp://joguesix[.]com[.]br/fgtegerg2/shta9.klu

It is noteworthy that manual access to these links show us a “suspended account” page. In spite of this, the malicious components are present and downloaded without problems. This indicates that the “suspended account” message may be an intended decoy to mislead researchers.

Image 7: Manually accessing the control panel

The process concludes with the installation in the system of this latest component, creating the following structure on the user’s PUBLIC folder.

Image 8: Structure of malware files installed on the system

The threat actors have developed a complex system consisting of multiple stages for downloading their malware. The campaign is addressed only to users based in Brazil, not only for the content of the message but also the different checks that their authors have placed in the different phases.

This campaign’s coincidences, like ones we have revealed in the past, underscore that cyber criminals employ different malware families in their different campaigns.

Sign up for free threat alerts from PhishMe Intelligence™ and PhishMe® Research.

PhishMe Attains SOC 2 Type I Compliance Across PhishMe Simulator and hosted PhishMe Triage Product Offerings
PhishMe Honored with Five Wins at the 2018 Cybersecurity Excellence Awards

Leave a Reply