Cisco researchers discovered a malware campaign abusing a legitimate VMware binary to spread a banking Trojan.
The threat actor behind the campaign uses multiple methods of re-direction when infecting the victims’ machines in order to remain under the radar, it also implemented a variety of anti-analysis techniques.
The malware is written in Delphi, a novelty for the banking Trojan landscape.
The campaign mainly targeted Brazil users, the attackers used malicious spam emails featuring messages written in Portuguese that attempt to convince the victim to open a malicious HTML attachment posing as a Boleto invoice.
“Talos recently observed a new campaign specific to South America, namely Brazil. This campaign was focused on various South American banks in an attempt to steal credentials from the user to allow for illicit financial gain for the malicious actors. ” reads the analysis published by Talos Security.
“The attacker used an email written in Portuguese which makes it seemingly more legitimate for the user – receiving email in a native language gives the attackers a higher likelihood of achieving their mission objective, convincing the victim to open the malicious attachment.”
The HTML file contains a URL that first redirects to a goo.gl URL shortener, then the service performs a second redirect to an RAR archive containing a JAR file named BOLETO_09848378974093798043.jar.
If the user double clicks on the JAR file, java will execute the malicious code and will start the installation of the banking trojan.
The Java code first sets up the working environment of the malware and then downloads additional files from a remote server.
Once the binaries are downloaded by the Java code, it renames them and executes a legitimate binary from VMware (signed with a VMware digital signature) in the attempt to trick security programs into trusting the libraries it would load.
One of these libraries, however, is a malicious file named vmwarebase.dll, meant to inject and execute code in explorer.exe or notepad.exe.
” The idea behind this approach is that some security products have the following trust chain: if a first binary is trusted (vm.png in our case), the loaded libraries are automatically trusted. The loading technique can bypass some security checks.” continues the analysis.
“The purpose of the vmwarebase.dll code is to inject and execute the prs.png code in explorer.exe or in notepad.exe depending on the context of the user account.”
The main module of the banking trojan implements a lot of features, one of them is the ability to terminate the processes of analysis tools and create an autostart registry key.
The banking Trojan leverages web injects to trick users into revealing their login credentials.
One of the binaries loaded by the main module is packed using the commercial packing platform Themida to make the analysis very difficult.
Further details, including the Indicators of Compromise are available in the report published by Cisco Talos.