Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More
If you thought using BAT files was an old hat, think again. While monitoring our Secure Email Gateway Cloud service, we came across several suspect spam emails targeting Brazilian users. The figure below shows email details to trick and entice users to open the attachment.
The word "paulistano" is used for 'things that belong, or are coming from, São Paulo' thus making it more appealing to unsuspecting users.
Here is the English Translation:
Subject: Attached is São Paulo's fiscal note, N – 7632630091
Body:
Attached is the invoice of the provision of services
Regards Josa Martins
Phone (11) 99876-6625
Attachment: Nota Fiscal - Pauline City Hall.zip
The attached ZIP file holds a batch file which is intentionally UTF-16 encoded. When opened on a text editor it shows some traditional Chinese characters.
A byte order mark (BOM) of 0xFEFF is placed at the start of the file (signifies start of a Unicode text stream) that effectively hides the batch codes. However, here's how it looks in a hex-editor:
As an initial impression, the script appears to use an existing PowerShell Script written by Matthew Graeber. It is also known as the PowerSyringe, a PowerShell-based Code/DLL Injection module. The threat actors basically append some of the following code:
Decoded Base64 Links:
hxxp://panel-anonimato.cf/TMP/Dexter/Arquiteto.64.dll
Once the DLL is properly injected to svchost.exe it starts to monitor the user's activity to see if they try to access Brazilian banks. Once a user visits the online banking sites, it will overlay the screen with a fake form that enable the attackers to retrieve the user's PIN codes.
Here are the following banks and the fake forms that are used to overlay the screen:
Nota-Fiscal - Prefeitura Paulistana.bat - attached from an email
MD5: 70EA097616DFC8D4AE8B8AD4BDB1CD96
SHA1: E830EC9F194BF72740D9AB62B633E0862E18A143
Ma{username}.vbs - created by batch file
MD5: 7FDD656E476FC4AEFF19609FD14FB070
SHA1: 451515709EEE19D680A622753CB6802056ED84A5
1.ps1 - downloaded
MD5: BA0239533DD7F85CB0D1DF58FC129222
SHA1: 7366B78713808D4A23C9FC8B141D1DF1C2FB1FED
{random}.ps1.bin - encoded 1.ps1
MD5: BAFAEBF21A288826525BA0703EFC384B
SHA1: A4049F8FE337D148B25DD60AA7F1BF9E783538DD
PShellExec.exe - downloaded
MD5: B34B92270968DB55AB07633C11AD0883
SHA1: EF2AB66243F385559792ED6360D4A5C0D435C328
Arquiteto.64.dll - downloaded - for x64 machines
MD5: ED053046882301A893DDA1171D62DD50
SHA1: 0A1731A6D594C908866A9A317DE9AAA1BADD3AB1
Arquiteto.dll - downloaded - for x86 machines
MD5: E94EA2673908D605F08C6A6D666DC97E
SHA1: 836C0521DF76EDF48447CA1218DFBF3725010F51
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.