Our Phishing Defense Center recently detected a significant increase in the number of emails with malware designed exclusively to target users in Brazil.
As attackers grow in sophistication and skill, we continue to observe that they are planning their attacks to be smaller in scope to maximize success and avoid detection. In this article we are going to review one such attack.
First, a little more background. Some time ago, cybercriminals used rudimentary techniques in attacks against users of online banking in LATAM countries. The use of RATs was common and we did not often find the advanced web injects that were observed in the banking malware that affected other regions. This has changed over time. Banking malware affecting LATAM entities has become more complex, and it is common to find targeted attacks against users in a particular country.
The attack begins by honing in on local targets.
It all starts with the arrival of an email with the subject ‘CURRICULO 1931520530 Data: 05/10/2017’ or similar variations, where the numbers after “CURRICULO” change from one message to the next. The body of the email is fairly consistent, as illustrated below.
Figure 1: Body of email targeting users in Brazil
There are two links for us to consider:
- The first points to the photograph: hxxps://goo.gl/mrwnAv, which resolves to hxxp://i.imgur.com/hX0h47N.png?512587136. This link has been clicked on 96K times, according to Google analytics.
- The second, at the end of the message with the text “vizualisar_curriculo_pfd” (to view the curriculum): hxxps://goo.gl/56Jsjs. This shortened URL points to hxxp://jcmaterialhall.com.br/campdown.php?1562242221. Interestingly, this second link shows only 36 clicks.
The second link leads to a PHP script that determines whether the source IP address of the request is from Brazil. Only if it is does the download occur.
Upon determining that the user is coming from an IP in Brazil, a file named “curic” followed by a random number and a ZIP extension is downloaded to the victim’s computer.
If the user yields to his curiosity and unzips this file, inside he will find a VBS script, as shown below:
A first look at this VBS file reveals the following instruction:
Figure 2: Malware checks to infect only Brazilian systems
When the VBS “SetLocale” function is called with no arguments, it resets the script locale back to the host default, which is usually the user default, and returns the value of the previous locale ID. The script compares that value with 1046, the locale ID for pt-br (Portuguese – Brazil), so that the next step of the attack runs only on systems using the Portuguese – Brazil language.
The attacker covers his traces.
Next, the attacker runs code on the victim’s machine. The instructions below are obfuscated: the author builds the code he wants to execute step by step in a variable, on which he performs several substitutions to hide its contents.
Figure 3: First stage obfuscated VBS code
Finally, the author calls the “execute” function to run the final code, contained in the variable “variavel”, which is the Portuguese word for variable.
Figure 4: The malware runs the code that downloads the next component
Since this is a VBS script in clear text, we can edit it without problems using any text editor. To read the obfuscated code, we modify the last steps of the script.
First, we create a “Scripting.FileSystemObject” object and, through it, a file on the desktop. We then replace the “execute” call with a “write” to the file object we just created. This way the decoded code is written to our file instead of being run.
Figure 5: This small fragment of code allows us to see the 1st stage script in clear text
After these modifications we run the malicious script again. A file is created containing the de-obfuscated code, and we can see that it is a script intended to download and execute the next malicious component.
Figure 6: The 1st stage script in clear
Notice the “SetLocale” function call used again to check for locale ID 1046, corresponding to Brazil. Also, the URL to download the next component can now be read in clear text.
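The locale gate and the Execute-to-write trick described above can be automated for triage. The following is an added example in Python (not code from the article or its author): it scores a VBS file on the static indicators the article describes, and rewrites it so that Execute dumps the decoded stage to a file, exactly as the manual edit does. SAMPLE_VBS, the regular expressions and the dump path are constructed assumptions that only mimic the described structure, not the real sample; the rewritten script still has to be run under cscript.exe in an isolated VM to produce the dump.

```python
"""Triage and defanging helper for first-stage VBS droppers.

Added example, not code from the original article or its author. SAMPLE_VBS
is a constructed stand-in that only mimics the structure described in the
article (a SetLocale()/1046 gate, code assembled in a variable and passed
through Replace(), then handed to Execute); it is not the real sample.
"""
import re
from typing import Dict

# Constructed stand-in for the obfuscated first stage (not the real malware).
SAMPLE_VBS = r'''
If SetLocale() <> 1046 Then WScript.Quit
variavel = "Set x" & "ml = Cre" & "ateObject(""MSXML2.XMLHTTP"")"
variavel = Replace(variavel, "Q", "")
variavel = Replace(variavel, "ZZ", "h")
Execute variavel
'''

# Static indicators drawn from the behaviour the article describes.
INDICATORS = {
    "locale_gate": re.compile(r"SetLocale\s*\(\s*\)\s*(?:<>|=)\s*1046", re.I),
    "dynamic_exec": re.compile(r"\bExecute(?:Global)?\b", re.I),
    "replace_chain": re.compile(r"\bReplace\s*\(", re.I),
    "string_concat": re.compile(r'"\s*&\s*"'),
}


def scan_vbs(source: str) -> Dict[str, int]:
    """Count how many times each indicator occurs in a script."""
    return {name: len(rx.findall(source)) for name, rx in INDICATORS.items()}


def is_suspicious(source: str) -> bool:
    """True when a script gates on locale 1046 *and* hides code behind Execute."""
    hits = scan_vbs(source)
    return hits["locale_gate"] > 0 and hits["dynamic_exec"] > 0 and hits["replace_chain"] > 0


# VBS prologue that the manual method from the article adds by hand:
# a FileSystemObject and a text file that will receive the decoded code.
DUMP_PROLOGUE = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'Set dump = fso.CreateTextFile("{path}", True)\n'
)


def defang_for_analysis(source: str, dump_path: str = "stage1_decoded.txt") -> str:
    """Rewrite the script so Execute writes the decoded code to a file instead of running it.

    Prepends the FileSystemObject prologue and turns `Execute <var>` into
    `dump.Write <var>`. The locale gate is dropped so the script decodes on
    any locale. The patterns match the constructed sample's one-line forms;
    real samples may need adjusting (assumption). The result must still be run
    with cscript/wscript inside an isolated VM to produce the dump file.
    """
    out = re.sub(r"^\s*If\s+SetLocale\s*\(\s*\)\s*<>\s*1046\s+Then\s+WScript\.Quit\s*$",
                 "", source, flags=re.I | re.M)
    out = re.sub(r"^\s*Execute\s+(\w+)\s*$", r"dump.Write \1\ndump.Close",
                 out, flags=re.I | re.M)
    return DUMP_PROLOGUE.format(path=dump_path) + out


if __name__ == "__main__":
    print("indicators:", scan_vbs(SAMPLE_VBS))
    print("suspicious:", is_suspicious(SAMPLE_VBS))
    print(defang_for_analysis(SAMPLE_VBS))
```

The indicator counts are deliberately coarse: `Replace(` chains and `"&"` concatenation also appear in legitimate scripts, which is why `is_suspicious` requires the locale gate together with dynamic execution before flagging a file.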
The domain was registered on the 2nd of October 2017, only a few days before it was being used for malicious purposes.
The above malicious script issues a POST request that includes the parameter “c=55”. When this parameter is not present in the request (a different value is used, or a plain GET request is made), the server redirects to an image file (divulgação69.jpg), shown below, instead of serving the next malicious component.
Figure 7: divulgação69.jpg image retrieved from GET request
The picture is stored under the following location:
We can simulate this POST request without any extra tool, just by saving the following code into an “.HTML” file:
Figure 8: A small HTML code allows us to emulate the POST request and download the 2nd stage component
After opening this HTML file in our browser and pressing ENTER, we receive the next piece of code:
Figure 9: We downloaded the 2nd stage component, another encoded script
This code does not have a filename. The previous malicious script reads it directly from the server into the “xxx5” variable and executes it through the “execute” VBS function. However, here are the other IOCs that may be useful:
Now we are facing the second component: a VBS script that hides its true intention under a layer of obfuscation. This time the final content is hidden, encoded in Base64.
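The same POST can also be reproduced from a script, which is handier than the HTML form when the request has to be repeated with different parameter values. The block below is an added example, not from the article: it stands up a constructed local mock of the gating behaviour described above (c=55 returns a script body, anything else is redirected to an image), fetches against it without following redirects so the 302 is visible, and classifies the answer. The mock server, the URL path and STAGE2_BODY are assumptions used only so the exchange runs offline.

```python
"""Reproduce the gated POST exchange described in the article, both sides.

Added example, not code from the article. The server below is a constructed
mock of the described behaviour (POST with c=55 -> second stage, anything
else -> 302 to an image); it is not the real server, and STAGE2_BODY is a
placeholder, not the real second-stage script.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

STAGE2_BODY = b"' constructed placeholder for the Base64-wrapped second-stage script\n"


class GatingHandler(BaseHTTPRequestHandler):
    """Mock of the gating PHP: only a POST carrying c=55 gets the payload."""

    def do_GET(self):
        self._redirect_to_image()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if form.get("c") == ["55"]:
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(STAGE2_BODY)
        else:
            self._redirect_to_image()

    def _redirect_to_image(self):
        self.send_response(302)
        self.send_header("Location", "/divulga%C3%A7%C3%A3o69.jpg")  # percent-encoded divulgação69.jpg
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_server() -> Tuple[HTTPServer, str]:
    """Start the mock on a free localhost port; returns (server, url of campdown.php)."""
    srv = HTTPServer(("127.0.0.1", 0), GatingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/campdown.php" % srv.server_address[1]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_stage(url: str, params: Optional[dict]) -> Tuple[int, Optional[str], bytes]:
    """POST `params` (or GET when None) and return (status, Location header, body)."""
    opener = urllib.request.build_opener(NoRedirect)
    data = urllib.parse.urlencode(params).encode() if params is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:  # raised for the 302 because we refuse to follow it
        return err.code, err.headers.get("Location"), b""


def classify(status: int, location: Optional[str], body: bytes) -> str:
    """Tell the decoy redirect apart from an actual payload delivery."""
    if status in (301, 302, 303, 307) and location and location.lower().endswith((".jpg", ".png", ".gif")):
        return "decoy image"
    if status == 200 and body:
        return "second stage"
    return "unknown"


if __name__ == "__main__":
    srv, url = start_mock_server()
    for params in ({"c": "55"}, {"c": "1"}, None):
        status, loc, body = fetch_stage(url, params)
        print(params, "->", status, loc, classify(status, loc, body))
    srv.shutdown()
```

Refusing to follow redirects is the important part of the client: a default `urlopen` would quietly follow the 302, download the image and make a gated server look like it simply serves a picture.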
Figure 10: We note that this component is base64 encoded
Underneath it all lurks a malicious Chrome extension.
After decoding the BASE64 part, we find the code in charge of the download and installation of the final component: a malicious extension for Google Chrome.
We note that this is much more complex code. Again, we find code intended solely for Brazilian users:
Figure 11: Checks to ensure that it is a Brazilian system, also present in this 2nd stage component
We see how the value of “System.CountryCode” is compared, under various conditions, with 55. Country code values are based on international telephone dialling prefixes, and 55 is the prefix for Brazil.
Among other functions, this code identifies and enumerates certain system components and sends this information to the command & control panel.
Figure 12: The malware sends information about the infected system to the command & control server
In an effort to improve its success rate and stay undetected, the information gathered about the system is used, among other things, to identify certain malware analysis environments and tools. The command and control panel will not let us download the Chrome extension if any of these tools are detected.
To circumvent this mechanism, we captured the requests sent to the command and control server and removed the information about these analysis tools.
Figure 13: In this way the command & control server learns which software is installed on the infected system and, from that information, decides whether to let us download the next component.
The command and control server then redirects us to the final URL from which we can download the malicious Chrome extension:
Within this ZIP file we find the different components of the extension:
The goal of this malicious extension is to capture the information the browser sends to websites and react to certain keywords. Because it is an extension, the malicious code runs as part of the browser itself, which means it has access to any information that passes through the browser, including HTTPS traffic, bank details, passwords, etc.
Conclusion: In this case we find malware that incorporates different checks in each of its modules to ensure that only users in Brazil are infected. This targeting lets cybercriminals fine-tune their attack while avoiding early detection by public malware analysis services and sandboxes.
Don’t ever miss another threat – sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.