Our Phishing Defense Center recently detected a significant increase in the number of emails with malware designed exclusively to target users in Brazil.
As attackers grow in sophistication and skill, we continue to observe them planning attacks that are narrower in scope, to maximize success and avoid detection. In this article we review one such attack.
First, a little background. Some time ago, cybercriminals used rudimentary techniques in attacks against online banking users in LATAM countries. RATs were common, and we rarely found the advanced web injects seen in the banking malware that affected other regions. This has changed over time: banking malware affecting LATAM entities has become more complex, and targeted attacks against users in a particular country are now common.
The attack begins by homing in on local targets.
It all starts with the arrival of an email with the subject ‘CURRICULO 1931520530 Data: 05/10/2017’ or a similar variation in which the number after “CURRICULO” changes from one message to the next. The body of the email is fairly consistent, as illustrated below.
Figure 1: Body of email targeting users in Brazil
There are two links for us to consider:
- The first points to the photograph: hxxps://goo.gl/mrwnAv, which resolves to hxxp://i.imgur.com/hX0h47N.png?512587136. According to Google Analytics, this link has been clicked 96K times.
- The second, at the end of the message, carries the text “vizualisar_curriculo_pfd” (“view résumé PDF”): hxxps://goo.gl/56Jsjs, which resolves to hxxp://jcmaterialhall.com.br/campdown.php?1562242221. Interestingly, this second link shows only 36 clicks.
The second link leads to a PHP script that determines whether the source IP address of the request is in Brazil; only then does a download occur.
Once the visitor is confirmed to come from a Brazilian IP address, a file named “Curric” followed by a random number, with a ZIP extension, is downloaded to the victim’s computer.
File: Curric1227461.zip
MD5: E383BBF30F87E27EAF990906C6AEAFBA
SHA1: 0C5A33335C15D89F1B97881230CEFE66D0964C76
SHA256: 49956D4F0A5882CE99250F6D05241B2BDB1A7A8A5C6C0D2FBD0E8C6B5EEC35DB
If the user gives in to curiosity and unzips this file, they will find a VBS script inside, as shown below:
Curric1227461.vbs
MD5: 749FDF03AF445CF15F1F4159B8C07BB1
SHA1: 5F4C195966EC92B4007BD71F7A6256A8244EAEE6
SHA256: AD055028BFCD008D8AE447FF192EDFF88D2708A61E20462B50FF1A174E9D8CB2
A first look at this VBS file reveals the following instruction:
Figure 2: Malware checks to infect only Brazilian systems
When the VBS “SetLocale” function is called with no arguments, it resets the script locale to the host default (usually the user default) and returns the ID of the previous locale. The script compares that value with 1046, the locale ID for pt-BR (Portuguese – Brazil), so that the next step of the attack only runs on systems whose language is Portuguese – Brazil.
The attacker covers his traces.
Next, the attacker runs code on the victim. The instructions below are obfuscated: the author builds the code he wants to execute step by step in a variable, applying several string substitutions to hide its contents.
Figure 3: First stage obfuscated VBS code
Finally, the author calls the “Execute” function on the finished code, held in the variable “variavel” (Portuguese for “variable”).
Figure 4: The malware runs the code that downloads the next component
Since this is a VBS script in clear text, we can edit it with any text editor. To read the obfuscated code, we modify the last steps of the script.
First, we create a “Scripting.FileSystemObject” object and, through it, a file on the desktop. We then replace the “Execute” call with a “Write” to the file object we just created. This way the decoded code is written to our file instead of being run.
Figure 5: This small fragment of code allows us to see the 1st stage script in clear text
After these modifications we run the script again. A file is created containing the de-obfuscated code, which turns out to be a script that downloads and executes the next malicious component.
Figure 6: The 1st stage script in clear
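The edit just described (swap the final “Execute” for a write to a file) can be applied mechanically, and for the common “build a string, run Replace() on it a few times, Execute it” pattern the string can even be recovered without running any VBS at all. The following Python is an added example, not code from the article or from the malware; the VBS sample inside it is constructed, and the regular expressions only handle the simple forms shown (a single variable passed to Execute, a literal assignment followed by Replace() calls on the same variable).

```python
import re
from typing import Optional

# Constructed stand-in for the obfuscated dropper: the real script builds its
# payload in "variavel" through many Replace() calls; this one uses two.
SAMPLE_VBS = '''Dim variavel
variavel = "Ms#gBox ""hel@@lo"""
variavel = Replace(variavel, "@@", "")
variavel = Replace(variavel, "#", "")
Execute variavel
'''

# A line that hands a single variable to Execute / ExecuteGlobal, e.g.
# "Execute variavel" or "Execute(variavel)".  Expressions are not matched.
EXECUTE_RE = re.compile(
    r'^(\s*)Execute(?:Global)?\s*\(?\s*(\w+)\s*\)?\s*$', re.IGNORECASE | re.MULTILINE)

# variavel = "literal"    and    variavel = Replace(variavel, "old", "new")
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"]|"")*)"\s*$')
REPLACE_RE = re.compile(
    r'^\s*(\w+)\s*=\s*Replace\(\s*(\w+)\s*,\s*"((?:[^"]|"")*)"\s*,\s*"((?:[^"]|"")*)"\s*\)\s*$',
    re.IGNORECASE)


def neutralise_execute(vbs_source: str, dump_path: str = "decoded_stage.txt") -> str:
    """Return a copy of the script in which each 'Execute <var>' statement is
    replaced by FileSystemObject code that writes <var> to dump_path.  Running
    the patched copy (inside an isolated analysis VM) dumps the decoded stage
    instead of executing it, which is the edit the article describes."""
    def to_dump(match):
        indent, var = match.group(1), match.group(2)
        return (f'{indent}Set dumpFso = CreateObject("Scripting.FileSystemObject")\n'
                f'{indent}Set dumpFile = dumpFso.CreateTextFile("{dump_path}", True)\n'
                f'{indent}dumpFile.Write {var}\n'
                f'{indent}dumpFile.Close')
    patched, count = EXECUTE_RE.subn(to_dump, vbs_source)
    if count == 0:
        raise ValueError("no 'Execute <variable>' statement found")
    return patched


def _unquote(literal: str) -> str:
    return literal.replace('""', '"')   # VBS doubles quotes inside string literals


def static_decode(vbs_source: str, var: str) -> Optional[str]:
    """Replay the 'var = "..."' assignment and the chain of
    'var = Replace(var, "old", "new")' lines without running any VBS.
    Returns None if the script builds the variable some other way."""
    value = None
    for line in vbs_source.splitlines():
        m = ASSIGN_RE.match(line)
        if m and m.group(1).lower() == var.lower():
            value = _unquote(m.group(2))
            continue
        m = REPLACE_RE.match(line)
        if (m and value is not None
                and m.group(1).lower() == var.lower() == m.group(2).lower()):
            value = value.replace(_unquote(m.group(3)), _unquote(m.group(4)))
    return value


if __name__ == "__main__":
    print(neutralise_execute(SAMPLE_VBS))
    print("statically decoded:", static_decode(SAMPLE_VBS, "variavel"))
```

`static_decode` is the quicker route when it works; `neutralise_execute` is the fallback for scripts whose decoding logic is more involved, since it lets the script's own code do the work while never letting the result run.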
Notice the “SetLocale” call, used again to check for locale ID 1046 (Brazil). The URL from which the next component is downloaded can now also be read in clear text:
hxxp://selectyourdb.com/xlog7.php
The domain was registered on the 2nd of October 2017, only a few days before it was being used for malicious purposes.
The malicious script above issues a POST request that includes the parameter “c=55”. When this parameter is absent (a different value is sent, or a plain GET request is made), the server redirects to an image file (divulgação69.jpg), shown below, instead of serving the next malicious component.
Figure 7: divulgação69.jpg image retrieved from GET request
The picture is stored under the following location:
hxxp://esportes.r7.com/blogs/cosme-rimoli/files/2010/09/divulga%C3%A7%C3%A3o69.jpg
We can simulate this POST request without any extra tool, simply by typing the following code into a “.html” file:
Figure 8: A small HTML code allows us to emulate the POST request and download the 2nd stage component
After opening this HTML file in our browser and pressing ENTER, we receive the next piece of code:
Figure 9: We downloaded the 2nd stage component, another encoded script
This code has no filename: the previous malicious script reads it directly from the server into the “xxx5” variable and runs it with the “Execute” VBS function. The following IOCs may nevertheless be useful:
MD5: FC8033079FB9E56344E8BC77DB7437F0
SHA1: 4F141297FD9F443FFE2943EA8939739759A9499F
SHA256: 41135E5E918A4F00C2A2D441C5F02977923091216949E627E12E19B15A74C421
We now face the second component: a VBS script that hides its true intention under a layer of obfuscation. This time, the final content is hidden as a Base64-encoded string.
Figure 10: We note that this component is base64 encoded
Underneath it all lurks a malicious Chrome extension.
After decoding the BASE64 part, we find the code in charge of the download and installation of the final component: a malicious extension for Google Chrome.
We note that this is much more complex code. Again, we find code intended solely for Brazilian users:
Figure 11: Checks to ensure that it is a Brazilian system, also present in this 2nd stage component
We see the value of “System.CountryCode” compared with 55 under several conditions. Country code values are based on international telephone dialling prefixes; 55 is the prefix for Brazil.
Among other functions, this code identifies and enumerates certain system components and sends that information to the command & control panel.
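Both geofencing checks seen so far (the locale test against 1046 in the first stage and the country-code test against 55 in the second) are cheap to detect statically, provided the scanner also looks inside the Base64 layer that hides the second stage. The following Python is an added example, not code from the article; the two VBS fragments it scans are constructed for the test and contain only the checks themselves, and the regular expressions are deliberately loose (they flag the check and its constant appearing close together, not an exact syntax).

```python
import base64
import binascii
import re

# Indicators of the two geofencing checks seen in this sample: a VBS locale
# test against 1046 (pt-BR) and a WMI CountryCode test against 55 (Brazil).
# The lazy .{0,N}? keeps the check and its constant close together.
GEOFENCE_PATTERNS = {
    "vbs_locale_1046":    re.compile(r'SetLocale\b.{0,80}?\b1046\b', re.I | re.S),
    "wmi_countrycode_55": re.compile(r'CountryCode\b.{0,40}?\b55\b', re.I | re.S),
}
# A long run of Base64 alphabet characters, the shape of the hidden 2nd stage.
B64_BLOB_RE = re.compile(r'[A-Za-z0-9+/]{200,}={0,2}')
SCRIPT_HINTS = ("CreateObject", "Execute", "WScript", "GetObject", "MSXML2")

# Constructed inner stage: only the country check and the hand-off to a
# (hypothetical) next component, no download logic.
INNER_STAGE = '''Set wmi = GetObject("winmgmts:\\\\.\\root\\cimv2")
For Each os In wmi.ExecQuery("Select CountryCode From Win32_OperatingSystem")
    If os.CountryCode = "55" Then
        Execute nextStage      ' nextStage would hold the 3rd component
    End If
Next
'''
# Constructed outer stage: locale check, then the inner stage as Base64.
OUTER_STAGE = '''prev = SetLocale("")
If prev = 1046 Then
    cod = "%s"
    ' (Base64 decoding and Execute of cod omitted in this constructed sample)
End If
''' % base64.b64encode(INNER_STAGE.encode("latin-1")).decode("ascii")


def decode_base64_blobs(script: str) -> list:
    """Find and decode every long Base64 run; report which script keywords
    the decoded bytes contain so an analyst can spot a hidden script layer."""
    found = []
    for m in B64_BLOB_RE.finditer(script):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue                      # long token that is not valid Base64
        text = raw.decode("latin-1")      # never fails; keeps every byte value
        hints = [h for h in SCRIPT_HINTS if h.lower() in text.lower()]
        found.append({"offset": m.start(), "size": len(raw),
                      "script_hints": hints, "text": text})
    return found


def geofence_indicators(script: str) -> list:
    """Return (layer, indicator) pairs for the outer script and each decoded
    Base64 layer, so a check hidden one layer down is still reported."""
    layers = [("outer", script)]
    layers += [(f"base64@{b['offset']}", b["text"]) for b in decode_base64_blobs(script)]
    hits = []
    for layer_name, text in layers:
        for name, pattern in GEOFENCE_PATTERNS.items():
            if pattern.search(text):
                hits.append((layer_name, name))
    return hits


if __name__ == "__main__":
    for layer, name in geofence_indicators(OUTER_STAGE):
        print(f"{layer}: {name}")
```

A hit on either indicator is not proof of malice on its own (legitimate installers localise too), but a locale or country gate combined with a long Base64 blob that decodes to something containing “Execute” is exactly the shape of the sample described here and is worth a second look.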
Figure 12: The malware sends information about the infected system to the command & control server
To enhance success and stay undetected, the information gathered on the system is used, among other things, to identify certain malware analysis environments and tools. The command and control panel will not let us download the Chrome extension if any of these tools is detected.
To get past this mechanism, we captured the requests sent to the command and control server and removed the information about these analysis tools.
Figure 13: This is how the command & control server learns which software is installed on the infected system. From that information it decides whether to allow us to download the next component.
The command and control server then redirects us to the final URL from which we can download the malicious CHROME extension:
hxxp://storage.googleapis.com/reversiva/top062b.zip
Within this ZIP file we find the different components of the extension:
myinside.dll
MD5: BBFD321CC6A0FD1A272564B925AEDC2F
SHA1: 9AEEECAD823F4AF1D9177F069672D942402FE431
SHA256: 98DAA1F017C16C5C36FF7C90E0F9C3F6E6E4F9E530F23818AC101438F4F9E235
1.js
MD5: 3A2A32ADC16D81F730238C0FDD4D50D3
SHA1: 2A7BADBEF544DCB184AC179C3D62421DBEF4ECC4
SHA256: B35AC3693DE51BD644DE1266E2781F9493A60C7D557AA2C75E56985CA4B90A29
2.js
MD5: F26638ACEC572AB922A226E9CFE9ECD2
SHA1: D1CA99B420FD728AD883A60E3FAAFA4FFA360283
SHA256: 2AE96DBB1E3D4B1B091B078F798CAF0D199815B4DE3765D4A26A047839437480
3.js
MD5: 1332E9F8CD9DB357A18333B8AE9BE163
SHA1: 149E840A66F394E3DC72ECC669F1225177E31219
SHA256: CC51ADD9A34CE1B9AC73F71D084D9121E4B64C767A2D231965CAFF05A048A152
6.js
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA1: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
eventPage.js
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA1: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
(The MD5, SHA1 and SHA256 values listed for 6.js and eventPage.js are the well-known digests of empty input, so both files are zero bytes long in this sample.)
manifest.json
MD5: 1DF55CAE76617EB183D354032C7F255C
SHA1: 8C7366F632A3C6158DA599B79540083499497438
SHA256: 5E7538898188F0FEAAC5834371E6A5CF3A4C315ECD0417E6975534E6BCE0D6B1
The goal of this malicious extension is to capture the information the browser sends to websites and react to certain keywords. Because it is an extension, the malicious code runs as part of the browser itself, which gives it access to any information passing through it, including the contents of HTTPS traffic, bank details, passwords, etc.
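What gives an extension that reach is the set of permissions and content-script matches declared in its manifest.json, and those can be reviewed without running anything. The following Python is an added example, not code from the article and not the manifest from this sample (the article does not show its contents); the manifest it audits is constructed, uses generic file names, and is written in the manifest version 2 format that Chrome extensions used in 2017.

```python
import json

# Constructed manifest with the permission profile an extension needs in order
# to read and react to everything the browser sends; not the sample's manifest.
CONSTRUCTED_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Helper",
    "version": "1.0",
    "permissions": ["webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
    "background": {"scripts": ["background.js"], "persistent": True},
    "content_scripts": [{
        "matches": ["<all_urls>"],
        "js": ["content.js"],
        "run_at": "document_start",
        "all_frames": True,
    }],
})

# Constructed benign manifest for comparison: a single site, local storage only.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Notes",
    "version": "1.0",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["notes.js"]}],
})

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
TRAFFIC_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                "proxy", "debugger"}
SESSION_APIS = {"cookies", "tabs", "history", "clipboardRead", "nativeMessaging"}


def audit_manifest(manifest_json: str) -> list:
    """Return (severity, description) findings for the capabilities that let
    an extension observe or alter traffic for every site the user visits."""
    m = json.loads(manifest_json)
    # MV2 lists host patterns under "permissions"; MV3 moved them to
    # "host_permissions", so both keys are merged here.
    perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    findings = []
    if perms & BROAD_HOSTS:
        findings.append(("high", "host access to every site: "
                         + ", ".join(sorted(perms & BROAD_HOSTS))))
    if perms & TRAFFIC_APIS:
        findings.append(("high", "can observe or alter browser requests: "
                         + ", ".join(sorted(perms & TRAFFIC_APIS))))
    if perms & SESSION_APIS:
        findings.append(("medium", "session or clipboard access: "
                         + ", ".join(sorted(perms & SESSION_APIS))))
    for cs in m.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            where = "all frames of " if cs.get("all_frames") else ""
            findings.append(("high", f"content scripts {', '.join(cs.get('js', []))} "
                             f"run in {where}every page at {cs.get('run_at', 'document_idle')}"))
    return findings


def risk_score(findings: list) -> int:
    """Crude triage score: 3 per high finding, 1 per medium finding."""
    weights = {"high": 3, "medium": 1}
    return sum(weights[severity] for severity, _ in findings)


if __name__ == "__main__":
    for label, manifest in (("constructed", CONSTRUCTED_MANIFEST), ("benign", BENIGN_MANIFEST)):
        findings = audit_manifest(manifest)
        print(f"{label}: score {risk_score(findings)}")
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

On a managed fleet the same checks can be run over the extensions directory of each Chrome profile, or over the extension IDs allowed by policy, to surface extensions that combine webRequest with access to every site.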
Conclusion: in this case we find malware that incorporates checks in each of its modules to ensure that only users in Brazil are infected. This targeting lets the criminals fine-tune their attack while avoiding early detection by public malware analysis services and sandboxes.