
New CHAVECLOAK Malware Hacks Windows Via Weaponized PDF File

Aug 18, 2025 · 4 min read
Threat actors have been discovered to be using a new technique for deploying the CHAVECLOAK banking trojan to target users in Brazil.

This trojan is capable of stealing sensitive information related to financial activities.

The attack starts with a malicious email carrying a PDF file; the PDF leads to a ZIP download, and DLL side-loading is then used to execute the final malware.

Command-and-control server telemetry for this malware shows that most of the traffic originates from Brazil.

Figure: Attack flow vector of CHAVECLOAK (Source: Fortinet)

CHAVECLOAK Malware Hacks Windows

According to the reports shared by Fortinet, the initial attack vector of this banking trojan involves a phishing email that mentions an attachment related to a contract that must be signed using the link in the email.

Figure: Phishing email (Source: Fortinet)

This link was generated with the free URL shortener service “Goo.su” and points to a server that serves a malicious ZIP file.

This ZIP contains an MSI file “NotafiscalGFGJKHKHGUURTURTF345.msi”.

MSI Installer

Decompressing the ZIP file yields the malicious “NotafiscalGFGJKHKHGUURTURTF345.msi”; unpacking that MSI in turn reveals the installer's contents.

The MSI installer contains multiple TXT files along with a DLL file named “Lightshot.dll”.

Figure: Contents of the MSI installer (Source: Fortinet)

Compared with the modification dates of the other files inside the MSI, this DLL carries the most recent date, indicating that it was modified recently.

Further analysis revealed that the entire configuration had been written in Portuguese.

If installed, the MSI drops these files inside the “%AppData%\Skillbrains\lightshot\5.5.0.7” folder.

The EXE file “Lightshot.exe” is dropped into the same folder; it serves as the host for DLL sideloading, so launching it causes the malicious “Lightshot.dll” to be loaded and executed.

This malicious DLL then extracts sensitive information from the compromised system.

CHAVECLOAK Banking Trojan “Lightshot.dll”

This banking trojan performs multiple operations, including gathering volume and file system information from the specified root directory.

To make the malware run automatically, a registry value is added that launches “Lightshot.exe”; through the DLL sideloading, that in turn executes the malicious DLL.

This gives the malware persistent access to the compromised system. It then sends an HTTP request to “hxxp://64[.]225[.]32[.]24/shn/inspecionando.php”, which checks the system's geolocation to confirm that the victim is located in Brazil.
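The chain described in the two sections above (a DLL loaded from a user-writable drop folder by the EXE sitting next to it, an autorun registry value pointing into that folder, and a connection to the C2 address) is the kind of pattern a SOC can detect behaviourally rather than by hash alone. The script below is an added example, not Fortinet's or CybersecurityNews' code. It runs over constructed Sysmon-style events (IDs 7, 13 and 3); the event field names and the Run-key location are assumptions, since the report only says that a registry value pointing to Lightshot.exe is created. The sideloading check is generalised to any DLL loaded from the same user-writable directory as its host EXE, which goes beyond the single folder the report names.

```python
"""Behavioural detection of the DLL-sideloading + autorun + C2 chain.

Added example, not Fortinet's or CybersecurityNews' code. Scans constructed
Sysmon-style events (ID 7 = image load, 13 = registry value set,
3 = network connection). Field names and the Run-key path are assumptions.
"""
from collections import defaultdict

DROP_DIR = r"\skillbrains\lightshot\5.5.0.7"  # drop folder named in the report (lower-cased)
C2_IP = "64.225.32.24"                          # refanged from the report's IoC list

# Constructed events: one infected host (PC-01) and one benign install (PC-02).
EVENTS = [
    {"id": 1, "host": "PC-01", "pid": 4120,
     "image": r"C:\Users\ana\AppData\Roaming\Skillbrains\lightshot\5.5.0.7\Lightshot.exe"},
    {"id": 7, "host": "PC-01", "pid": 4120,
     "image": r"C:\Users\ana\AppData\Roaming\Skillbrains\lightshot\5.5.0.7\Lightshot.exe",
     "loaded": r"C:\Users\ana\AppData\Roaming\Skillbrains\lightshot\5.5.0.7\Lightshot.dll"},
    {"id": 13, "host": "PC-01", "pid": 4120,  # autorun value; the exact key is an assumption
     "target": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\Lightshot",
     "details": r"C:\Users\ana\AppData\Roaming\Skillbrains\lightshot\5.5.0.7\Lightshot.exe"},
    {"id": 3, "host": "PC-01", "pid": 4120, "dst_ip": "64.225.32.24", "dst_port": 80},
    # Benign noise: same DLL name, but loaded from Program Files by a normal install.
    {"id": 7, "host": "PC-02", "pid": 900,
     "image": r"C:\Program Files\Skillbrains\lightshot\Lightshot.exe",
     "loaded": r"C:\Program Files\Skillbrains\lightshot\Lightshot.dll"},
]


def is_user_writable(path: str) -> bool:
    """Directories a standard user can write to; a generalisation beyond the report's folder."""
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or p.startswith("c:\\users\\public\\")


def dll_sideload_indicator(ev: dict) -> bool:
    """Image load where the DLL sits in the same user-writable directory as the EXE that loaded it."""
    if ev["id"] != 7:
        return False
    exe_dir = ev["image"].rsplit("\\", 1)[0].lower()
    dll_dir = ev["loaded"].rsplit("\\", 1)[0].lower()
    return exe_dir == dll_dir and is_user_writable(ev["loaded"])


def autorun_indicator(ev: dict) -> bool:
    """Registry value whose data is an executable located in a user-writable directory."""
    data = ev.get("details", "").lower()
    return ev["id"] == 13 and data.endswith((".exe", ".dll")) and is_user_writable(data)


def c2_indicator(ev: dict) -> bool:
    """Outbound connection to the C2 address from the report."""
    return ev["id"] == 3 and ev.get("dst_ip") == C2_IP


def known_drop_path_indicator(ev: dict) -> bool:
    """Exact drop folder from the report, matched on any path field of the event."""
    paths = [str(ev.get(k, "")) for k in ("image", "loaded", "details")]
    return any(DROP_DIR in p.lower() for p in paths)


def collect_indicators(events: list) -> dict:
    """Group indicator names per (host, pid) so the whole chain is scored as one unit."""
    findings = defaultdict(set)
    checks = {
        "dll_sideload_from_user_dir": dll_sideload_indicator,
        "autorun_to_user_dir": autorun_indicator,
        "c2_ip_contact": c2_indicator,
        "chavecloak_drop_path": known_drop_path_indicator,
    }
    for ev in events:
        for name, check in checks.items():
            if check(ev):
                findings[(ev["host"], ev["pid"])].add(name)
    return dict(findings)


def triage(events: list, min_indicators: int = 2) -> list:
    """Return (host, pid, sorted indicator names) for processes with corroborating signals."""
    return [(h, p, sorted(names)) for (h, p), names in collect_indicators(events).items()
            if len(names) >= min_indicators]


if __name__ == "__main__":
    for host, pid, names in triage(EVENTS):
        print(f"{host} pid={pid}: {', '.join(names)}")
```

Requiring two or more indicators per process keeps a lone "DLL loaded from AppData" event (common for legitimate per-user installers) from paging anyone, while the infected host in the sample trips all four.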

CHAVECLOAK performs several actions on the compromised system, such as blocking the victim's screen, logging keystrokes, and displaying deceptive pop-up windows.

The malware also monitors the victim's activity on specific financial portals, including banks and bitcoin-related sites.

Indicators Of Compromise

IP

  • 64[.]225[.]32[.]24

URLs

  • hxxps://webattach.mail.yandex.net/message_part_real/NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUUR[.]zip

  • hxxps://goo[.]su/FTD9owO

Hostnames

  • mariashow[.]ddns[.]net

  • comunidadebet20102[.]hopto[.]org

Files (SHA-256)

  • 51512659f639e2b6e492bba8f956689ac08f792057753705bf4b9273472c72c4

  • 48c9423591ec345fc70f31ba46755b5d225d78049cfb6433a3cb86b4ebb5a028

  • 4ab3024e7660892ce6e8ba2c6366193752f9c0b26beedca05c57dcb684703006

  • 131d2aa44782c8100c563cd5febf49fcb4d26952d7e6e2ef22f805664686ffff

  • 8b39baec4b955e8dfa585d54263fd84fea41a46554621ee46b769a706f6f965c

  • 634542fdd6581dd68b88b994bc2291bf41c60375b21620225a927de35b5620f9

  • 2ca1b23be99b6d46ce1bbd7ed16ea62c900802d8efff1d206bac691342678e55
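The indicators above are published defanged (hxxp, [.]), so they have to be normalised before they can be matched against telemetry. The script below is an added example, not Fortinet's or CybersecurityNews' code: it refangs the report's IoCs and checks them against a constructed proxy log, a constructed DNS log and a constructed file-hash inventory (which hash belongs to which file is not stated in the report). The C2 URL from the body of the article is included in the sample proxy log.

```python
"""Refang the report's defanged IoCs and match them against sample telemetry.

Added example, not Fortinet's or CybersecurityNews' code. IoC strings are
copied from the report; log lines and the file inventory are constructed.
"""
import re
from urllib.parse import urlparse

DEFANGED_IOCS = {
    "ip": ["64[.]225[.]32[.]24"],
    "url": [
        "hxxps://webattach.mail.yandex.net/message_part_real/"
        "NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUUR[.]zip",
        "hxxps://goo[.]su/FTD9owO",
    ],
    "hostname": ["mariashow[.]ddns[.]net", "comunidadebet20102[.]hopto[.]org"],
    "sha256": [
        "51512659f639e2b6e492bba8f956689ac08f792057753705bf4b9273472c72c4",
        "48c9423591ec345fc70f31ba46755b5d225d78049cfb6433a3cb86b4ebb5a028",
        "4ab3024e7660892ce6e8ba2c6366193752f9c0b26beedca05c57dcb684703006",
        "131d2aa44782c8100c563cd5febf49fcb4d26952d7e6e2ef22f805664686ffff",
        "8b39baec4b955e8dfa585d54263fd84fea41a46554621ee46b769a706f6f965c",
        "634542fdd6581dd68b88b994bc2291bf41c60375b21620225a927de35b5620f9",
        "2ca1b23be99b6d46ce1bbd7ed16ea62c900802d8efff1d206bac691342678e55",
    ],
}


def refang(value: str) -> str:
    """Undo the usual defanging conventions: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def build_ioc_sets(defanged: dict) -> dict:
    """Lower-cased, refanged lookup sets. Hostnames are deliberately not derived from
    the URLs: webattach.mail.yandex.net is shared mail infrastructure and a host-level
    match on it would only produce noise, so that URL is matched in full."""
    return {kind: {refang(v).lower() for v in values} for kind, values in defanged.items()}


IOCS = build_ioc_sets(DEFANGED_IOCS)

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
PROXY_LOG = [
    "2025-03-01T10:02:11Z 10.0.0.15 GET https://goo.su/FTD9owO 302",
    "2025-03-01T10:02:13Z 10.0.0.15 GET https://webattach.mail.yandex.net/message_part_real/"
    "NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUUR.zip 200",
    "2025-03-01T10:05:40Z 10.0.0.15 POST http://64.225.32.24/shn/inspecionando.php 200",
    "2025-03-01T10:06:01Z 10.0.0.22 GET https://example.org/ 200",
]
# Constructed DNS log: "<timestamp> <client> <qtype> <qname>".
DNS_LOG = [
    "2025-03-01T10:07:00Z 10.0.0.15 A mariashow.ddns.net",
    "2025-03-01T10:07:05Z 10.0.0.22 A www.example.org",
]
# Constructed endpoint inventory; the hash-to-file mapping is an assumption.
FILE_HASHES = {
    r"C:\Users\ana\AppData\Roaming\Skillbrains\lightshot\5.5.0.7\Lightshot.dll":
        "51512659f639e2b6e492bba8f956689ac08f792057753705bf4b9273472c72c4",
    r"C:\Program Files\Skillbrains\lightshot\Lightshot.dll":
        "0000000000000000000000000000000000000000000000000000000000000000",
}


def scan_proxy(lines, iocs=IOCS):
    """Full-URL match first, then host/IP match on the URL's hostname."""
    hits = []
    for line in lines:
        ts, client, _method, url, _status = line.split()
        host = (urlparse(url).hostname or "").lower()
        if url.lower() in iocs["url"]:
            hits.append((ts, client, "url", url))
        elif host in iocs["hostname"] or host in iocs["ip"]:
            hits.append((ts, client, "host", host))
    return hits


def scan_dns(lines, iocs=IOCS):
    """Exact match of the queried name against the hostname indicators."""
    hits = []
    for line in lines:
        ts, client, _qtype, qname = line.split()
        if qname.lower().rstrip(".") in iocs["hostname"]:
            hits.append((ts, client, "dns", qname))
    return hits


def scan_files(inventory, iocs=IOCS):
    """Return (path, sha256) for every inventoried file whose hash is an indicator."""
    return [(path, h) for path, h in inventory.items() if h.lower() in iocs["sha256"]]


if __name__ == "__main__":
    for hit in scan_proxy(PROXY_LOG) + scan_dns(DNS_LOG):
        print("network hit:", hit)
    for path, h in scan_files(FILE_HASHES):
        print("file hit:", path, h)
```

Matching is case-insensitive on both sides because the shortener path and the ZIP name carry mixed case, and a proxy may normalise them differently from the report.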

Source: CybersecurityNews.com
