Phishing campaign uses old ".bat" script to spread banking malware - and it is flying under the radar
Last Updated: 2017-12-04 00:04:13 UTC
by Renato Marinho (Version: 1)
While hunting this week, I came across a phishing campaign spreading banking malware using an old DOS Batch script to drop it. Surprisingly enough, the “.bat” file has a VT 0/58 rating, helping cybercriminals target 9 different Brazilian banks. In today’s diary, I’ll give some details about this ongoing campaign and its indicators of compromise (IOCs).
Let’s start with the malware analysis flow in Figure 1, from the phishing e-mail to the credential theft.
Figure 1 – Malware analysis
In an attempt to hide the ".bat" script code, the contents of the file are encoded in UTF-16 with Chinese characters, as seen in Figure 2.
Figure 2 - ".bat" script with UTF-16 encoding
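A triage check for the encoding trick described above, as an added example (not code from this diary or from the sample). It assumes the obfuscation is the common one in which a UTF-16 byte-order mark is prepended to ordinary single-byte batch text, so that editors render CJK glyphs; the function name, keyword list and sample bytes are constructed for illustration.

```python
import re

BOMS = {b"\xff\xfe": "utf-16-le", b"\xfe\xff": "utf-16-be"}
# Strings worth surfacing once the text is readable (constructed list, an assumption).
KEYWORDS = re.compile(rb"(?i)\b(powershell|wscript|cscript|PROCESSOR_ARCHITECTURE)\b")


def triage_script(data: bytes) -> dict:
    """Flag a script that starts with a UTF-16 BOM but holds single-byte text."""
    bom = BOMS.get(data[:2])
    body = data[2:] if bom else data
    size = len(body) or 1
    # Genuine UTF-16 ASCII text has a NUL in every second byte; disguised text has none.
    nul_ratio = body.count(0) / size
    ascii_ratio = sum(b in (9, 10, 13) or 32 <= b < 127 for b in body) / size
    disguised = bom is not None and nul_ratio < 0.05 and ascii_ratio > 0.9
    return {
        "bom": bom,
        "disguised": disguised,
        # What a BOM-honouring editor renders, versus the bytes read one at a time.
        "editor_view": body[:16].decode(bom, "replace") if bom else None,
        "recovered": body.decode("ascii", "replace") if disguised else None,
        "keywords": sorted({m.lower().decode() for m in KEYWORDS.findall(body)}),
    }


# Constructed, harmless samples (not taken from the campaign).
DISGUISED = b"\xff\xfe\r\n@echo off\r\nif %PROCESSOR_ARCHITECTURE%==x86 (echo 32) else (echo 64)\r\n"
REAL_UTF16 = b"\xff\xfe" + "@echo off\r\necho hello\r\n".encode("utf-16-le")
PLAIN = b"@echo off\r\necho hello\r\n"

if __name__ == "__main__":
    for name, sample in (("disguised", DISGUISED), ("real utf-16", REAL_UTF16), ("plain", PLAIN)):
        result = triage_script(sample)
        print(f"{name:12} bom={result['bom']} disguised={result['disguised']} keywords={result['keywords']}")
```

A script file that carries a UTF-16 BOM but contains almost no NUL bytes is worth flagging in mail or endpoint triage regardless of what an antivirus scan reports.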
Figure 3 shows the part of the script that identifies the victim's processor architecture and downloads a ".zip" containing the other malware pieces.
Figure 3 – Batch script downloading the rest of the malware files
Next, a VBS script is created to execute a PowerShell script contained in the System.ps1.bin file, as seen in Figure 4.
Figure 4 - VBS script creation for PowerShell script execution
The objective of the PowerShell script is to inject the malicious "DLL" into a Windows process. In the malware samples I analyzed, the processes chosen for injection were "explorer.exe" and "svchost.exe".
Once running, the DLL identifies the victim's geographic location using "ip-api.com/json/", as seen in Figure 5, and subsequently checks for anti-virus and banking software installed on the victim's system.
Figure 5 – Victim Geolocation
The collected information is encoded in base64 and sent to the attackers through an HTTP connection, as can be seen in Figure 6.
Figure 6 - C&C communication
From this moment on, the malware monitors the victim’s access to 9 different Brazilian financial institutions and applies a screen overlay using fake forms. This way, the victim types into the malware's form and the information is sent to the cybercriminals.
In addition, after detailed analysis, it was possible to reverse the binary strings and discover the malware's keylogger and remote access capabilities, as seen in Figure 7.
Figure 7 – Reversing binary strings
Indicators of Compromise (IOCs)
Use the indicators listed below to prevent possible infections in your organization as well as to verify if your environment has already been compromised by this threat.