Security News Legitimate VMware Binary Abused for Banking Trojan Distribution

[silversurfer]

A recently discovered banking Trojan campaign has been abusing a legitimate VMware binary to trick security products into allowing malicious binaries to load, Cisco researchers reveal.

The campaign, the security researchers say, also attempts to remain stealthy by using multiple methods of re-direction when infecting the victims’ machines. Furthermore, the attackers use a variety of anti-analysis techniques, while also employing a final payload written in Delphi, a technique rather unique to the banking Trojan landscape.

Focusing mainly on users in Brazil, the attack starts with malicious spam emails featuring messages written in Portuguese. The attackers are also attempting to convince the victim to open a malicious HTML attachment posing as a Boleto invoice.

The HTML file contains a URL that first redirects to a goo.gl URL shortener, which in turn redirects to a RAR archive containing a JAR file with malicious code that instalsl a banking Trojan. The Java code sets up the working environment of the malware and then downloads additional files from a remote server.

The Java code renames the downloaded binaries and also executes a legitimate binary from VMware, which is even signed with a VMware digital signature, the security researchers say. By loading a legitimate binary, the attackers attempt to trick security programs into trusting the libraries it would load.

One of these libraries, however, is a malicious file named vmwarebase.dll, meant to inject and execute code in explorer.exe or notepad.exe. The banking Trojan’s main module was designed to terminate the processes of analysis tools and create an autostart registry key.

The module also gets the title of the window in the foreground of the user, thus being able to identify if any of the windows pertains to a targeted financial institution located in Brazil. The Trojan then uses web injects to trick users into revealing their login credentials.

One other binary the main module loads is packed using Themida, which makes its analysis very difficult, the security researchers say. The malware was also observed sending specific strings to the command and control server each time an action was performed on the infected system.

“Financial gain will continue to be a huge motivator for attackers and as with this sample the evolution of the malware continues to grow. Using commercial packing platforms like Themida will continue to make analysis difficult for analysts and shows that some attackers are willing to obtain these types of commercial packers in an attempt to thwart analysis,” Cisco concludes.

 

[Deleted member 65228]

1. Injecting a DLL into explorer.exe isn't stealthy at all (unless it used manual map)- regardless of the DLL name/digital signature, since when did VMWare inject a DLL into explorer.exe? Never.
2. Terminating analysis tools is not stealthy at all? That just makes you aware and start investigating why those analysis tools cannot be opened.
3. Themida is not difficult to unpack at all AFAIK (haven't encountered a Themida packed sample for awhile but I recall quick debugging with OllyDbg, dumping and then fixing IAT worked fine in the past).

Does anyone know what browsers were affected by the WebInject?

Thankfully:
1. AppGuard would have blocked injection into other processes due to the memory protection.
2. Kaspersky Application Control would have blocked the memory manipulation for injection also.
3. Emsisoft Anti-Malware would have picked up the code injection with the BB.
4. Any good Sandbox would contain it without a problem.

 

[Anker_by]

I never see this before using Delphi, very interesting....

 

[insanity]

If the html downloads a RAR archive, wouldn't you have to extract and manually execute the malicious file? If so, then you must be very naive to get infected.

 

[Solarquest]

Some good news..VT 31/64
VirusTotal

And 42/64 for the full
VirusTotal
Cisco's Talos Intelligence Group Blog: Banking Trojan Attempts To Steal Brazillion$