Banking trojan campaign uses commercial packers to target Brazilian users

Be wary of suspicious emails.

David bisson
David Bisson

Banking trojan campaign uses commercial packers to target Brazilian users

A banking trojan campaign is using commercial packing platforms to evade analysis and thereby successfully infect unsuspecting users.

Attacks begin when a user receives a spam email. The emails are written in Portuguese to improve the chances that a Brazilian user will open the message, click the HTML attachment named BOLETO_2248_.html, accept two redirects leading to a .rar file, open the archive, and double click a JAR file. These steps initiate installation of the banking trojan.

Malicious spam email sample. (Source: Cisco Talos)

Double clicking the JAR file loads up malicious code that, in turn, retrieves binaries for the banking trojan. The first binary it executes is called “vm.png.” It’s a legitimate binary signed by VMware that comes with vmwarebase.dll, a malicious dependency.

Sign up to our free newsletter.
Security news, advice, and tips.

Warren Mercer, Paul Rascagneres, and Vanja Svajcer of Cisco Talos explain the attackers crafted that binary execution chain deliberately:

“This technique has been used previously by other actors such as PlugX. The idea behind this approach is that some security products have the following trust chain: if a first binary is trusted (vm.png in our case), the loaded libraries are automatically trusted. The loading technique can bypass some security checks.”

At that point, the vmwarebase.dll code injects and executes prs.png code in explorer.exe. Doing so loads up the banking trojan’s main module, which comes with an autostart registry key and the ability to inspect the user’s window in the foreground for titles of well known financial institutions based in Brazil. The main module also executes a binary gps.png with undll32.exe, the library for which is packed using Themida.

rundll32.exe. (Source: Cisco Talos)

Mercer, Rascagneres and Svajcer are concerned by this development:

“Financial gain will continue to be a huge motivator for attackers and as with this sample the evolution of the malware continues to grow. Using commercial packing platforms like Themida will continue to make analysis difficult for analysts and shows that some attackers are willing to obtain these types of commercial packers in an attempt to thwart analysis.”

Acknowledging the ongoing threat posed by and evolution of banking trojans, users should follow security best practices to protect themselves against common digital threats. Those recommendations include exercising caution around suspicious links and email attachments, not downloading files from unfamiliar web resources, and installing an anti-virus solution on their machines.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Banking trojan campaign uses commercial packers to target Brazilian users”

  1. Mark Jacobs

    "Doing so loads up the banking trojan's main module, which comes with an autostart registry key …"

    That would be spotted by a product like MJ Registry Watcher fairly immediately!

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.