Malware Alert CHM Help Files Deliver Brazilian Banking Trojan

Discussion in 'Security News' started by Solarquest, Dec 20, 2017.

  1. Solarquest

    Solarquest Moderator
    Staff Member AV Tester

    Jul 22, 2014
    1,835
    14,601
    Security researchers are warning of a new spam campaign targeting Brazilian institutions that contains Compiled HTML file attachments used to deliver a banking Trojan.

    Spam messages contain a malicious CHM attachment called “comprovante.chm”, wrote Rodel Mendrez, senior security researcher at Trustwave in a technical write-up outlining the research.
    ....
    ...
    ...
    “The use of multiple stages of infection is a typical approach for attackers to stay under the radar of AV scanners. As a matter of fact, as of this writing only 8 out of 60 AV scanners can detect it more than a month after we discovered this sample,” Mendrez said.
     
    ZeroDay, Opcode, silversurfer and 7 others like this.
  2. Solarquest

    Solarquest Moderator
    Staff Member AV Tester

    Jul 22, 2014
    1,835
    14,601
  3. Faybert

    Faybert Level 10
    AV Tester

    Jan 8, 2017
    463
    1,925
    Brasil
    Windows 10
    G-Data
    It is no longer a new banking Trojan here in Brazil, we have had many cases years ago, unfortunately.
     
    Dr4ke, Opcode, shmu26 and 2 others like this.
  4. Faybert

    Faybert Level 10
    AV Tester

    Jan 8, 2017
    463
    1,925
    Brasil
    Windows 10
    G-Data
    By the chart, I believe that Emsisoft, F-Secure, eScan, G Data and Arcabit took advantage of the Bitdefender engine to detect the Banking Trojan: [image]
     
    ZeroDay, Opcode, shmu26 and 4 others like this.
  5. Sephiroth Source

    Jul 13, 2015
    46
    180
    Here in Brazil people usually click on everything that is a link, whether by email, social media, etc. I've already run HMP on a notebook from a friend and the program detected a thousand and one traces of infection ...
     
    Opcode, Faybert, shmu26 and 1 other person like this.
  6. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,265
    13,565
    Utopia
    If this is a known malware, targeting a large country, how come the majority of AVs still cannot detect it? The malcoders must be modding it all the time.
     
  7. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,099
    4,700
    business
    Poland
    Windows 10
    Microsoft
    #7 Andy Ful, Dec 21, 2017
    Last edited: Dec 21, 2017
  8. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,265
    13,565
    Utopia
    This is what Hard_Configurator does, correct?
     
  9. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,314
    Caille
    Windows 10
    Problem between static and dynamic.

    Some vendors might have a good memory scanner, others might not. A memory scanner could allow normal generic signatures to detect malicious code based on patterns even if the sample was packed, after it had decrypted (unpacked) itself in memory. Although, some vendors might just refer to "memory scanning" as detecting process start-up and applying normal scanning to the image on disk for that newly starting process.

    Another example would be general dynamic analysis. One vendor might intercept behavior and use this to flag as suspicious/malicious or not, whereas another vendor might not.

    So when you have a well-made malware sample in the wild, especially something sensitive like targeting bank credential theft, the detection results will vary. If checksum hash detection flags a sample, one update to the sample will eradicate the detections. If generic signatures are applied to flag the sample, packing will eradicate the detections for the vendors that don't have a good memory scanner. Even if a product has a good memory scanner, a malware author might re-update the malware to exploit a vulnerability in the memory scanner (e.g. put the scanner off-guard in the wrong direction, find a way to trap the scanning, etc.).

    And then you have metamorphism... which is "re-programming". So every time the malware becomes active, code execution is slightly different each time. This can be used to evade detection sometimes very well, as long as it is implemented and handled very well. However metamorphism can be extremely sophisticated when being done correctly, something that 99% of malware authors cannot do properly under a general scenario. It used to be quite popular with virus infections though, where the code injected into the affected documents would differ for each document/each set of documents targeted.

    Oh, and then you also have instruction virtualisation when dealing with Assembly. Heaven's Gate to execute 64-bit code from a 32-bit compiled process running on a 64-bit environment may also evade Anti-Virus software depending on the capabilities of the currently tested product, and so on.

    So there are just so many of different reasons that a product may flag or not under different circumstances. It depends on the malware authors skill-set, the sample itself (what it is for, how it works) and how the security product being tested against the product works (e.g. capabilities it has, measures it takes to do this and that, etc.).
     
  10. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,099
    4,700
    business
    Poland
    Windows 10
    Microsoft
    #10 Andy Ful, Dec 21, 2017
    Last edited: Dec 22, 2017
    Yes, in recommended settings. It follows from the fact that Software Restriction Policies in default-deny settings automatically set PowerShell to Constrained Language mode.
    Yet, this can be also applied using a simple reg tweak.:)
    Constrained Language restricts PowerShell, so for example, it cannot use advanced PowerShell commands (like New-Object Net.WebClient) to download something from the Internet. Some malware can be compiled to use PowerShell via System.Management.Automation.dll (not using powershell.exe at all), but they can be stopped by Constrained Language setting, too.
    Constrained Language mode can stop most of the attack tools based on PowerShell (Metasploit, etc).
    .
    Edit.
    Important for Windows 7 users who want to set PowerShell to Constrained Language mode (see point 4 in the below post):
    How-to Guide - How do you secure PowerShell?
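    An added example (not from the thread or Hard_Configurator) showing what the post describes: how to read the language mode of the running session, what "cannot use New-Object Net.WebClient" looks like in practice, and the registry-backed switch. It assumes the "simple reg tweak" referred to is the `__PSLockdownPolicy` system environment variable; that is an assumption, the post does not name it. Run in an elevated PowerShell to apply the setting; new sessions pick it up.

```powershell
# Added example, not code from the thread. Assumption: the "reg tweak" is the
# __PSLockdownPolicy machine environment variable (value 4 = ConstrainedLanguage).

function Get-PsLanguageMode {
    # Returns 'FullLanguage' or 'ConstrainedLanguage' (etc.) for the current session.
    [string]$ExecutionContext.SessionState.LanguageMode
}

function Test-WebClientCreation {
    # Shows what Constrained Language blocks: New-Object on a non-core .NET type.
    # Under ConstrainedLanguage this throws "Cannot create type. Only core types
    # are supported in this language mode."
    try {
        $null = New-Object System.Net.WebClient
        return 'allowed'
    } catch {
        return "blocked: $($_.Exception.Message)"
    }
}

function Set-ConstrainedLanguageSystemWide {
    # Writes __PSLockdownPolicy=4 to the machine environment so that sessions
    # started afterwards begin in ConstrainedLanguage. Requires elevation.
    # This is an undocumented switch and can be bypassed (e.g. by a process
    # that clears the variable before starting PowerShell), which is why the
    # thread pairs it with SRP default-deny rather than relying on it alone.
    [CmdletBinding()]
    param([switch]$Remove)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    if ($Remove) {
        Remove-ItemProperty -Path $key -Name '__PSLockdownPolicy' -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $key -Name '__PSLockdownPolicy' -Value '4' -Type String
    }
}

"Language mode : $(Get-PsLanguageMode)"
"WebClient     : $(Test-WebClientCreation)"
# Set-ConstrainedLanguageSystemWide          # apply (elevated); re-open PowerShell to see the change
# Set-ConstrainedLanguageSystemWide -Remove  # revert
```

    Note that the environment variable only affects sessions started after it is set; the session you run the script from keeps whatever mode it started with.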
     
  11. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,265
    13,565
    Utopia
    I don't have SRP enabled in hard_configurator, but I have enabled "no powershell exec". Does this accomplish the same purpose?
     
    Der.Reisende likes this.
  12. Solarquest

    Solarquest Moderator
    Staff Member AV Tester

    Jul 22, 2014
    1,835
    14,601
    In VT still only 15/59.

    The article above, like the Trustwave one below, provides good information on how and why the malware managed to stay under the radar for so long.

    CHM Badness Delivers a Banking Trojan
     
    Der.Reisende, Opcode and shmu26 like this.
  13. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,099
    4,700
    business
    Poland
    Windows 10
    Microsoft
    No, those are different settings. The better way is using recommended Hard_Configurator settings, and add global whitelisting for EXE and MSI files + whitelisting the TEMP folder in your UserProfile:
    <Whitelist By Path> <Add Path*Wildcards> --> *.exe
    <Whitelist By Path> <Add Path*Wildcards> --> *.msi
    <Whitelist By Path> <Add Folder> --> choose the TEMP folder in your UserProfile. (...AppData\Local\Temp)
    Now, you can use EXE and MSI files as usual.
    This will give you Constrained Language mode and you can also selectively block sponsors (bitsadmin.exe, powershell.exe, powershell_ise.exe, etc.). Additionally, SRP will block the user from running files with dangerous extensions (BAT, CHM, SCR, JAR, etc.).
    SRP will stop the banking trojan by dangerous file extension (CHM).
     
    Der.Reisende, shmu26 and Opcode like this.
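    An added example (not from the thread or Hard_Configurator) that reads the Software Restriction Policies settings the post relies on and reports whether a CHM attachment would fall under default-deny. It uses the standard SRP registry location under `CodeIdentifiers`; it does not model path whitelist rules, so an extension such as EXE can show as "designated" while still being allowed by the `*.exe` path rule from the post.

```powershell
# Added example, not code from the thread. Reads SRP policy state from the
# documented registry location; path/hash/certificate rules are not evaluated.

function Get-SrpStatus {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) {
        # No SRP policy has been written on this machine.
        return [pscustomobject]@{ Present = $false; DefaultLevel = $null; FileTypes = @() }
    }
    $p = Get-ItemProperty -Path $base
    # DefaultLevel: 0 = Disallowed (default-deny), 0x20000 = Basic User, 0x40000 = Unrestricted
    $level = switch ([int]$p.DefaultLevel) {
        0       { 'Disallowed' }
        131072  { 'Basic User' }
        262144  { 'Unrestricted' }
        default { "Unknown ($($p.DefaultLevel))" }
    }
    [pscustomobject]@{
        Present      = $true
        DefaultLevel = $level
        FileTypes    = @($p.FileTypes)   # REG_MULTI_SZ list of "designated file types"
    }
}

function Test-SrpBlocksExtension {
    param([Parameter(Mandatory)][string]$Extension)
    $s   = Get-SrpStatus
    $ext = $Extension.TrimStart('.').ToUpperInvariant()
    # SRP applies the default level only to designated file types, so both
    # conditions are needed: default-deny in force AND the extension listed.
    # A matching path whitelist rule (e.g. *.exe) would still allow the file.
    [bool]($s.Present -and ($s.DefaultLevel -eq 'Disallowed') -and ($s.FileTypes -contains $ext))
}

$status = Get-SrpStatus
"SRP present  : $($status.Present)"
"Default level: $($status.DefaultLevel)"
foreach ($ext in 'chm', 'bat', 'scr', 'jar', 'exe') {
    "{0,-4} under default-deny: {1}" -f $ext, (Test-SrpBlocksExtension $ext)
}
```

    CHM is in the default designated file types list, so with `DefaultLevel` set to Disallowed the attachment from the article is refused on double-click even before any AV signature exists for it, which is the point the post makes.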