Hackers Add Security Software Removal to Banload Banking Malware

silversurfer

There are two primary characteristics of the Brazilian hacking scene: a focus on Brazil, and the adaptability of the hackers. Very strict money laws make trans-border money movement difficult, ensuring that most targets remain local; and the hackers tend to move on to new targets when the current one becomes too difficult.

Hackers targeting banks are an exception -- banking malware is focused on banks and bank users, and cannot readily be moved to a different type of victim. SentinelOne has now analyzed a new development within perhaps the most prolific Brazilian banking malware, Banload, that highlights the hackers' adaptability. Unable to move to easier targets, they are seeking to make their targets easier.

Banload has been analyzed before by Cybereason (it is one of the few Brazilian malwares to spread out of Brazil, targeting other Spanish-speaking countries including Argentina, Bolivia, Chile, Venezuela and Spain). Even though it has been found elsewhere, ESET reported on April 30, 2019 that 82.9% of its detections are found within Brazil's national borders.

Brazil is the most populous country in South America, making it a rich target for bank fraud. Online banking has been increasing for several years. So, too, has the general level of cyber hygiene among the population, making successful bank fraud more difficult. To counteract this, the hackers have introduced a new component into Banload, known internally as 'FileDelete'. It is a kernel mode driver designed to remove the software drivers and executables of popular anti-malware and banking protection programs.

FileDelete is delivered via PowerShell to the local directory "C:\G DATA Security Software". It is protected by a code signing certificate under the name of M2 AGRO DESENVOLVIMENTO DE SISTEMAS LTDA, signed on March 31, 2019; and it removes software products belonging to AVG, Trusteer Rapport, Avast, and the Bradesco software "scpbrad".
It does this with an irpStack walk via IRP_MJ_SET_INFORMATION... -> FileDispositionInformation -> DeleteFile.

"While the signed driver itself does not appear to be sophisticated," says SentinelOne, "its custom implementation demonstrates that the group behind Banload continues to innovate and adopt newer tools meant for fraud operations while installed on the victim machines."
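The behaviour the post describes (a script host dropping a driver into "C:\G DATA Security Software", the driver loading under an unfamiliar signer, then security-product files disappearing) leaves a trail in ordinary endpoint telemetry. The following is an added example, not SentinelOne's or this forum's code: three small rules over constructed Sysmon-style events (Event IDs 6, 11 and 23, with Sysmon's field names), plus a sequence check for the drop-then-delete chain. The drop directory and signer name are the ones quoted in the post; the product install paths and the driver file name are assumptions.

```python
"""Detection logic for a security-software tampering driver, run over constructed
Sysmon-style events. Added example, not SentinelOne's or the forum's code."""
import ntpath

# Indicators taken from the thread text itself (compared case-insensitively).
DROP_DIR = "c:\\g data security software"
WATCHLIST_SIGNERS = {"m2 agro desenvolvimento de sistemas ltda"}

# Directory fragments for the products named in the thread. The exact install
# paths are assumptions; a real deployment would take them from inventory.
PROTECTED_FRAGMENTS = ("\\avg\\", "\\avast software\\", "\\trusteer\\", "\\scpbrad")

# Script and command hosts that should never be the author of a kernel driver file.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe"}


def _lower(value):
    return (value or "").lower()


def rule_driver_load(ev):
    """Event 6 (DriverLoad): driver from the drop directory or a watch-listed signer."""
    if ev.get("EventID") != 6:
        return None
    image = _lower(ev.get("ImageLoaded"))
    if image.startswith(DROP_DIR + "\\"):
        return "driver_loaded_from_drop_dir"
    if _lower(ev.get("Signature")) in WATCHLIST_SIGNERS:
        return "driver_signed_by_watchlisted_subject"
    return None


def rule_script_host_writes_driver(ev):
    """Event 11 (FileCreate): a script host writing a .sys file anywhere."""
    if ev.get("EventID") != 11:
        return None
    writer = ntpath.basename(_lower(ev.get("Image")))
    if writer in SCRIPT_HOSTS and _lower(ev.get("TargetFilename")).endswith(".sys"):
        return "script_host_wrote_driver"
    return None


def rule_protected_file_deleted(ev):
    """Event 23 (FileDelete): deletion inside a security product's directory."""
    if ev.get("EventID") != 23:
        return None
    target = _lower(ev.get("TargetFilename"))
    if any(frag in target for frag in PROTECTED_FRAGMENTS):
        return "security_product_file_deleted"
    return None


RULES = (rule_driver_load, rule_script_host_writes_driver, rule_protected_file_deleted)


def detect(events):
    """Run every rule over every event; return (index, rule name, path) hits."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((i, name, ev.get("TargetFilename") or ev.get("ImageLoaded")))
    return hits


def tamper_chain(events):
    """True when a suspicious driver load is followed by a protected-file deletion,
    i.e. the sequence the post describes (driver dropped, then AV files removed)."""
    driver_seen = False
    for ev in events:
        if rule_driver_load(ev):
            driver_seen = True
        elif driver_seen and rule_protected_file_deleted(ev):
            return True
    return False


# Constructed events, not a real capture. The driver file name is made up.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Windows\\System32\\wscript.exe"},
    {"EventID": 11, "Image": PS,
     "TargetFilename": "C:\\G DATA Security Software\\fdel.sys"},
    {"EventID": 6, "ImageLoaded": "C:\\G DATA Security Software\\fdel.sys",
     "Signature": "M2 AGRO DESENVOLVIMENTO DE SISTEMAS LTDA", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 23, "Image": "System",
     "TargetFilename": "C:\\Program Files\\AVG\\Antivirus\\avgsvc.exe"},
    {"EventID": 23, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\ana\\Desktop\\old.txt"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("tamper chain:", tamper_chain(SAMPLE_EVENTS))
```

The deletion rule fires only after the damage is done; the two earlier signals (a script host writing a .sys file, and a driver loading from a directory nobody installs drivers into) are the ones worth alerting on, and a "Valid" signature status is no reason to suppress them, since the post shows a validly signed driver doing the deleting.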

Andy Ful

"FileDelete is delivered via PowerShell to the local directory "C:\G DATA Security Software". It is protected by a code signing certificate under the name of M2 AGRO DESENVOLVIMENTO DE SISTEMAS LTDA, signed on March 31, 2019; "

That should be remembered when one compares malware detection tests with real-world tests.
The final malware, which can avoid antivirus detection and badly infect the system, is usually a Windows binary (EXE, DLL); the most dangerous malware can also be digitally signed. Such malware samples are often tested in the standard malware tests.

In the real-world tests, this kind of malware is usually avoided, because it cannot magically appear on the user's computer, but must first be delivered. The infection chain usually starts with a phishing email which contains a malicious attachment (document, script, link). After opening, the attachment triggers the obfuscated script or downloader command (VBS, JS, CMD, BAT, LNK, etc.), which can download an EXE or DLL binary payload. If one can stop the delivery method by blocking phishing links, disabling active content in documents, disabling scripts, blocking shortcuts, etc., then the most dangerous EXE and DLL binaries will not touch the computer at all.
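The delivery-stage blocking described in the post above (block scripts and shortcuts, strip active content from documents, never let a bare binary through) can be expressed as a small attachment triage routine. The following is an added example, not Andy Ful's or Hard_Configurator's code: it classifies an attachment by its final extension, handles double extensions such as "invoice.pdf.js", and lets the file header override the name so a renamed executable or shell link is still caught. The extension groups and the action names are assumptions; the header bytes are the documented ones for PE, OLE2 and shell-link files.

```python
"""Delivery-stage attachment triage. Added example, not the poster's own tool."""
import ntpath

# Extension groups are assumptions chosen to mirror the post's categories.
SCRIPT_EXT = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "cmd", "bat", "ps1", "hta"}
SHORTCUT_EXT = {"lnk", "url"}
BINARY_EXT = {"exe", "dll", "scr", "com", "pif", "msi"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}
DOCUMENT_EXT = {"doc", "xls", "ppt", "docx", "xlsx", "pptx", "pdf", "rtf"}
LEGACY_OLE_EXT = {"doc", "xls", "ppt"}

# Documented file headers; these decide regardless of what the name claims.
MZ_MAGIC = b"MZ"                                # DOS/PE executable
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE2 compound file (legacy Office)
LNK_MAGIC = bytes.fromhex("4c000000"            # shell link: HeaderSize 0x4C ...
                          "0114020000000000c000000000000046")  # ... + LinkCLSID


def extensions(filename):
    """All extensions in order, so 'invoice.pdf.js' -> ['pdf', 'js']."""
    return ntpath.basename(filename).lower().split(".")[1:]


def triage(filename, head):
    """Return (category, action, reason) for an attachment name and its first bytes."""
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    double = len(exts) > 1 and exts[-2] in DOCUMENT_EXT
    # Content checks first: the bytes win over the name.
    if head.startswith(MZ_MAGIC):
        return ("binary", "block", "MZ header: an executable whatever the name says")
    if head.startswith(LNK_MAGIC):
        return ("shortcut", "block", "shell link header: a .lnk whatever the name says")
    # Then the name, with the delivery-stage policy from the post.
    if last in BINARY_EXT:
        return ("binary", "block", "executable extension")
    if last in SCRIPT_EXT:
        note = " behind a document-looking name" if double else ""
        return ("script", "block", "script extension" + note)
    if last in SHORTCUT_EXT:
        return ("shortcut", "block", "shortcut extension")
    if last in MACRO_EXT:
        return ("document-macro", "strip-active-content", "macro-enabled Office format")
    if last in LEGACY_OLE_EXT and head.startswith(OLE_MAGIC):
        return ("document-legacy", "open-protected-view", "binary Office format may carry VBA")
    if last in DOCUMENT_EXT:
        return ("document", "open-protected-view", "document: active content disabled on open")
    return ("unknown", "quarantine", "type not on the allow list")


# Constructed inputs: (attachment name, first bytes of its content).
SAMPLES = [
    ("invoice.pdf.js", b"var a = 1;"),
    ("statement.pdf", b"MZ\x90\x00\x03"),
    ("photo.jpg", LNK_MAGIC + b"\x00" * 8),
    ("agenda.docx", b"PK\x03\x04"),
    ("q1.xlsm", b"PK\x03\x04"),
    ("memo.doc", OLE_MAGIC),
    ("backup.7z", b"7z\xbc\xaf\x27\x1c"),
]


def run_samples():
    """Map each sample name to the action the policy chooses for it."""
    return {name: triage(name, head)[1] for name, head in SAMPLES}


if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{name:16} -> {triage(name, head)}")
```

Note that the header checks only cover the cases where a name lies outright; a script inside an archive or an embedded object in an RTF still needs the container unpacked and rescanned, which is why anything not on the allow list ends in quarantine rather than delivery.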
