
Brazilian Malware Never Sleeps: Meet EmbusteBot

2017-04-17 01:45

IBM Research — Haifa Labs continually invests in the research and development of advanced malware analysis solutions that enhance IBM’s ability to quickly detect and neutralize malware as new and challenging threats arise. Our ongoing observations of the Brazilian cybercriminal landscape have revealed a perpetual rise in new malicious campaigns in this region of the world, especially those targeting online banking and payment platforms.

In one of our recent collaborations with IBM Security Trusteer researchers, we analyzed new financial malware that targets dozens of major Brazilian banks. Beyond its generic capabilities, this malware employs specific schemes for different banks and allows attackers to gain full control of a victim’s endpoint. We dubbed the malware EmbusteBot, after the Portuguese word “Embuste,” meaning a hoax or scam.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

Sample Overview

The Brazilian cybercriminal scene is known for its affinity for Delphi-based malcode, and the sample we analyzed is no exception. In this case, the malware’s authors employ a scheme where a benign executable is used to load a malicious dynamic link library (DLL) on the target endpoint to activate the payload.

The DLL is rather hefty, at 3.3 MB, because it carries a statically compiled and linked copy of the OpenSSL library, most likely used to encrypt network traffic. At the time of this writing, the malware was only detected by a small number of antivirus engines. We tested the sample and the malicious DLL on VirusTotal and observed low or generic detection in the wild (see Figure 1).


Figure 1: Detection results for EmbusteBot executable and malicious DLL on VirusTotal

One notable characteristic of this sample is the lack of code packing or encryption of potentially sensitive code paths that correspond with the malware’s malicious activity. According to X-Force, the authors did not use many anti-research techniques to make analysis harder. This oversight could be due to a lack of required competence, or the authors may have tried to make the DLL appear more legitimate for antivirus scanners without added obfuscation. The malware still performs some encryption of sensitive strings in several important parts of the DLL and time-based anti-research checks.

EmbusteBot is designed to:

  • Find out which browser window runs on a victim’s machine.
  • Find a match for the window title in a list of targeted banks and bank applications.
  • Take over a victim’s endpoint, using fake overlays in some cases.
  • Launch fraudulent transactions from the victim’s account.

EmbusteBot’s Window-Monitoring Queue

EmbusteBot’s most likely delivery path lies in malware-laden email spam. The malware’s execution on target endpoints begins with dynamic loading of a malicious DLL to find out what browser the victim uses and what’s on the active tab.

After initialization, the malware generates a search queue where it scans for specific window class names that represent targeted web browsing applications, such as Google Chrome (see Figure 2).

Figure 2: The malware scans for window classes appearing in the foreground, looking for specific class names related to web browsers.

EmbusteBot checks for window classes of the top three most popular web browsers — Internet Explorer, Google Chrome and Mozilla Firefox — to determine whether any appear on the foreground of the victim’s screen.

The malware further checks for active Windows 10 Store container windows (APPLICATIONFRAMEWINDOW class name) and active Java application windows (SUNAWTFRAME class name). When one of the required windows is found running in the foreground, the malware moves to the next step.

Obtaining Window Title in Search of Active Bank Pages

The next step involves the GetWindowText WinAPI function, which is used to obtain the text that appears as the title of the open browser window the victim is using. A string-decryption routine (decrypt_string) decrypts the bank-name strings, which are then compared with the result of GetWindowText (see Figure 3) in search of online banking sites the victim may be using.


Figure 3: EmbusteBot checks the title of a foreground window to match the names of targeted Brazilian banks.

The overall flow of events here is as follows:

  1. Get the handle of a foreground window.
  2. Get the class name of a foreground window.
  3. Compare class name with decrypted strings:
    1. IEFRAME (Internet Explorer);
    2. CHROME_WIDGETWIN_1 (Google Chrome);
    3. MOZILLAWINDOWCLASS (Mozilla Firefox);
    4. SUNAWTFRAME (Java);
    5. APPLICATIONFRAMEWINDOW (Windows 10 applications); and
    6. BUTTONCLASS, MAKROBROWSER (generic bundled Internet browsers).
  4. If the class name contains one of the substrings, jump to step five. If not, return to step one after a short pause.
  5. Get the text title of a foreground window.
  6. Compare the title with an elaborate list of decrypted strings of bank names and banking web application names.
  7. If the window title contains one of the above substrings, the malware commences its malicious activity. If none are found, it returns to step one after a short pause.
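
The two-stage gate described in steps one through seven, modelled in Python as an added example (this is an analyst's reconstruction from the article, not the malware's own code). Knowing exactly which class-name and title substrings pass the gate is what lets a sandbox operator stage decoy windows that coax the second stage into running, or explain why a detonation stayed silent. The class-name list is taken from the article; the bank-title substrings are placeholders, since the article does not reproduce the decrypted list, and the case-insensitive comparison is an assumption (the article prints the class names in upper case, while live Win32 class names such as Chrome_WidgetWin_1 are mixed case).

```python
# Added example: a model of EmbusteBot's two-stage foreground-window gate as
# described in the article, run over constructed (class name, window title)
# samples of the kind an analyst might log in a sandbox.

# Window class substrings the article lists for stage one.
TARGET_CLASS_SUBSTRINGS = (
    "IEFRAME",                 # Internet Explorer
    "CHROME_WIDGETWIN_1",      # Google Chrome
    "MOZILLAWINDOWCLASS",      # Mozilla Firefox
    "SUNAWTFRAME",             # Java AWT frames
    "APPLICATIONFRAMEWINDOW",  # Windows 10 Store container
    "BUTTONCLASS",             # generic bundled browsers
    "MAKROBROWSER",
)

# Placeholder bank-title substrings: the real decrypted list is not reproduced
# in the article, so these are constructed for the example only.
BANK_TITLE_SUBSTRINGS = (
    "BANCO EXEMPLO",
    "INTERNET BANKING EXEMPLO",
)


def class_matches(class_name: str) -> bool:
    """Stage one: substring match on the foreground window's class name.
    Case-insensitive comparison is an assumption (see lead-in)."""
    upper = class_name.upper()
    return any(needle in upper for needle in TARGET_CLASS_SUBSTRINGS)


def title_matches(title: str) -> bool:
    """Stage two: substring match of the window title against bank names."""
    upper = title.upper()
    return any(needle in upper for needle in BANK_TITLE_SUBSTRINGS)


def triage(class_name: str, title: str) -> str:
    """Report which gate a foreground window passes or fails."""
    if not class_matches(class_name):
        return "skipped: class not targeted"
    if not title_matches(title):
        return "skipped: title not a targeted bank"
    return "TRIGGER: payload would start"


# Constructed sandbox observations, not real telemetry.
SAMPLE_WINDOWS = [
    ("Chrome_WidgetWin_1", "Banco Exemplo - Internet Banking"),
    ("Notepad", "Banco Exemplo - notes.txt"),               # right title, wrong class
    ("MozillaWindowClass", "Wikipedia - Mozilla Firefox"),  # right class, wrong title
    ("ApplicationFrameWindow", "Internet Banking Exemplo"),
]


def run_triage(windows=SAMPLE_WINDOWS):
    """Apply the gate to every observed window and return (class, verdict) pairs."""
    return [(cls, triage(cls, title)) for cls, title in windows]


if __name__ == "__main__":
    for cls, verdict in run_triage():
        print(f"{cls:24} {verdict}")
```

The Notepad row is the instructive one: a bank name in the title is not enough on its own, which is why a detonation environment needs a window of a targeted class, not just a targeted title, before the second stage will show itself.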

When it comes to specific banks, the malware may check for some additional details to make sure a concrete online banking page is indeed being navigated by the victim.

Upon confirming that the victim is browsing a bank’s website and an active window was successfully matched with a target bank, EmbusteBot collects general information about the infected endpoint’s operating system (OS) and hardware environment in the following format, where XX-XX-XX-XX is the MAC address of a victim’s machine:

MACHINE_NAME;Windows X Service Pack X(version X.X, BUILD XXXX XX-bit Edition)Disabled;XX-XX-XX-XX;Disabled;0.0.4.

Next, the malware sends the information to the botmaster as a Base64-encoded string. One of the command-and-control (C&C) server URLs we found for EmbusteBot was: www[.]calculadora05[.]debitopendentes[.]com.

An additional C&C server appears to be primarily used to control the malware’s operations: www[.]20-02-2017[.]certidaonegativas[.]com.
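
A defender-side example, added here and not part of the original article or of IBM's tooling: it decodes the Base64 check-in, validates that the plaintext has the five semicolon-separated fields of the format shown above (machine name, OS string, MAC address, a flag, and a version), and flags proxy-log lines whose destination is one of the two C&C hosts named in the article. The key=value log format, the check-in plaintext and the IP addresses are constructed for the example; the meaning of the "Disabled" flag is not stated in the article, so it is carried through as an opaque string.

```python
import base64
import re

# Added example (not IBM's or the malware's code): decode and validate the
# Base64 check-in described in the article, and flag proxy-log lines whose
# destination is one of the listed C&C hosts.

# C&C hosts named in the article, written defanged exactly as the article gives them.
C2_HOSTS_DEFANGED = (
    "www[.]calculadora05[.]debitopendentes[.]com",
    "www[.]20-02-2017[.]certidaonegativas[.]com",
)


def refang(host: str) -> str:
    """Turn a defanged indicator back into a comparable hostname."""
    return host.replace("[.]", ".").lower()


C2_HOSTS = {refang(h) for h in C2_HOSTS_DEFANGED}

# Field shapes taken from the documented format string.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")
OS_RE = re.compile(r"^Windows .*\(version \d+\.\d+, BUILD \d+ \d+-bit Edition\)")


def decode_checkin(b64: str):
    """Decode a check-in and split it into the five documented fields.
    Returns None when the blob is not valid Base64 or does not fit the format."""
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    parts = raw.split(";")
    if len(parts) != 5:
        return None
    machine, os_info, mac, flag, version = parts
    if not MAC_RE.match(mac) or not OS_RE.match(os_info):
        return None
    return {"machine": machine, "os": os_info, "mac": mac, "flag": flag, "version": version}


# Constructed check-in plaintext in the article's format (not a captured sample).
SAMPLE_PLAINTEXT = (
    "DESKTOP-A1B2C3;"
    "Windows 7 Service Pack 1(version 6.1, BUILD 7601 64-bit Edition)Disabled;"
    "00-11-22-33-44-55;Disabled;0.0.4"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAINTEXT.encode()).decode()

# Constructed proxy-log lines; the key=value layout is an assumption for the example.
SAMPLE_LOG = [
    "ts=2017-04-17T01:45:00Z src=10.0.0.5 host=www.calculadora05.debitopendentes.com method=POST body=" + SAMPLE_B64,
    "ts=2017-04-17T01:46:00Z src=10.0.0.5 host=www.example.com method=GET body=",
    "ts=2017-04-17T01:47:00Z src=10.0.0.9 host=www.20-02-2017.certidaonegativas.com method=POST body=aGVsbG8=",
]

KV_RE = re.compile(r"(\w+)=(\S*)")


def scan_log(lines):
    """Return (src, host, parsed_checkin_or_None) for every line that contacts a C&C host.
    A None third element means the host matched but the body was not a recognizable check-in."""
    hits = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        if fields.get("host", "").lower() in C2_HOSTS:
            hits.append((fields.get("src"), fields["host"], decode_checkin(fields.get("body", ""))))
    return hits


if __name__ == "__main__":
    for src, host, checkin in scan_log(SAMPLE_LOG):
        print(src, host, checkin or "no parsable check-in")
```

The host match alone is enough to raise an alert; the parsed check-in adds the infected machine name and MAC address, which is what an incident responder needs to tie the network event back to a specific endpoint.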

Selective Social Engineering

In some cases, EmbusteBot further masks its suspicious activity with a fake overlay window informing victims that a protection module is being downloaded to prevent information theft, as shown in Figure 4. It attempts to gain trust by faking a Trusteer Rapport logo.

Figure 4: EmbusteBot shows a fake window that recommends downloading a protection module to the victim’s endpoint, attempting to imitate the Trusteer Rapport logo to gain trust.

Brazilian Malware: If It Ain’t Broke, Don’t Fix It

The past several years show that the Brazilian cybercriminal scene has come a long way in terms of using malware to facilitate bank fraud. Fraudsters continue to adopt various techniques to infect more potential victims. Unlike other malware of its kind, EmbusteBot is not fully generic in its activity against banks. Rather, it adds selective strategies for different bank clients while targeting the largest banks in Brazil.

IoCs of Researched Elements for EmbusteBot

Hash of executable: 6c37f672722c0f4ba744e1159035feff933ddee0e1e5a59e05f3fed53be42395

Hash of malicious DLL: c3b8dba30e7c32d88b506de4cd5ddee80fcf28a339205fc50331913ba70f6d6c

IBM Security has been helping banks identify and prevent the activity of financial malware, including the techniques described in this article, for years. To learn more about our anti-fraud solutions, please visit IBM Security.


The post Brazilian Malware Never Sleeps: Meet EmbusteBot appeared first on Security Intelligence.
