If you thought using BAT files was an old hat, think again. While monitoring our Secure Email Gateway Cloud service, we came across several suspect spam emails targeting Brazilian users. The figure below shows email details to trick and entice users to open the attachment.
The word "paulistano" is used for 'things that belong, or are coming from, São Paulo' thus making it more appealing to unsuspecting users.
Here is the English Translation:
Subject: Attached is São Paulo's fiscal note, N – 7632630091
Body:
Attached is the invoice of the provision of services
Regards Josa Martins
Phone (11) 99876-6625
Attachment: Nota Fiscal - Pauline City Hall.zip
The attached ZIP file holds a batch file which is intentionally UTF-16 encoded. When opened on a text editor it shows some traditional Chinese characters.
A byte order mark (BOM) of 0xFEFF is placed at the start of the file (signifies start of a Unicode text stream) that effectively hides the batch codes. However, here's how it looks in a hex-editor:
Analyzing the batch file uncovers the following behavior:
- Initially creates a directory on C:\{random_directory_name}
- Using PowerShell commands, it downloads a PowerShell Script and the PShellExec.exe.
- By using the PShellExe.exe, it will first encrypt the downloaded PowerShell script, delete the original one and runs the encrypted script.
- Lastly, it will create a VBScript that allows for the execution of the encrypted PowerShell script. For persistence it will create a symbolic link in the STARTUP Folder.
Analyzing the PowerShell Script:
As an initial impression, the script appears to use an existing PowerShell Script written by Matthew Graeber. It is also known as the PowerSyringe, a PowerShell-based Code/DLL Injection module. The threat actors basically append some of the following code:
- Generates random characters to be used to create directories.
- Checks the OS version if 32bit or 64bit and downloads the corresponding DLL.
Decoded Base64 Links:
hxxp://panel-anonimato.cf/TMP/Dexter/Arquiteto.64.dll
hxxp://panel-anonimato.cf/TMP/Dexter/Arquiteto.dll
- Using the PowerSyringe Module, it injects the DLL to svchost.exe
Injected DLL – The MultiBanker Trojan
Once the DLL is properly injected to svchost.exe it starts to monitor the user's activity to see if they try to access Brazilian banks. Once a user visits the online banking sites, it will overlay the screen with a fake form that enable the attackers to retrieve the user's PIN codes.
Here are the following banks and the fake forms that are used to overlay the screen:
- Banrisul
- Itaú Unibanco
- Banco do Nordeste
- Banco Santander
- Sicoob
- Sicredi
Indicators of Compromise:
Nota-Fiscal - Prefeitura Paulistana.bat - attached from an email
MD5: 70EA097616DFC8D4AE8B8AD4BDB1CD96
SHA1: E830EC9F194BF72740D9AB62B633E0862E18A143
Ma{username}.vbs - created by batch file
MD5: 7FDD656E476FC4AEFF19609FD14FB070
SHA1: 451515709EEE19D680A622753CB6802056ED84A5
1.ps1 - downloaded
MD5: BA0239533DD7F85CB0D1DF58FC129222
SHA1: 7366B78713808D4A23C9FC8B141D1DF1C2FB1FED
{random}.ps1.bin - encoded 1.ps1
MD5: BAFAEBF21A288826525BA0703EFC384B
SHA1: A4049F8FE337D148B25DD60AA7F1BF9E783538DD
PShellExec.exe - downloaded
MD5: B34B92270968DB55AB07633C11AD0883
SHA1: EF2AB66243F385559792ED6360D4A5C0D435C328
Arquiteto.64.dll - downloaded - for x64 machines
MD5: ED053046882301A893DDA1171D62DD50
SHA1: 0A1731A6D594C908866A9A317DE9AAA1BADD3AB1
Arquiteto.dll - downloaded - for x86 machines
MD5: E94EA2673908D605F08C6A6D666DC97E
SHA1: 836C0521DF76EDF48447CA1218DFBF3725010F51
