{
	"id": "166c6e68-44a9-40a1-a0dc-29524b5267b7",
	"created_at": "2026-04-06T00:08:55.208183Z",
	"updated_at": "2026-04-10T03:22:11.919616Z",
	"deleted_at": null,
	"sha1_hash": "c8d7d29d72469d834d2adaa6670cfbd0be573a1f",
	"title": "Casbaneiro: Dangerous cooking with a secret ingredient",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1793085,
	"plain_text": "Casbaneiro: Dangerous cooking with a secret ingredient\r\nBy ESET Research\r\nArchived: 2026-04-05 22:32:10 UTC\r\nMost reverse engineers would agree that quite often one can learn something new on the job. However, it is not every\r\nday you learn how to cook a delicious meal while analyzing malware. This unique experience is provided by a malware\r\nfamily we discuss in this blog post – Casbaneiro.\r\nCharacteristics\r\nCasbaneiro, also known as Metamorfo, is a typical Latin American banking trojan that targets banks and\r\ncryptocurrency services in Brazil and Mexico (Figure 1). It uses the social engineering method described in the\r\nintroduction to our previous article, where fake pop-up windows are displayed. These pop-ups try to persuade potential\r\nvictims to enter sensitive information; if successful, that information is then stolen.\r\nFigure 1. Countries affected by Casbaneiro\r\nThe backdoor capabilities of this malware are typical of Latin American banking trojans. It can take screenshots and\r\nsend them to its C\u0026C server, simulate mouse and keyboard actions and capture keystrokes, download and install\r\nupdates to itself, restrict access to various websites, and download and execute other executables.\r\nCasbaneiro collects the following information about its victims:\r\nList of installed antivirus products\r\nOS version\r\nUsername\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 1 of 19\n\nComputer name\r\nWhether any of the following software is installed:\r\nDiebold Warsaw GAS Tecnologia (an application to protect access to online banking)\r\nTrusteer\r\nSeveral Latin American banking applications\r\nAlthough there seem to be at least four different variants of this malware, the core of all of them is almost identical to\r\nthe code in this GitHub repository. However, it is practically impossible to separate them from each other, mainly\r\nbecause some variants using different versioning use the same string decryption key, and the same mechanisms are\r\nused in different variants.\r\nMoreover, the differences are not important from the functionality point of view. Therefore, we will refer to all these\r\nvariants as Casbaneiro.\r\nCasbaneiro is easy to identify by its use of a huge string table, with several hundred entries. Strings are retrieved by\r\naccessing this table by index. Curiously, whenever the malware needs to obtain a string, the whole string table is\r\nconstructed in memory from stored chunks of encrypted text, the desired string is decrypted and the whole table is\r\ndiscarded again. You can see an example in Figure 2.\r\nFigure 2. Casbaneiro obtaining a string by index (0x205) and decrypting it\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 2 of 19\n\nThere are strong indicators that this malware family is closely connected to Amavaldo, which we described in our first\r\npost in this series about Latin American banking trojans. We will mention these similarities later in this article.\r\nHijacking clipboard data\r\nCasbaneiro can also try to steal victim’s cryptocurrency. It does so by monitoring the content of the clipboard and if the\r\ndata seem to be a cryptocurrency wallet, it replaces them with the attacker’s own. This technique is not new; it has\r\nbeen used by other malware in the past – even the infamous BackSwap banking trojan implemented it in its earliest\r\nstages.\r\nThe attacker’s wallet is hardcoded in the binary and we have encountered only one. By examining it, we can see\r\npayments were already made at the time of writing.\r\nFigure 3. Detail of the attacker's bitcoin wallet\r\nCryptography\r\nCasbaneiro utilizes several cryptographic algorithms, each one to protect a different type of data. We describe them in\r\nthe following sections.\r\nCommand encryption\r\nCommands received from the C\u0026C server are encrypted using AES-256. The SynCrypto Delphi library is used. The\r\nAES key is derived via SHA-256 from a password stored in the binary. It is not stored as a string but concatenated\r\nfrom separate pieces at runtime, as you can see in Figure 4.\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 3 of 19\n\nFigure 4. Constructing the password \"ze102030ca” used to derive the AES key\r\nString encryption\r\nThe algorithm used to encrypt strings, comes from this book and is used in other Latin American banking trojans as\r\nwell. Pseudocode of the decryption algorithm can be seen in Figure 5. The same key is used for all strings. Similar to\r\nthe command encryption, the key is again concatenated from parts at runtime, only this time it consists of many more\r\nparts (see Figure 6). Notice how whitespace strings are added as well, but trimmed later on, therefore having no\r\nimpact.