SpiderLabs Blog

Sneaky .BAT File Leads to Spoofed Banking Page

If you thought BAT files were old hat, think again. While monitoring our Secure Email Gateway Cloud service, we came across several suspect spam emails targeting Brazilian users. The figure below shows the email details used to trick and entice users into opening the attachment.


The word "paulistano" refers to things that belong to, or come from, São Paulo, which makes the lure more appealing to unsuspecting users.

Here is the English translation:

Subject: Attached is São Paulo's fiscal note, N – 7632630091

Body:

Attached is the invoice of the provision of services

Regards Josa Martins

Phone (11) 99876-6625

Attachment: Nota Fiscal - Pauline City Hall.zip

The attached ZIP file holds a batch file which is intentionally UTF-16 encoded. When opened in a text editor it shows some traditional Chinese characters.

A byte order mark (BOM) of 0xFEFF is placed at the start of the file, signalling the start of a Unicode text stream. A Unicode-aware editor then reads the ASCII batch commands two bytes at a time as UTF-16 code units, which is what produces the Chinese characters seen above and effectively hides the batch code. In a hex editor, however, the commands are plain to see:

Analyzing the batch file uncovers the following behavior:

  1. Creates a directory at C:\{random_directory_name}.
  2. Using PowerShell commands, downloads a PowerShell script and PShellExec.exe.
  3. Using PShellExec.exe, encrypts the downloaded PowerShell script, deletes the original, and runs the encrypted script.
  4. Lastly, creates a VBScript that executes the encrypted PowerShell script. For persistence it creates a symbolic link in the STARTUP folder.

Analyzing the PowerShell Script:

At first glance, the script reuses an existing PowerShell script written by Matthew Graeber, known as PowerSyringe, a PowerShell-based code/DLL injection module. The threat actors append code that does the following:

  1. Generates random characters to be used to create directories.
  2. Checks whether the OS is 32-bit or 64-bit and downloads the corresponding DLL.

    Decoded Base64 links:

    hxxp://panel-anonimato.cf/TMP/Dexter/Arquiteto.64.dll
    hxxp://panel-anonimato.cf/TMP/Dexter/Arquiteto.dll

  3. Using the PowerSyringe module, injects the DLL into svchost.exe.


Injected DLL – The MultiBanker Trojan

Once the DLL is injected into svchost.exe, it monitors the user's activity for attempts to access Brazilian banks. When the user visits one of the online banking sites, it overlays the screen with a fake form that enables the attackers to retrieve the user's PIN codes.

The targeted banks, each with a fake form used to overlay the screen, are:

  1. Banrisul
  2. Itaú Unibanco
  3. Banco do Nordeste
  4. Banco Santander
  5. Sicoob
  6. Sicredi


Indicators of Compromise:

Nota-Fiscal - Prefeitura Paulistana.bat - attached from an email
MD5: 70EA097616DFC8D4AE8B8AD4BDB1CD96
SHA1: E830EC9F194BF72740D9AB62B633E0862E18A143

Ma{username}.vbs - created by batch file
MD5: 7FDD656E476FC4AEFF19609FD14FB070
SHA1: 451515709EEE19D680A622753CB6802056ED84A5

1.ps1 - downloaded
MD5: BA0239533DD7F85CB0D1DF58FC129222
SHA1: 7366B78713808D4A23C9FC8B141D1DF1C2FB1FED

{random}.ps1.bin - encoded 1.ps1
MD5: BAFAEBF21A288826525BA0703EFC384B
SHA1: A4049F8FE337D148B25DD60AA7F1BF9E783538DD

PShellExec.exe - downloaded
MD5: B34B92270968DB55AB07633C11AD0883
SHA1: EF2AB66243F385559792ED6360D4A5C0D435C328

Arquiteto.64.dll - downloaded - for x64 machines
MD5: ED053046882301A893DDA1171D62DD50
SHA1: 0A1731A6D594C908866A9A317DE9AAA1BADD3AB1

Arquiteto.dll - downloaded - for x86 machines
MD5: E94EA2673908D605F08C6A6D666DC97E
SHA1: 836C0521DF76EDF48447CA1218DFBF3725010F51
