Banking malware campaign phishing with electronic invoices

We analyze an Ousaban malware campaign that uses electronic invoices and income tax as phishing lures

By Alexandre Siviero (updated April 29) - This is an analysis of a Brazilian banking malware first seen in 2017, called Ousaban, or Javali. There is an ongoing campaign spreading this malware through phishing e-mails that pose as electronic invoices. Once established on the victim's machine, the malware lies dormant until the user accesses a payment service in the browser, such as Mercado Pago. At that point it connects to a control server to steal credentials and payment data.

Phishing with electronic invoices

In the last month we have observed an ongoing campaign of e-mails whose sender poses as a generic city hall sending electronic invoices. The phishing directs the user to an MSI installer that contains a malicious routine to infect the machine with the Brazilian banking malware Ousaban/Javali.

In this report we show how the MSI file was analyzed to identify and defuse the malicious code that downloads and executes this malware.

The campaign starts with phishing e-mails whose sender name is "Prefeitura Municipal" (City Hall). Their subjects follow the pattern "✅ Emissao de NF-e Pedido: (82234018574) Nota Fiscal Eletronica - 12/04/2022", where the order number and date vary. An example of the message content is shown in the image below.

Figure 1: phishing content

The target's name has been redacted in the screenshot, but the CPF was not: all messages allude to the CPF (Individual Taxpayer Registry) without giving any document number. The hyperlinks suggest that the invoice is available in two formats. In reality, both redirect to the same page, shown below.

Figure 2: Counterfeit Electronic Invoice page

This address starts the download of a compressed (.zip) file that contains a Windows installer (.msi) of the same name. For the specific message shown above, these are named hyh6728i0zbnnp rspehu.msi.zip and hyh6728i0zbnnp rspehu.msi.

Nothing in this content executes automatically: the campaign depends on the target voluntarily running the installer.

Scanning MSI Malware

So far our bulletins have dealt with malicious scripts or executables. A Windows installer works a bit differently. Its contents can be viewed in an unstructured way with any software that handles compressed archives. The screenshot below shows the malicious MSI being inspected with 7-Zip.

Figure 3: Installation file scanned via 7zip

The problem at this point is the lack of context for the contents of the installation file. We could continue the analysis based on the size and extension of the files it contains, but it is more fruitful to use software designed for analyzing Windows installers. For this we use a program distributed by Microsoft itself, called Orca.

Figure 4: InstallExecuteSequence table

Orca splits an installer into several tables, which in turn contain actions and conditions. In the image above we inspect the InstallExecuteSequence table (installation and execution sequence). As its name implies, it tells Windows which actions to take, and in what order, during installation. Highlighted in yellow and blue is an action with a suspicious name, sdfsdfdsfsd. To understand what this action does, we turn to another table: CustomAction.

Figure 5: CustomAction table

Again we highlight the sdfsdfdsfsd action. This time, the Target column contains a variable declaration. Copying its entire contents into an editor (Notepad++) confirms that it is obfuscated VBScript.

Deobfuscating the script

The first action of the script contained in sdfsdfdsfsd is the declaration of a variable, _$_89794564972389472398625984758798273489234987239847973423, which is referenced several times throughout the code. The image below highlights it in green to show how often it recurs:

Figure 6: Obfuscated script

This variable holds 50 hexadecimal strings, which the code references by their position. This is an extremely simple obfuscation that can be undone by replacing each position reference with the corresponding string, converted from hexadecimal to ASCII. Applying this to the image above, we get relatively simple code:

Figure 7: De-obfuscated script
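As an added example (not the script from the page, whose exact syntax is only visible in the screenshots), a small Python deobfuscator for this scheme. It assumes the array is declared as name = Array("hex", ...) and referenced as name(index); the sample script is constructed.

```python
import re

# Constructed sample in the shape the page describes (not the real script):
# one variable holding hex-encoded strings that the code references by
# position. The Array("...") declaration and name(index) reference syntax are
# assumptions; the page only shows screenshots of the real script.
SAMPLE_VBS = '''\
_$_89794564972389472398625984758798273489234987239847973423 = Array("575363726970742E", "5368656C6C", "68747470733A2F2F6578616D706C652E696E76616C69642F706179")
Set oShell = CreateObject(_$_89794564972389472398625984758798273489234987239847973423(0) & _$_89794564972389472398625984758798273489234987239847973423(1))
url = _$_89794564972389472398625984758798273489234987239847973423(2)
'''

def find_hex_array(script: str):
    """Return (variable name, hex strings, span of the declaration) for the
    first `name = Array("hex", ...)` statement in the script."""
    m = re.search(r'^[ \t]*(\S+)[ \t]*=[ \t]*Array\(([^\n]*?)\)[ \t]*$', script, re.M)
    if not m:
        raise ValueError("no Array(...) declaration found")
    return m.group(1), re.findall(r'"([0-9A-Fa-f]*)"', m.group(2)), m.span()

def deobfuscate(script: str) -> str:
    """Replace each positional reference with the decoded string literal,
    drop the declaration, and fold "a" & "b" into "ab"."""
    name, entries, (start, end) = find_hex_array(script)
    decoded = [bytes.fromhex(h).decode("latin-1") for h in entries]
    ref = re.compile(re.escape(name) + r"\((\d+)\)")
    body = script[:start] + script[end:]
    body = ref.sub(lambda m: '"' + decoded[int(m.group(1))].replace('"', '""') + '"', body)
    # Merging adjacent literals assumes no decoded string ends in a quote.
    return re.sub(r'"[ \t]*&[ \t]*"', "", body)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBS))
```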

Right away we find a new IOC, the address april140420022xx.s3.sa-east-1.amazonaws[.]com/gmtax2020. This address hosts a compressed, password-protected file, which the script saves under a random name. Another routine later on is responsible for extracting it:

Figure 8: Password-protected zip extraction routine

There are a few points of interest in the image above. Let's start with a new URL, april140420022xx.s3.sa-east-1.amazonaws[.]com/polarRIT. This is passed to the function downyJr (all these names are original to the script; maybe its author likes Iron Man), which downloads the contents of the page. The second argument passed to this function is a randomly generated string followed by the .exe extension, from which we conclude that the content at this address is an executable.

The oShell.run line reveals which executable this is, through the flags x, -o and -p: this is 7-Zip. The -p flag supplies the password for extracting a protected archive. The variable that carries this password is highlighted in green: 123456ze.

The script completes its routine by extracting the password-protected file, renaming one of its components (Isname.name) to a randomly generated executable name, and executing it. Finally, it sends a GET request to an Azure URL, secffnb.westcentralus.cloudapp.azure[.]com/gmix/samper[.]php (possibly reporting a successful infection).

Ousaban/Javali

Manually extracting the password-protected file reveals a technique meant to subvert analysis by antivirus tools and submission to cloud sandboxes: artificially inflating a file to an exaggerated size. This is apparent in EDSDK.dll, which is about 785 MB. Most of the file is filled with zeros; after removing this padding it shrinks to only 1.2 MB.

Figure 9: DLL with inflated size
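An added triage helper, written for this post and not part of the original analysis: it measures how much of a file is zero padding and trims it, on a constructed sample rather than the real EDSDK.dll.

```python
import os
import tempfile

def write_constructed_sample(content_size: int = 4096, padding_size: int = 1 << 20) -> str:
    """Constructed stand-in for an inflated DLL (not the real EDSDK.dll):
    a short non-zero byte pattern followed by a long run of zeros."""
    payload = (bytes(range(1, 256)) * (content_size // 255 + 1))[:content_size]
    fd, path = tempfile.mkstemp(suffix=".dll")
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
        f.write(b"\x00" * padding_size)
    return path

def zero_inflation_stats(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream the file (so a 785 MB sample never sits in memory) and report its
    size, the fraction of zero bytes, and where the last non-zero byte ends."""
    total = zeros = last_nonzero = 0
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            z = chunk.count(0)
            zeros += z
            if z != len(chunk):
                last_nonzero = total + len(chunk.rstrip(b"\x00"))
            total += len(chunk)
    return {"size": total,
            "zero_ratio": zeros / total if total else 0.0,
            "trimmed_size": last_nonzero}

def looks_inflated(stats: dict, min_size: int = 50 << 20, ratio: float = 0.9) -> bool:
    """Heuristic: a large file that is mostly zero padding."""
    return stats["size"] >= min_size and stats["zero_ratio"] >= ratio

def trim_zero_padding(src: str, dst: str, trimmed_size: int) -> int:
    """Copy the first trimmed_size bytes to dst (e.g. to fit a sandbox upload
    limit); returns the number of bytes written."""
    written = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while written < trimmed_size and (chunk := fin.read(min(1 << 20, trimmed_size - written))):
            fout.write(chunk)
            written += len(chunk)
    return written
```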

The Ousaban malware family (also called Boar by Kaspersky) has a tradition of protecting its malicious DLLs with absurd file sizes and executing them by DLL hijacking of legitimate, signed software. In July 2020, Kaspersky observed this behavior with what appeared to be Nvidia Display software. In this 2022 version, the group uses a program called Photo On Web:

Figure 10: Legitimate application targeted by Ousaban for DLL hijacking

Once the hijacked DLL is loaded, the compromised software starts communicating with the malware's command and control server (20.226.67.9). Interestingly, this communication is in Portuguese, as shown by the network logs we collected:

Sent to C2:

# C o n v i t R C # < # > W i n d o w s   7   P r o f e s s i o n a l < # > U S E R - P C < # > N a o < # > A m s t e r d a m   N o r t h   H o l l a n d

Received:

# S o c k e t M a i n # < # > 2 9 4 9 8 1 0 # U p l o a d F i l e # # O N - L I N E #

Sent:

# s t r P i n g O k # # R E C E B E N D O # < # > U S E R - P C

The exchange above shows the C2 issuing a file upload command (UploadFile) to the compromised machine. If this action does not complete, a warning is sent to the C2:

# s t r P i n g O k # # P L U G I N # < # > N a o # C O M P L E T O U # < # > U S E R - P C

Besides communicating with its controllers, the hijacked application also establishes persistence through the Windows registry, registering itself in HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN with an entry of the form "[RANDOM STRING].exe" -no-startup-window -win-session-start /prefetch:5.
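An added check (not from the original post) that flags Run entries carrying the argument string described above; the sample entries are constructed, and the live registry read only works on Windows.

```python
import re

# Argument string of the Run entry described above; the executable name is random.
OUSABAN_RUN_ARGS = "-no-startup-window -win-session-start /prefetch:5"

# Constructed Run entries (name -> data) for a stand-alone demonstration.
CONSTRUCTED_RUN = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "qk3jd8sl": r'"C:\Users\u\AppData\Roaming\qk3jd8sl\qk3jd8sl.exe" -no-startup-window -win-session-start /prefetch:5',
}

def parse_run_value(value: str):
    """Split Run data into (executable, arguments), handling both the quoted
    "path" args form and the unquoted path args form."""
    m = re.match(r'\s*"([^"]+)"\s*(.*)$', value) or re.match(r"\s*(\S+)\s*(.*)$", value)
    return (m.group(1), m.group(2).strip()) if m else (value.strip(), "")

def flag_run_entries(entries: dict) -> list:
    """Names of Run entries whose arguments match the Ousaban signature exactly."""
    return [name for name, data in entries.items()
            if parse_run_value(data)[1].lower() == OUSABAN_RUN_ARGS]

def read_hkcu_run() -> dict:
    """Read the live HKCU Run key on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                return entries
            entries[name] = str(data)
            i += 1

if __name__ == "__main__":
    # Falls back to the constructed entries when there is no registry to read.
    print(flag_run_entries(read_hkcu_run() or CONSTRUCTED_RUN))
```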

The UploadFile command downloads a new legitimate, signed executable, which is also targeted by DLL hijacking. We have observed this behavior with Picasa.exe (Google) and Graphic Workshop Professional (Alchemy Mindworks). As with Photo On Web, the executables are given random names and the malicious DLLs are inflated to about 780 MB.

This new application runs and lies "dormant", performing no action. When the user of the infected machine opens the browser and accesses a website targeted by the malware, the process establishes a new connection to the control server and begins communicating via HTTPS. We noticed that, when this connection is established, more data about the infected machine is sent to the controllers. An example is the string below:

Sem antivirus#strPingOk##Convite##ConvitRC#<#>#UploadFile##SocketMain##RECEBENDO#<#>#ON-LINE#
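An added example (not the authors' tooling) that parses the message framing seen in the exchanges above and in the string just shown: <#> separates fields and #WORD# marks command or status words. It assumes the spaced-out rendering of the captured strings is a wide (UTF-16LE) string displayed with NULs as spaces.

```python
import re

# Command and status words the page observed in Ousaban C2 traffic.
OUSABAN_KEYWORDS = {"PRINCIPAL", "Convite", "ConvitRC", "SocketMain", "strPingOk",
                    "UploadFile", "ON-LINE", "RECEBENDO", "PLUGIN", "COMPLETOU", "strCmd"}

# The messages quoted on this page, as they appear in the captured logs.
CAPTURED = [
    "# C o n v i t R C # < # > W i n d o w s   7   P r o f e s s i o n a l < # > U S E R - P C < # > N a o < # > A m s t e r d a m   N o r t h   H o l l a n d",
    "# S o c k e t M a i n # < # > 2 9 4 9 8 1 0 # U p l o a d F i l e # # O N - L I N E #",
    "# s t r P i n g O k # # P L U G I N # < # > N a o # C O M P L E T O U # < # > U S E R - P C",
    "Sem antivirus#strPingOk##Convite##ConvitRC#<#>#UploadFile##SocketMain##RECEBENDO#<#>#ON-LINE#",
]

def unspace(raw: str) -> str:
    """Collapse the 'c h a r' rendering of the captured strings. This example
    assumes that rendering is a wide (UTF-16LE) string shown with NULs as
    spaces, so every odd position is a NUL and the real text is raw[::2]."""
    if len(raw) > 1 and all(c == " " for c in raw[1::2]):
        return raw[::2]
    return raw

def parse_message(raw: str) -> dict:
    """Split a message into <#>-separated fields; within a field, #WORD#
    tokens are command/status words and whatever remains is data."""
    keywords, data = [], []
    for field in unspace(raw).split("<#>"):
        keywords += re.findall(r"#([^#]+)#", field)
        leftovers = re.sub(r"#[^#]*#", "\x00", field).split("\x00")
        data += [d.strip() for d in leftovers if d.strip()]
    return {"keywords": keywords, "data": data}

def ousaban_hits(messages) -> list:
    """Detection pass over a list of payload strings: (index, matched words)
    for every message that uses the protocol vocabulary."""
    hits = []
    for i, msg in enumerate(messages):
        matched = sorted(set(parse_message(msg)["keywords"]) & OUSABAN_KEYWORDS)
        if matched:
            hits.append((i, matched))
    return hits
```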

We also identified that the malware retrieves its initial settings from an address that alludes to a law firm, adsadvogados[.]com/juridico/. All configuration files in this directory (which is open to the internet) are dated April 13, 2022. An example of the contents of a configuration file is shown below:

start{
"host":"B0A091EA79EC7AEF4AE64DB5",
"port": "0000"
}end

We have not yet found all the addresses responsible for "waking up" the malware during browsing, but we have confirmed that accessing the Mercado Pago site is one way to trigger connections to the control server. Kaspersky observed this association in 2020 (in the report cited above), and our analysis shows that it persists in these 2022 samples.

We also observed a behavior that seems to occur when the control server address is unavailable. In these circumstances, Photo On Web is closed and reopened in a loop, without any connection being established to the destination controlled by the Ousaban operators. This situation repeated itself a few times during our investigation.

It is worth pointing out that when the connection to the C2 failed, no registry key was created for persistence. It is possible that this unavailability prevents the infection of the target machine from completing.

Income Tax Refund is also a lure

Another scam detected with Ousaban uses income tax as bait for inattentive victims. This case deserves extra attention because we are in the tax return period (the submission deadline is May 31, 2022), so an attack can more easily hide among legitimate communications. An example of this variant shows that the mechanics are very similar: an e-mail that looks official but reveals itself as suspicious on closer inspection, and a link that redirects to a fake website, as shown in the screenshots:

Images 1 to 3: screenshots of the income tax phishing e-mail and the fake website

Prevention

Since this scam requires the victim to click the link, there is no single measure that avoids it, but rather a set of good practices. The key is to pay attention to the signs, whether they are addresses that look suspicious and/or random, or invoices for purchases you do not remember making.

If the e-mail says the download is a PDF, for example, and what actually arrives in the downloads folder is something else, it is an attack (as in the two cases described here, where the download is a .zip archive and no invoice at all).

When in doubt, it is always better to check with an official source. It is more work, but worth it to avoid what can become a tremendous headache.

IOCs (electronic invoices)

IP Addresses

20.226.67.9 (C2)
20.231.51.105

Phishing e-mail

root@marf5.notasonlinevmbc.org
40.114.206.69

Artifacts

Compressed installer (hyh6728i0zbnnp rspehu.msi.zip):

B6BFFF299048888CECF4985E3546C7DA70EB0C33BE24456FEAC7D4BE58B1DEB2

Post-extraction installer (hyh6728i0zbnnp rspehu.msi):

9091A791B900C6B7398B38B4641EDFF93036F83A36E1244594D5ECFD664B9931

Password compressed files:

0B36DE4D494A750AA46E2C2EE60B515B30E5A86BEB9DE8142DAD54AA79361EFF
86A92468CCF83EC66FCCB5C7DDD8CC7C7CED1BA9F79DDD3515175085484E3838

Photo On Web version:

4ED66AD6E2CA374221ED660177521DC2C4DB9492A048C52410931B86A66CC837

Inflated DLL (EDSDK.dll):

0082CB5F94FA2E9E0010439A06CC022481B92DBD569DED0DDC73DBF7E8EE3507

Picasa version:

ABBF57F0882021EBCC31AA2B1C9303CA083B609E44CC8F50D387BD68F7B50634

Graphic Workshop Professional version:

A2E2DC14BE9EA407BEAFE99762F2C0193EB554135C0D8AA5249DE47403754483

Messages exchanged between malware and C2:

# P R I N C I P A L #
# C o n v i t e # # S o c k e t M a i n # < # > [NUMBER]
# C o n v i t R C # < # > [OPERATING SYSTEM] < # > [MACHINE NAME] < # > N a o < # > [CITY AND COUNTRY]
# S o c k e t M a i n # < # > [NÚMERO] # U p l o a d F i l e # # O N - L I N E #
# s t r P i n g O k # # R E C E B E N D O # < # > U S E R - P C
# s t r P i n g O k # # P L U G I N # < # > N a o # C O M P L E T O U # < # > U S E R - P C
Sem antivirus
#strPingOk#
#strCmd#

Persistence:

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

IOCs (income tax)

root@ipos6.notasfrias[.]org (20.114.251[.]33)
ip-92-205-18-61.ip[.]secureserver[.]net/.idrec/?hash=
value refund-irf.canadaeast[.]cloudapp.azure.com
hxxp://isfactorytox[.]duckdns[.]org/gg/gmptx
secffnb.westcentralus[.]cloudapp.azure.com/gamermix/play.php

Configs

abcadvogados[.]com/g/WWA
tmjdrinks[.]com/geo/drinks.txt
C2: 20[.]226[.]99.72:59613

Emulations and Analyses

https://tria.ge/220427-smn83se

References

https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

https://rvsec0n.wordpress.com/2020/02/22/msi-malware-analysis/

https://twitter.com/dodo_sec/status/1513920321707024386

https://twitter.com/ffforward

https://docs.microsoft.com/en-us/windows/win32/msi/orca-exe

https://app.any.run/tasks/77d32721-dcf5-4e79-b04d-e26b0b54a935
