## Demystifying banking trojans from Latin America

###### Juraj Horňák | Malware analyst
###### Jakub Souček | Malware analyst

-----

##### Before we begin …

-----

# What sets LATAM banking trojans apart?

-----

##### Characteristics

• Delphi
• Backdoor commands
• Targets Spanish- or Portuguese-speaking countries
• Abusing legitimate tools and software
• Looong distribution chains
• Multiple components

-----

##### … and also

• Payload(s) usually come in ZIP archives
• Generally unknown crypto algorithms
• One URL used to submit victim information
• Fake pop-up windows + social engineering

-----

##### Problem

• The banking trojans are very similar
• Generic detection names
  • Win32/Spy.Banker.XXXX
  • Trojan-Banker.Win32.Generic
  • Trojan:Win32/Banbra
• Analysis required to identify malware families

-----

###### Zumanek, Grandoreiro, Vadokrist, Guildma, Mispadu, Krachulka, Mekotio, Lokorrito

-----

• Binaries
• Distribution chains
• Network
• OPSEC
• Easter eggs & human error
• Similarities

-----

# Strings

-----

##### Strings useful for identifying malware families

• Synchronization object names (mutex)
• Format of web requests
  • User-Agent
  • Query arguments
• Names of commands
• Debug messages

-----

# Strings obfuscation & encryption

-----

##### String concatenation

-----

##### String tables

-----

##### Cryptographic algorithms overview

|Malware family|TripleKey|BookDecrypt|XOR_FF|KeySub|BigAlpha|Division|Known crypto algorithm|
|---|---|---|---|---|---|---|---|
|Amavaldo||||||||
|Casbaneiro||||||||
|Grandoreiro||||||||
|Guildma||||||||
|Krachulka||||||||
|Lokorrito||||||||
|Mispadu||||||||
|Numando||||||||
|Mekotio||||||||
|Vadokrist||||||||
|Zumanek||||||||

-----

# Extremely large binaries

-----

##### Overview

• Simple, yet effective
• Binary included in ZIP archive
• Compression: 350 MB -> 15 MB
• Hard to work with such files
  • Upload
  • Automated processing
• MITRE ATT&CK: Binary padding

-----

##### Bytes in overlay

• Easy to remove
• Original MZ remains intact
• Casbaneiro, Mekotio

-----

##### Bytes in overlay

• Hard to remove
• Complicated if original MZ should be kept valid
• Grandoreiro

-----

# Following the distribution chains

-----

##### Reason 1: Data

• Receiving 300+ MB large binaries? Unlikely
• Early detection -> chain is broken -> no payload information

-----

##### Reason 2: Context

• Configuration files
• Injectors
• Data passed between distribution chain stages

-----

##### Reason 3: Knowledge

• Way of execution
• Script obfuscation
• Persistence method
• Function and variable names
• Open directories
• Payload names
• Web requests format
  • User-agent
  • POST data

-----

# Do you C what I C?
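As an added example for the “Extremely large binaries” section above (not code from the talk, from ESET or from any of the malware families), the following Python script shows why overlay padding is “easy to remove” and the “original MZ remains intact”: it walks the PE section table to find where the last section’s raw data ends, treats everything past that point as overlay, measures how uniform the overlay is (padding is a run of one byte value, a real overlay such as an installer payload or an Authenticode signature is not), and cuts it off without touching headers or sections. The `build_padded_pe` helper only constructs a minimal stand-in for a padded sample so the script runs offline; it is not a real binary.

```python
import struct
from collections import Counter

# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def build_padded_pe(overlay_size: int, pad_byte: int = 0x00) -> bytes:
    """Constructed sample (assumption, not a real binary): a minimal PE32 image
    with one 0x200-byte section, followed by `overlay_size` bytes of `pad_byte`
    in the overlay. Stands in for the 350 MB padded samples from the talk."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> PE header at 0x40
    size_opt = 0xE0                                      # PE32 optional header size
    coff = struct.pack(COFF_FMT, 0x014C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)               # SizeOfHeaders
    raw_ptr, raw_size = 0x200, 0x200
    sec = struct.pack(SECTION_FMT, b".text", raw_size, 0x1000, raw_size, raw_ptr,
                      0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sec).ljust(raw_ptr, b"\x00")
    return headers + b"\xC3" * raw_size + bytes([pad_byte]) * overlay_size


def overlay_offset(data: bytes) -> int:
    """File offset where the overlay begins: the end of the last section's raw
    data (or of the headers), as the PE header itself records it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, n_sections, _, _, _, size_opt, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    size_of_headers = struct.unpack_from("<I", data, coff_off + 20 + 60)[0]
    end = size_of_headers
    sec_off = coff_off + 20 + size_opt
    for i in range(n_sections):
        fields = struct.unpack_from(SECTION_FMT, data, sec_off + i * 40)
        raw_size, raw_ptr = fields[3], fields[4]
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def padding_ratio(data: bytes) -> float:
    """Fraction of the overlay taken up by its single most common byte value.
    Close to 1.0 means padding (one byte repeated); a legitimate overlay such
    as an installer payload or a signature scores far lower."""
    overlay = data[overlay_offset(data):]
    if not overlay:
        return 0.0
    return max(Counter(overlay).values()) / len(overlay)


def strip_overlay(data: bytes) -> bytes:
    """Drop the overlay; the MZ/PE headers and every section stay untouched."""
    return data[:overlay_offset(data)]


if __name__ == "__main__":
    sample = build_padded_pe(overlay_size=4 * 1024 * 1024)
    print(f"input: {len(sample)} bytes, overlay starts at {overlay_offset(sample):#x}, "
          f"padding ratio {padding_ratio(sample):.3f}")
    stripped = strip_overlay(sample)
    print(f"output: {len(stripped)} bytes, still MZ: {stripped[:2] == b'MZ'}")
```

The same approach does not help with the “hard to remove” variant: when the padding lives inside a section, the section table describes it as valid data, so truncating the file would break the image, which is exactly why keeping the original MZ valid is complicated in that case.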
-----

##### Encrypted, hardcoded

• Key: hardcoded
• Domain: hardcoded, encrypted
• Port: hardcoded

-----

##### Embedded in a remote document (v1)

• Key: hardcoded
• Domain: encrypted, stored between “!”
• Port: hardcoded

-----

##### Embedded in a remote document (v2)

• Key: hardcoded
• Domain: encrypted, stored (“sundski”)
• Port: stored (“thedoor”)

-----

##### Embedded in a crafted website

• Key: part of data
• Domain: encrypted, stored (“”)
• Port: hardcoded

-----

##### Embedded in a legitimate website

• Key: part of data
• Domain: encrypted, stored (fake link)
• Port: hardcoded

-----

##### Generated using a fake DNS entry

• Inputs
  • Base domain (“abc.de.xyz”)
  • List of suffixes ([“1”, “2”, “3”])
  • Number (10)

1. Take base domain: abc.de.xyz
2. Modify it by suffix: abc1.de.xyz
3. Resolve it to an IP: 127.0.0.1
4. Convert to number: 0x7F000001
5. Add the number: 0x7F000001 + 0xA = 0x7F00000B
6. Convert to IP: 127.0.0.11
7. For the port, sum the octets and multiply by 7: (127 + 0 + 0 + 11) * 7 = 138 * 7 = 966

-----

# C&C communication

-----

##### C&C communication

• Clients do not ask server for commands
• They connect, stay connected and wait
• When the server sends a command, they react

-----

##### C&C communication

• Example: the Grandoreiro family
• Like a chat room
• How it works:
  • Perform handshake
  • Periodically receive commands
  • The first one is … a list of all connected victims
    • PC name
    • MAC address
    • Installed / running banking application(s)
    • Protection software (Trusteer / Warsaw GAS Tecnologia)
    • Windows version
    • Banking trojan version

-----

# OPSEC

-----

##### Open directory

• Victim information
• New versions
• Related malware
• C&C panel

-----

##### Victim information (Mekotio)

• PC name
• IP address
• Banking trojan version
• Windows version
• AV installed
• Timestamp

-----

##### New versions (Zumanek)

-----

##### Control panel (Casbaneiro)

-----

# Easter eggs

-----

##### Server-side requests checking

-----

##### Payload archives content

-----

# Human error

-----

##### Don’t forget to …

-----

##### Careful with that DGA

• Grandoreiro
• C&C domain obtained by DGA
• Input: alphabet dependent on hour of day

-----

##### Careful with that DGA

• 10:00 PM: night hours, C&C “offline”
• 03:00 AM: first phase begins, use alphabet 1
• 08:00 AM: transition, use alphabet 2
• 01:00 PM: transition, use alphabet 3
• 09:00 PM: transition… malware crashes

-----

# Similarities

Families compared: Zumanek, Grandoreiro, Vadokrist, Guildma, Mispadu, Krachulka, Mekotio, Lokorrito

• String table
• HTTP query parameters
• Crypto algorithm (BookDecrypt)
• Crypto algorithm (BigAlpha)
• Crypto algorithm (TripleKey)
• Response decryption algorithm (XOR_FF)
• Delphi downloader
• Injector technique + mutex name
• VBS downloader
• “Zipada” variable name
• “Windows Activator” downloader
• PowerShell obfuscation method
• BAT obfuscation method
• JavaScript obfuscation method
• “BAT to VBS” obfuscation method
• HTTP verb (“111SA”)
• Payload name and content (md.zip)

-----

### Jakub Souček | Juraj Horňák
###### Malware Analyst | Malware Analyst
###### jakub.soucek@eset.cz | juraj.hornak@eset.cz

-----
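As an added example for the “Generated using a fake DNS entry” slides (not code from the talk, from ESET or from any of the families), the following Python script reimplements the seven-step derivation so an analyst can reproduce the real C&C endpoint from a decoy hostname and the three inputs on the slide. Resolution is injected as a callable and backed by a constructed lookup table (`FAKE_DNS`), which is where passive-DNS data would go in practice; `socket.gethostbyname` would be the live substitute. Two details the slides do not state are marked as assumptions: the suffix is appended to the first label (as in “abc1.de.xyz”), and the 32-bit sum wraps on overflow.

```python
from ipaddress import IPv4Address
from typing import Callable, List, Optional, Tuple

# Constructed lookup table standing in for passive DNS or live resolution.
# Suffix "3" is deliberately missing so the unresolvable case is exercised.
FAKE_DNS = {
    "abc1.de.xyz": "127.0.0.1",
    "abc2.de.xyz": "10.0.0.250",
}


def apply_suffix(base_domain: str, suffix: str) -> str:
    """Step 2: append the suffix to the first label, "abc.de.xyz" + "1" ->
    "abc1.de.xyz". That the first label receives it is an assumption taken
    from the worked example on the slide."""
    first, rest = base_domain.split(".", 1)
    return f"{first}{suffix}.{rest}"


def derive_endpoint(resolved_ip: str, number: int) -> Tuple[str, int]:
    """Steps 4 to 7: IP -> 32-bit integer, add the number, back to an IP,
    port = (sum of the octets) * 7. Adding to the integer rather than to the
    last octet is what makes carries propagate across octets. The
    & 0xFFFFFFFF wrap on overflow is an assumption."""
    n = (int(IPv4Address(resolved_ip)) + number) & 0xFFFFFFFF
    cc_ip = IPv4Address(n)
    port = sum(cc_ip.packed) * 7
    return str(cc_ip), port


def derive_all(base_domain: str, suffixes: List[str], number: int,
               resolve: Callable[[str], Optional[str]]) -> List[Tuple[str, str, str, int]]:
    """Run the derivation for every suffix; hostnames that do not resolve are
    skipped, mirroring a decoy entry that has been taken down or sinkholed."""
    results = []
    for suffix in suffixes:
        host = apply_suffix(base_domain, suffix)
        ip = resolve(host)
        if ip is None:
            continue
        cc_ip, port = derive_endpoint(ip, number)
        results.append((host, ip, cc_ip, port))
    return results


if __name__ == "__main__":
    # Inputs exactly as on the slide: base domain, suffix list, number 10.
    for host, ip, cc_ip, port in derive_all("abc.de.xyz", ["1", "2", "3"], 10, FAKE_DNS.get):
        print(f"{host} -> {ip} -> {cc_ip}:{port}")
```

Because the decoy hostnames are the only thing a sample needs from the network to compute its real endpoint, resolver logs for those names are a usable detection signal, and blocking them at the resolver breaks the derivation before the C&C address is ever produced.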