Malware Alert CHM Help Files Deliver Brazilian Banking Trojan

Solarquest (Moderator, Staff member, AV-Tester) #1
Security researchers are warning of a new spam campaign targeting Brazilian institutions whose messages carry Compiled HTML (CHM) file attachments used to deliver a banking Trojan.

Spam messages contain a malicious CHM attachment called “comprovante.chm”, wrote Rodel Mendrez, senior security researcher at Trustwave, in a technical write-up outlining the research.
....
...
...
“The use of multiple stages of infection is a typical approach for attackers to stay under the radar of AV scanners. As a matter of fact, as of this writing only 8 out of 60 AV scanners can detect it, more than a month after we discovered this sample,” Mendrez said.
 

Opcode (Level 28, Content Creator) #9
If this is a known malware, targeting a large country, how come the majority of AVs still cannot detect it? The malcoders must be modding it all the time.
Problem between static and dynamic.

Some vendors might have a good memory scanner, others might not. A memory scanner could allow normal generic signatures to detect malicious code based on patterns even if the sample was packed, after it had decrypted (unpacked) itself in memory. Although, some vendors might just refer to "memory scanning" as detecting process start-up and applying normal scanning to the image on disk for that newly starting process.

Another example would be general dynamic analysis. One vendor might intercept behavior and use this to flag as suspicious/malicious or not, whereas another vendor might not.

So when you have a well-made malware sample in the wild, especially something sensitive like targeting bank credential theft, the detection results will vary. If checksum hash detection flags a sample, one update to the sample will eradicate the detections. If generic signatures are applied to flag the sample, packing will eradicate the detections for the vendors that don't have a good memory scanner. Even if a product has a good memory scanner, a malware author might re-update the malware to exploit a vulnerability in the memory scanner (e.g. put the scanner off-guard in the wrong direction, find a way to trap the scanning, etc.).

And then you have metamorphism... which is "re-programming". So every time the malware becomes active, code execution is slightly different each time. This can be used to evade detection, sometimes very well, as long as it is implemented and handled very well. However, metamorphism can be extremely sophisticated when being done correctly, something that 99% of malware authors cannot do properly under a general scenario. It used to be quite popular with virus infections though, where the code injected into the affected documents would differ for each document/each set of documents targeted.

Oh, and then you also have instruction virtualisation when dealing with Assembly. Heaven's Gate, to execute 64-bit code from a 32-bit compiled process running on a 64-bit environment, may also evade Anti-Virus software depending on the capabilities of the currently tested product, and so on.

So there are just so many different reasons that a product may flag or not under different circumstances. It depends on the malware author's skill-set, the sample itself (what it is for, how it works) and how the security product being tested against the sample works (e.g. capabilities it has, measures it takes to do this and that, etc.).
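An added illustration of the three outcomes the post above describes (hash detection beaten by one change, a byte signature beaten by packing, the same signature recovered by a memory scan). This is not code from the thread or from any poster: the "payload", the signature string and the single-byte XOR "packer" are constructed toys, not a real sample or a real packer.

```powershell
# Constructed stand-in for a code fragment that a vendor's generic
# signature would key on. Nothing here is real malware.
$payload   = [System.Text.Encoding]::ASCII.GetBytes('...stub...; steal-bank-credentials; send-to-c2...')
$signature = [System.Text.Encoding]::ASCII.GetBytes('steal-bank-credentials')

function Get-Sha256Hex {
    # Hex SHA-256 of a byte array: the "checksum" a hash blocklist keys on.
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

function Invoke-XorPack {
    # Toy packer: single-byte XOR. Real packers are more elaborate, but the
    # effect on a plaintext byte signature is the same: the pattern is not
    # present in the file on disk. Applying it twice with the same key
    # restores the original, which stands in for "the sample unpacks itself".
    param([byte[]]$Data, [byte]$Key)
    [byte[]]($Data | ForEach-Object { $_ -bxor $Key })
}

function Test-Signature {
    # Generic byte-pattern signature: does $Needle occur anywhere in $Haystack?
    param([byte[]]$Haystack, [byte[]]$Needle)
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $hit = $true
        for ($j = 0; $j -lt $Needle.Length; $j++) {
            if ($Haystack[$i + $j] -ne $Needle[$j]) { $hit = $false; break }
        }
        if ($hit) { return $true }
    }
    return $false
}

# 1. Checksum detection. Repacking with a different key is "one update to
#    the sample": the blocklist built from v1 no longer fires on v2.
$v1 = Invoke-XorPack -Data $payload -Key 0x5A
$v2 = Invoke-XorPack -Data $payload -Key 0x5B
$blocklist = @(Get-Sha256Hex -Bytes $v1)
"v1 hash match        : $($blocklist -contains (Get-Sha256Hex -Bytes $v1))"
"v2 hash match        : $($blocklist -contains (Get-Sha256Hex -Bytes $v2))"

# 2. Generic signature against the packed file on disk: no hit, because the
#    plaintext pattern only exists after unpacking.
"v2 on-disk signature : $(Test-Signature -Haystack $v2 -Needle $signature)"

# 3. Memory scanner. Once the sample has decrypted itself (XOR with its own
#    key), the same generic signature matches the in-memory image, whatever
#    key the packer used, which is what a good memory scanner relies on.
$inMemory = Invoke-XorPack -Data $v2 -Key 0x5B
"v2 in-memory signature: $(Test-Signature -Haystack $inMemory -Needle $signature)"
```

Run it in a Full Language PowerShell session (the static type accessors used here are blocked under Constrained Language mode). The point is the contrast between the three lines of output, not the toy packer itself: a vendor that only hashes files or only scans the disk image loses the sample at step 1 or 2, while a scanner that looks at the unpacked process memory still has a usable generic signature at step 3.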
 
#10
This is what Hard_Configurator does, correct?
Yes, in recommended settings. It follows from the fact that Software Restriction Policies in default-deny settings automatically set PowerShell to Constrained Language mode.
Yet this can also be applied using a simple reg tweak. :)
Constrained Language restricts PowerShell, so for example, it cannot use advanced PowerShell commands (like New-Object Net.WebClient) to download something from the Internet. Some malware can be compiled to use PowerShell via System.Management.Automation.dll (not using powershell.exe at all), but they can be stopped by Constrained Language setting, too.
Constrained Language mode can stop most of the attack tools based on PowerShell (Metasploit, etc).
Edit.
Important for Windows 7 users who want to set PowerShell to Constrained Language mode (see point 4 in the below post):
How-to Guide - How do you secure PowerShell?
 

shmu26 (Level 60) #11
I don't have SRP enabled in hard_configurator, but I have enabled "no powershell exec". Does this accomplish the same purpose?
 
#13
No, those are different settings. The better way is using the recommended Hard_Configurator settings, and adding global whitelisting for EXE and MSI files plus whitelisting the TEMP folder in your UserProfile:
<Whitelist By Path> <Add Path*Wildcards> --> *.exe
<Whitelist By Path> <Add Path*Wildcards> --> *.msi
<Whitelist By Path> <Add Folder> --> choose the TEMP folder in your UserProfile. (...AppData\Local\Temp)
Now, you can use EXE and MSI files as usual.
This will give you Constrained Language mode, and you can also selectively block sponsors (bitsadmin.exe, powershell.exe, powershell_ise.exe, etc.). Additionally, SRP will block the user from running files with dangerous extensions (BAT, CHM, SCR, JAR, etc.).
SRP will stop the banking trojan by its dangerous file extension (CHM).
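An added read-only audit script that reports whether a machine is in the state posts #10 and #13 describe: PowerShell running in Constrained Language mode, SRP in default-deny with CHM among the designated file types, and the three whitelist entries (*.exe, *.msi, the user's TEMP folder) present. This is not code from the thread and not part of Hard_Configurator; it changes nothing. The SRP (Safer) registry layout and the `LanguageMode` property are standard, but the `__PSLockdownPolicy` environment-variable check is my assumption about which "simple reg tweak" post #10 has in mind.

```powershell
# SRP ("Safer") policy root and the system environment key (assumed location
# of the __PSLockdownPolicy tweak). Everything below only reads.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$EnvKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

function Get-SrpPathRules {
    # Path rules live under CodeIdentifiers\<level>\Paths\{GUID}, with the
    # path in ItemData. Level 0 = Disallowed, 262144 (0x40000) = Unrestricted.
    $levels = @(@{ Id = 0; Name = 'Disallowed' }, @{ Id = 262144; Name = 'Unrestricted' })
    foreach ($level in $levels) {
        $pathsKey = Join-Path $SaferRoot "$($level.Id)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            [pscustomobject]@{
                Level = $level.Name
                Path  = (Get-ItemProperty -Path $rule.PSPath).ItemData
            }
        }
    }
}

function Test-WebClientBlocked {
    # Under Constrained Language mode New-Object may only create core types,
    # so the download primitive named in post #10 fails; under Full Language
    # it succeeds. Any exception is counted as "blocked".
    try { $null = New-Object System.Net.WebClient; return $false }
    catch { return $true }
}

function Get-HardeningReport {
    $safer = if (Test-Path $SaferRoot) { Get-ItemProperty -Path $SaferRoot } else { $null }
    $rules = @(Get-SrpPathRules)
    $allow = $rules | Where-Object Level -eq 'Unrestricted' | ForEach-Object Path

    [pscustomobject]@{
        # PowerShell side: the mode this session actually runs in.
        LanguageMode        = "$($ExecutionContext.SessionState.LanguageMode)"
        WebClientBlocked    = Test-WebClientBlocked
        LockdownPolicyValue = (Get-ItemProperty -Path $EnvKey -ErrorAction SilentlyContinue).__PSLockdownPolicy
        # SRP side: DefaultLevel 0 = Disallowed (default-deny), 262144 = Unrestricted.
        SrpPresent          = ($null -ne $safer)
        SrpDefaultDeny      = ($null -ne $safer -and $safer.DefaultLevel -eq 0)
        # The designated file types list is what makes a CHM attachment count
        # as executable; CHM is in the list SRP ships with by default.
        ChmIsDesignatedType = ($null -ne $safer -and @($safer.ExecutableTypes) -contains 'CHM')
        # The three whitelist entries suggested in post #13.
        ExeWhitelisted      = ($allow -contains '*.exe')
        MsiWhitelisted      = ($allow -contains '*.msi')
        UserTempWhitelisted = [bool]($allow | Where-Object {
            $_ -like '*\AppData\Local\Temp*' -or $_ -like '%LOCALAPPDATA%\Temp*' })
        RuleCount           = $rules.Count
    }
}

Get-HardeningReport | Format-List
```

Run it from an elevated console; the Safer keys are readable without elevation, but the report is only meaningful for the account SRP actually applies to (PolicyScope decides whether local administrators are exempt). If powershell.exe itself is blocked as a sponsor, the script not starting is the configuration working, not a failure of the script. A box in the recommended state shows LanguageMode ConstrainedLanguage, WebClientBlocked True, SrpDefaultDeny True and ChmIsDesignatedType True; a box where only "no powershell exec" is set shows neither the SRP fields nor Constrained Language mode, which is the difference post #13 is pointing at.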