Vulture Stealer: What Banload Misses, Chrome Extension Receives

PhishMe Intelligence™ has uncovered a phishing campaign that delivers a new loader/browser-plugin combination that we have dubbed Vulture Stealer. Vulture Stealer is a two-stage data stealer that includes a version of the Banload banking trojan. Paired with an extensive secondary stealer, however, it can target and gather information beyond Banload's reach within Google Chrome, effectively capturing any information entered in the compromised Chrome browser. This campaign, which uses Portuguese-language phishing messages, appears to target Brazilian banks and their customers. This is the first time PhishMe® has observed Banload coupled with a malicious browser extension.

The phishing email, which poses as a quote or invoice, carries a malicious HTML attachment that retrieves and downloads the loader component of Vulture Stealer. At runtime, the loader presents itself as an Adobe Acrobat PDF installer.

Figure 1 – The loader executable launches a fake PDF reader installation prompt

When the victim accepts the installation of the fake PDF reader, a .zip archive carrying a .dat extension is downloaded, and two executables are extracted from it and run. The first deploys Banload, a widespread malware family known for targeting the sign-in information of customers of Brazilian financial institutions, although it can steal other general information as well. The second drops a set of Google Chrome extension files into the appropriate directory.

A .lnk shortcut file is then dropped on the desktop. Once clicked, it launches Google Chrome with the malicious extension loaded and ready to capture all data entered in the browser.

The Chrome stealer executable launched by the .lnk is signed with a certificate that has since been revoked. Either the certificate was stolen and used to sign the file, or it was issued to an entity controlled by the threat actor and later revoked by the certification authority. Note that revocation only helps defenders whose signature checks actually consult revocation status (CRL or OCSP); a tool that merely verifies the certificate chain will still report the signature as valid.

Figure 2 – Suspicious signature information associated with malware

When loading the extension, the malware disables security features that might inhibit the successful deployment of the Chrome stealer. The .lnk file launches Chrome with two command-line switches: --disable-extensions-file-access-check, which makes the browser always allow extensions that inject script into file:// URLs without the usual user opt-in, and --always-authorize-plugins, which prevents Chrome from requiring authorization before running certain plugins. Neither switch is something a legitimate shortcut to Chrome needs, so their presence on a chrome.exe command line is a useful hunting indicator on its own.
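As an added example (not the report's code), here is a Node.js triage script that checks Chrome process-creation records for the switches described above. The two switch names are the real Chromium command-line switches; --load-extension is included on the assumption that a side-loaded unpacked extension is often launched that way, which the report does not state; the sample records are constructed in the shape of Sysmon Event ID 1 fields.

```javascript
// Added example, not from the PhishMe report: flag chrome.exe launches that
// carry the switches the Vulture Stealer .lnk uses to weaken extension checks.
// Switch names are real Chromium switches; sample records are constructed.

const RISKY_SWITCHES = {
  '--disable-extensions-file-access-check':
    'extensions may inject script into file:// URLs without user opt-in',
  '--always-authorize-plugins':
    'plugins run without the per-plugin authorization prompt',
  // Assumption: a side-loaded unpacked extension is commonly launched this way;
  // the report does not say whether this campaign uses it.
  '--load-extension':
    'unpacked extension side-loaded from a local directory',
};

// Split a Windows command line on whitespace, keeping quoted segments intact.
function tokenize(cmdline) {
  const tokens = [];
  const re = /"([^"]*)"|(\S+)/g;
  let m;
  while ((m = re.exec(cmdline)) !== null) {
    tokens.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return tokens;
}

// Return the risky switches present in one command line (empty array if none).
// The part before '=' is compared so '--load-extension=C:\x' still matches.
function riskySwitchesIn(cmdline) {
  const found = [];
  for (const tok of tokenize(cmdline)) {
    const name = tok.split('=')[0].toLowerCase();
    if (RISKY_SWITCHES[name] && !found.includes(name)) found.push(name);
  }
  return found;
}

// Only chrome.exe launches are in scope; the image path is matched case-insensitively.
function isChrome(image) {
  return /(^|[\\/])chrome\.exe$/i.test(image);
}

// Constructed process-creation records (Sysmon Event ID 1 style fields).
const SAMPLE_EVENTS = [
  { Image: 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe',
    CommandLine: '"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" --profile-directory=Default' },
  { Image: 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe',
    CommandLine: '"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" --disable-extensions-file-access-check --always-authorize-plugins' },
  { Image: 'C:\\Windows\\System32\\notepad.exe',
    CommandLine: 'notepad.exe --always-authorize-plugins' },
];

// Keep only Chrome launches that carry at least one risky switch.
function triage(events) {
  return events
    .filter((e) => isChrome(e.Image))
    .map((e) => ({ commandLine: e.CommandLine, hits: riskySwitchesIn(e.CommandLine) }))
    .filter((r) => r.hits.length > 0);
}

for (const h of triage(SAMPLE_EVENTS)) {
  console.log('suspicious chrome launch:', h.commandLine);
  for (const s of h.hits) console.log('   ', s, '->', RISKY_SWITCHES[s]);
}
```

The same check applies to the .lnk itself: the shortcut's target arguments are where these switches live, so parsing desktop .lnk files for them catches the dropper before the victim ever clicks.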

Figure 3 – Harmful browser extensions can give attackers access to a wealth of private information

Upon installation, the malicious Chrome plugin listens for every HTTP POST and PUT request made in the browser and forwards it to a port on the local machine (localhost, port 5555). A separate executable listens on that port and relays the captured information to an external command and control host.

This is uncommon behavior. Most stealers transmit data directly to an external resource and do not deploy a separate executable to listen on a localhost port. The redirection of data from the Google Chrome browser to localhost:5555 is documented in the figure below. This anomaly suggests the Vulture Stealer author may lack sophistication; alternatively, it may have been done deliberately to split the exfiltration path between two components in a way that increases the chance of evading detection, since the browser itself never contacts the command and control host.

Excerpts from the plugin's code show how data sent during a sign-in transaction (with the destination held in the obfuscated variable 0x8987x3 and redacted in the excerpt) is stored as byte data and then sent over a WebSocket to the listener on local port 5555.
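As an added example (not the report's code and not the real wdngtj.js), the following Node.js script is a static heuristic for the combination described above: an extension script that reads request bodies through the webRequest API and also opens a socket to a loopback address. The three sample scripts it scans are constructed for the example; the first is modelled on the behaviour the report describes, the other two show why each signal alone is not enough.

```javascript
// Added example, not from the PhishMe report: flag extension scripts that
// both intercept request bodies via chrome.webRequest and connect to a
// loopback endpoint. All sample scripts below are constructed.

const LOOPBACK_URL =
  /\b(wss?|https?):\/\/(127\.0\.0\.1|localhost|\[::1\])(?::(\d{1,5}))?/g;
const WEBREQUEST_LISTENER = /chrome\.webRequest\.onBeforeRequest\.addListener/;
const REQUEST_BODY_OPT = /["']requestBody["']/;
const WRITE_METHOD = /["'](POST|PUT)["']/;

// Collect every loopback endpoint the script connects to.
function loopbackTargets(source) {
  const targets = [];
  let m;
  LOOPBACK_URL.lastIndex = 0;
  while ((m = LOOPBACK_URL.exec(source)) !== null) {
    targets.push({ scheme: m[1], host: m[2], port: m[3] ? Number(m[3]) : null });
  }
  return targets;
}

// Score one extension script and return the evidence with a verdict:
//   high   - reads request bodies AND talks to loopback (the report's pattern)
//   medium - reads request bodies only
//   low    - talks to loopback only (dev servers, native helpers)
//   clean  - neither
function scanExtensionScript(source) {
  const interceptsRequests = WEBREQUEST_LISTENER.test(source);
  const readsBodies = interceptsRequests && REQUEST_BODY_OPT.test(source);
  const filtersWrites = WRITE_METHOD.test(source);
  const targets = loopbackTargets(source);
  let verdict = 'clean';
  if (readsBodies && targets.length > 0) verdict = 'high';
  else if (readsBodies) verdict = 'medium';
  else if (targets.length > 0) verdict = 'low';
  return { interceptsRequests, readsBodies, filtersWrites, loopbackTargets: targets, verdict };
}

// Constructed sample modelled on the behaviour the report describes:
// forward POST/PUT bodies over a WebSocket to 127.0.0.1:5555.
const SAMPLE_STEALER = `
chrome.webRequest.onBeforeRequest.addListener(function (d) {
  if (d.method === "POST" || d.method === "PUT") {
    var ws = new WebSocket("ws://127.0.0.1:5555");
    ws.onopen = function () { ws.send(JSON.stringify({ u: d.url, b: d.requestBody })); };
  }
}, { urls: ["<all_urls>"] }, ["requestBody"]);
`;

// Constructed sample: a blocking listener that never reads bodies or talks to loopback.
const SAMPLE_BLOCKER = `
chrome.webRequest.onBeforeRequest.addListener(function (d) {
  return { cancel: /ads\\.example/.test(d.url) };
}, { urls: ["<all_urls>"] }, ["blocking"]);
`;

// Constructed sample: talks to a local dev server but does not intercept requests.
const SAMPLE_DEVTOOL = `
fetch("http://localhost:3000/status").then(r => r.json());
`;

// Scan a name -> source map and return a name -> result map.
function scanAll(samples) {
  const out = {};
  for (const [name, src] of Object.entries(samples)) out[name] = scanExtensionScript(src);
  return out;
}

const results = scanAll({ stealer: SAMPLE_STEALER, blocker: SAMPLE_BLOCKER, devtool: SAMPLE_DEVTOOL });
for (const [name, r] of Object.entries(results)) {
  const where = r.loopbackTargets.map((t) => `${t.host}:${t.port}`).join(',') || '-';
  console.log(name.padEnd(8), r.verdict.padEnd(7), 'bodies:', r.readsBodies, 'loopback:', where);
}
```

Obfuscated samples such as the real plugin will not always expose the literal "ws://127.0.0.1:5555", so this heuristic is a triage aid rather than a detection rule; the host-side complement is to look for a non-browser process bound to a loopback port that chrome.exe connects to.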

Figure 4 – Code excerpts demonstrate how a plugin can use a local listener to exfiltrate data

Vulture Stealer is an example of an unusual interplay between otherwise simple components that together form an elaborate data exfiltration scheme. Malware authors constantly seek new ways to evade technical controls and steal private information, and these techniques often rely not on high-profile, closely held exploits but on simpler avenues. Combined with the tried-and-true delivery provided by phishing email, attackers can construct elaborate, effective, reliable, yet simple means of gaining access to protected environments.


Phishing email subject:
Orçamento do pedido 197783 – 08/11/2017 16:22:11 (Portuguese: "Quote for order 197783 – 08/11/2017 16:22:11")

Malware attachment:

Orcamento_A12B34F1.html

MD5: 6b076500653d88dafba58cff62e34c6e

SHA256: 96f9b59b280a36d60653a57e1a7dfbc040918267580ee3abdb22ae39f9fe689a

Loader binary:

1100025.6148700.3779136.1100011.exe

MD5: 70e23681785d1cb623b3ae4bc031e54c

SHA256: edee6798e6e3f8e4e182d090d296d1885b7a85096eea50f2c452bcef6774677e

Vulture Stealer binary:

MD080134.exe

MD5: 6768063757ee3d478edc348e3c7cc98f

SHA256: 85927f7f14703c8f230e83c1449be9b5ec86965a3c61551f31583617a00f04c0

Vulture Stealer browser plugin JavaScript:

wdngtj.js

MD5: 276b46cddebbcf7c3c2aa4c614fd2e18

SHA256: 03616f4bdae2f50967712848b56321e44c90fdb414bb983d99a497fde5679378

Vulture Stealer exfiltration resource:

200[.]98.138[.]101

For more technical details, PhishMe Intelligence customers can reference our reporting in Threat ID 10297.


Mollie Holleman and Darrel Rendell contributed to this report.
