Amongst the ransomware plague, banking Trojans are still alive. ElevenPaths has analyzed N40, an evolving piece of malware that is interesting mainly for the way it tries to bypass detection systems. In some ways it is a classic Brazilian banking trojan that steals credentials for several Chilean banks, but what makes it more interesting are some of the features it includes, which are not common in this kind of malware.
DLL hijacking has been known for years. Basically, a program fails to control the path from which its DLLs are loaded, so an attacker who is able to plant or replace a DLL in one of the searched locations gets arbitrary code executed when the legitimate program is launched. The problem and the technique are well known, yet not every DLL hijacking problem is equally serious: some are mitigated by the order in which the DLL search locations are consulted, by where the executable lives and by the permissions set on that directory, and so on. This malware is aware of that, and it turns the “less serious DLL hijacking problems” into an advantage for the attackers: a way to avoid detection systems and, in turn, a powerful tool for malware developers. It will probably force a lot of developers to check again how their programs load DLLs from the system, if they do not want to be used as a “malware launcher”.
|Some of the DLLs that may be used for DLL hijacking|
What makes this malware really remarkable is that it consists of two different stages.
- The downloader (first stage) downloads from a server a copy of a legitimate program that has a DLL hijacking problem. It is the original, signed, legitimate executable file, so it will not raise any alerts.
- Then it downloads the malware (second stage) into the same directory: a DLL signed with certificates sold on the black market. These certificates carry the names of “young” real British companies, but most likely they were not stolen; they were issued “borrowing” real names taken from public company information.
In this case, the malware abuses a DLL hijacking problem in VMnat.exe, a stand-alone program that ships with several VMware software packages. VMnat.exe (like many other programs) tries to load a system DLL called shfolder.dll (it specifically needs the SHGetFolderPathW function from it). It first looks for it in the directory VMnat.exe is launched from; only if it is not found there does it fall back to the system folder. The malware places both the legitimate VMnat.exe and a malicious file renamed shfolder.dll (the malware itself, signed with a certificate) in the same folder. The “first stage” malware then launches VMnat.exe, which finds the malicious shfolder.dll first and loads it into its memory. The system is now infected, but what SmartScreen perceives is that something has executed a reputable file.
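To make the search-order point of the two paragraphs above concrete, here is an added example in Python (not code from the original post, from VMware or from the N40 sample). It models the default Windows DLL search order over a constructed, in-memory file listing, shows why a shfolder.dll dropped beside VMnat.exe is picked before the copy in System32 while a KnownDLL such as kernel32.dll is not, and flags the sideloading pattern a hunter looks for: a DLL next to a signed executable that shadows a same-named system DLL under a different signer. The paths, the signer strings (“Example Ltd” stands in for the British company name on the black-market certificate) and the abbreviated KnownDLLs set are assumptions constructed for the example; real tooling would read the Authenticode signer with WinVerifyTrust or Get-AuthenticodeSignature.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Abbreviated stand-in for HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# Constructed for this example; the real list is longer. shfolder.dll is not on it, which is
# exactly why a copy placed next to the executable wins the search.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "shell32.dll", "advapi32.dll", "ole32.dll"}


@dataclass(frozen=True)
class FileEntry:
    path: str
    signer: Optional[str]  # simulated Authenticode subject; None means unsigned


def search_order(app_dir: str, system_dir: str, windows_dir: str, cwd: str,
                 path_dirs: List[str], safe_search: bool = True) -> List[str]:
    """Default Win32 DLL search order with no manifest/SxS redirection or SetDllDirectory call.

    The application directory is always first; with SafeDllSearchMode enabled (the default)
    the current working directory is searched only after the Windows directory.
    """
    order = [app_dir, system_dir, ntpath.join(windows_dir, "System"), windows_dir]
    if safe_search:
        order.append(cwd)
    else:
        order.insert(1, cwd)  # legacy order searched the CWD right after the app directory
    return order + list(path_dirs)


def resolve(dll_name: str, files: Dict[str, FileEntry], order: List[str],
            system_dir: str) -> Optional[FileEntry]:
    """Return the file the loader would pick for dll_name, or None if nothing is found."""
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        # KnownDLLs are mapped from the system directory regardless of the search path.
        return files.get(ntpath.join(system_dir, name).lower())
    for directory in order:
        hit = files.get(ntpath.join(directory, name).lower())
        if hit is not None:
            return hit
    return None


def sideload_findings(files: Dict[str, FileEntry], app_dir: str,
                      system_dir: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Flag DLLs in app_dir that shadow a System32 DLL of the same name under a different signer."""
    findings = []
    for key, entry in files.items():
        directory, name = ntpath.split(key)
        if directory != app_dir.lower() or not name.endswith(".dll"):
            continue
        shadowed = files.get(ntpath.join(system_dir, name).lower())
        if shadowed is not None and entry.signer != shadowed.signer:
            findings.append((name, entry.signer, shadowed.signer))
    return findings


# Constructed listing mirroring the case in the post: the legitimate, signed VMnat.exe dropped
# into a temp folder together with a DLL named shfolder.dll. Paths and signers are assumptions.
APP_DIR = r"C:\Users\victim\AppData\Local\Temp\vm"
SYSTEM_DIR = r"C:\Windows\System32"
WINDOWS_DIR = r"C:\Windows"
SAMPLE_FILES = [
    FileEntry(ntpath.join(APP_DIR, "VMnat.exe"), "VMware, Inc."),
    FileEntry(ntpath.join(APP_DIR, "shfolder.dll"), "Example Ltd"),          # planted second stage
    FileEntry(ntpath.join(SYSTEM_DIR, "shfolder.dll"), "Microsoft Windows"),  # the real one
    FileEntry(ntpath.join(SYSTEM_DIR, "kernel32.dll"), "Microsoft Windows"),
]
FILES = {entry.path.lower(): entry for entry in SAMPLE_FILES}
ORDER = search_order(APP_DIR, SYSTEM_DIR, WINDOWS_DIR, cwd=r"C:\Users\victim",
                     path_dirs=[r"C:\Windows", r"C:\Windows\System32\Wbem"])


def loaded_for(dll_name: str) -> Optional[FileEntry]:
    """Which file VMnat.exe would get for dll_name under the constructed listing."""
    return resolve(dll_name, FILES, ORDER, SYSTEM_DIR)


if __name__ == "__main__":
    for dll in ("shfolder.dll", "kernel32.dll"):
        hit = loaded_for(dll)
        print(f"{dll:14} -> {hit.path if hit else 'not found'} (signer: {hit.signer if hit else '-'})")
    for name, planted, original in sideload_findings(FILES, APP_DIR, SYSTEM_DIR):
        print(f"SIDELOAD? {name}: app-dir copy signed by {planted!r} shadows System32 copy by {original!r}")
```

The model deliberately leaves out manifest redirection, DLL redirection files and SetDefaultDllDirectories, all of which change the order; the point is that, absent those, the directory holding the executable is consulted first and a non-KnownDLL name found there is loaded with no further checks. The signer comparison is the cheap triage rule: a Microsoft-named DLL beside a third-party executable, signed by anyone other than Microsoft, deserves a look.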
Through this innovative move, the attacker can:
- Bypass antivirus signatures easily, although endpoint security (heuristics, hooking) cannot be bypassed as easily. Launching VMnat.exe is indeed less suspicious, and the malware gets in through a kind of “second stage” execution that is less noisy on the system.
- Get around SmartScreen. SmartScreen is based on reputation and is hard for attackers to bypass; executing a legitimate executable such as VMnat.exe, which then loads a signed DLL (the malware, in turn), makes it much harder for SmartScreen to detect.
More interesting features
This malware also uses other interesting (but previously known) techniques. It is well prepared to bypass static signatures (at least temporarily) and uses “real-time string decoding”: when launched, it keeps every string encrypted in its memory and decrypts each one only when it is strictly needed. This lets it hide its strings even when an analyst or a sandbox dumps its raw memory.
Clipboard cryptohijacking is an interesting attack vector as well. The malware continuously checks the victim’s clipboard; if a bitcoin address is detected, it quickly replaces it with this one: 1CMGiEZ7shf179HzXBq5KKWVG3BzKMKQgS. When a victim wants to make a bitcoin transfer, he or she will usually copy and paste the destination address. If it is switched “on the fly” by the malware, the attacker expects the user to trust the clipboard unwittingly and confirm a transaction to the attacker’s own wallet. This bitcoin-stealing technique is starting to become a trend. We have seen 20 bitcoins pass through this address in the past, and some of those funds have been transferred directly to another address (supposedly owned by the creators) holding 80 bitcoins. This means the attackers have plenty of resources and success.
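The swap described above is easy to reproduce and, on the defender’s side, easy to catch. The following Python is an added example, not code from the original post or from the N40 sample: it implements the attacker’s clipboard rewrite with a loose address pattern, a Base58Check validator for legacy bitcoin addresses, and a defender-side check that compares what the user copied with what the clipboard holds at paste time. The post does not say how N40 recognises an address, so the regular expression is an assumption; the user address in the scenario is the well-known genesis-block address, used only as a sample, and the replacement address is the one reported in the post.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Loose pattern for legacy Base58 addresses (P2PKH starting with 1, P2SH starting with 3).
# Assumption: the post does not describe how the malware spots an address.
BTC_ADDRESS_RE = re.compile(r"\b[13][" + B58_ALPHABET + r"]{25,34}\b")

# Replacement address reported in the post.
ATTACKER_ADDRESS = "1CMGiEZ7shf179HzXBq5KKWVG3BzKMKQgS"


def hijack_clipboard(text: str) -> str:
    """Attacker side: what one clipboard poll does, rewriting every address it sees."""
    return BTC_ADDRESS_RE.sub(ATTACKER_ADDRESS, text)


def b58check_decode(s: str) -> bytes:
    """Decode Base58Check; raises ValueError on bad characters or a bad checksum."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("character not in Base58 alphabet")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zero_bytes = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * leading_zero_bytes + body
    if len(raw) < 5:
        raise ValueError("too short")
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("checksum mismatch")
    return payload


def is_valid_legacy_address(addr: str) -> bool:
    """True for a well-formed mainnet P2PKH (version 0x00) or P2SH (version 0x05) address."""
    try:
        payload = b58check_decode(addr)
    except ValueError:
        return False
    return len(payload) == 21 and payload[0] in (0x00, 0x05)


def detect_swap(copied: str, clipboard_now: str):
    """Defender side: compare the address the user copied with what the clipboard holds now.

    Returns (original, current) when the address changed under the user, else None.
    """
    before = BTC_ADDRESS_RE.findall(copied)
    after = BTC_ADDRESS_RE.findall(clipboard_now)
    if before and before != after:
        return (before[0], after[0] if after else None)
    return None


# Constructed scenario: the genesis-block address stands in for the intended recipient.
USER_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"


def simulate_transfer() -> dict:
    """Walk through copy, malware poll and the check a wallet or agent could run before paste."""
    copied = f"send to {USER_ADDRESS}"
    clipboard = hijack_clipboard(copied)  # the malware rewrites the clipboard behind the user's back
    return {
        "clipboard": clipboard,
        "swap": detect_swap(copied, clipboard),
        "user_valid": is_valid_legacy_address(USER_ADDRESS),
    }


if __name__ == "__main__":
    result = simulate_transfer()
    print("clipboard now:", result["clipboard"])
    print("swap detected:", result["swap"])
```

Note that a checksum alone does not catch this attack: the attacker’s address is, by construction, a valid one, so the only reliable signal is that the address the user copied and the address about to be pasted differ. That is why wallets show the destination address again before signing, and why a clipboard-monitoring agent should record the value at copy time rather than validate it at paste time.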
|The wallet in the malware sends the bitcoins to this other wallet, which holds 80 bitcoins|
This malware comes from Brazil but targets most of the popular Chilean banks. It uses previously unknown weaknesses in known software to bypass some detection techniques, an interesting step forward in the way malware is executed on the victim’s computer. VMware has been alerted about this and has quickly improved its security. Yet this is not a VMware-specific problem: any other reputable program with a DLL hijacking weakness, and there are many, may be used as a “malware launcher”. This leaves a lot of room for malware makers to use legitimate, signed software as a less noisy execution technique.
It uses many other cutting-edge techniques as well, such as clipboard cryptohijacking, command-and-control communication over non-standard ports that relies on dynamic DNS, and decrypting in-memory strings only when strictly necessary. All of this makes it a very interesting piece of malware for understanding how attackers are evolving to avoid detection; it is even a step ahead of the Russian school, traditionally the more “innovative” one in the malware field.
In a nutshell: this is an interesting evolution of Brazilian malware that combines very advanced techniques (aside from the usual ones, not mentioned here, that are standard in current malware) against analysts and antivirus products with effectiveness against banks. The main points are:
- The ability to keep itself under the radar:
  - Using a previously unknown problem in popular software to get launched.
  - Not launching if “uncomfortable” software is found on the victim.
  - Analyzing the antivirus software on the victim for its own statistics.
  - Encrypting and decrypting strings in memory on the fly.
  - Using non-standard communication channels.
  - Signing its binaries.
- The ability to hinder analysis:
  - Packing the software.
  - Complex routines and obfuscated strings.
  - Leaving part of the logic on the server side.
- Attack vectors:
  - Clipboard cryptohijacking.
  - “Traditional” banking trojan.
  - “Traditional” RAT.
In the following report you may find more information about this threat in Chile and Spain, with specific IOCs.