\r\ndef decrypt_string(data_enc, key):\r\ndata_dec = str()\r\ndata_enc = unhexlify(data_enc)\r\nprev = data_enc[0]\r\nfor i, c in enumerate(data_enc[1:]):\r\nx = c ^ key[i % len(key)]\r\nif x \u003c prev:\r\nx = x + 255 - prev\r\nelse:\r\nx -= prev\r\nprev = c\r\ndata_dec += chr(x)\r\nreturn data_dec\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 4 of 19\n\nFigure 5. String decryption pseudocode\r\nFigure 6. Part of code that concatenates the string decryption key shown in Figure 5. The valid key parts are marked\r\nred. The obfuscation by whitespace strings is marked purple.\r\nPayload encryption\r\nIn some Casbaneiro campaigns, the actual banking trojan is encrypted and associated with an injector. The algorithm\r\nused to decrypt the main payload binary in such cases is exactly the same as the Amavaldo injector uses. Pseudocode is\r\nfound in Figure 7.\r\nRemote configuration data encryption\r\nFinally, a fourth algorithm is used to decrypt configuration data not stored in the binary file but obtained remotely. We\r\nprovide examples of such situations below.\r\nYou can clearly see in Figures 7 and 8 that this and the payload decryption algorithms are almost identical, only one\r\nuses plaintext and the other one ciphertext to update the key. We strongly suspect that the author rewrote the code by\r\nhand from the same source and made a mistake in one of the cases.\r\ndef decrypt_payload(data_enc, key1, key2, key3):\r\ndata_dec = str()\r\nfor c in data_enc:\r\nx = data_enc[i] ^ (k3 \u003e\u003e 8) \u0026 0xFF\r\ndata_dec += chr(x)\r\nkey3 = ((x + key3) \u0026 0xFF) * key1 + key2\r\nreturn data_dec\r\nFigure 7. Payload decryption algorithm\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 5 of 19\n\ndef decrypt_remote_data(data_enc, key1, key2, key3):\r\ndata_dec = str()\r\nfor c in data_enc:\r\nx = data_enc[i] ^ (k3 \u003e\u003e 8) \u0026 0xFF\r\ndata_dec += chr(x)\r\nkey3 = ((data_enc[i] + key3) \u0026 0xFFFF) * key1 + key2\r\nreturn data_dec\r\nFigure 8. Remote data decryption algorithm\r\nDistribution\r\nWe believe that a malicious email is usually at the beginning of Casbaneiro distribution chains. Some campaigns were\r\ndescribed by FireEye, Cisco and enSilo. If you have read our previous article, you may notice that the campaign\r\ndescribed by Cisco uses a PowerShell script very similar to the one utilized by Amavaldo. Even though some parts\r\ndiffer, both scripts clearly come from a common source and use the same obfuscation methods.\r\nWhile writing this article, we noticed a new campaign using a similar technique to the one described by enSilo, with\r\nonly a few changes. The Avast executable is no longer abused and the main payload, jesus.dmp, is no longer encrypted\r\nand therefore not associated with an injector. Finally, the installation folder has been changed to\r\n%APPDATA%\\Sun\\Javar\\%RANDOM%\\. Since this most recent Casbaneiro campaign uses the bit.ly URL shortener,\r\nwe can learn more about it from Figure 9.\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 6 of 19\n\nFigure 9. bit.ly statistics for the latest Casbaneiro campaign\r\nBesides that, we identified two other, earlier campaigns during our research.\r\nCampaign 1: Fishy financial manager update\r\nIn this campaign, the victim is persuaded to download and install what may seem to be a legitimate update of financial\r\nsoftware (see Figure 10). Instead of that, the installer:\r\ndownloads an archive containing:\r\nCasbaneiro masquerading as Spotify.exe\r\nother legitimate DLLs\r\nextracts the content of the archive to %APPDATA%\\Spotify\\\r\nsets up persistence using\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, Spotify = %APPDATA%\\Spotify\\Spotify.exe\r\nWe have also encountered cases where the payload masquerades as OneDrive or WhatsApp. In those cases, the name\r\nof the folder is changed accordingly.\r\nFigure 10. Fake update installer. (Translation: Title: Wait.. Updating Financial Manager [BB]. Text: Please wait for\r\nWindows configuration to be done.. Updating Financial Manager [BB]. Gathering necessary information.)\r\nCampaign 2: What’s cooking? A fowl Windows activator\r\nThis campaign is very similar to the one described by enSilo; it uses an MSI installer with an embedded JavaScript\r\ndownloader. Only this time, the installer comes bundled together with the Re‑Loader cracking tool allowing unofficial\r\nactivation of Windows or Microsoft Office. When executed, Casbaneiro is secretly downloaded and executed first,\r\nfollowed by Re‑Loader.\r\nThe attacker used this approach when the expected software is actually installed together with the malware. This\r\nmethod is not very common for Latin American banking trojans. It is more dangerous to the intended victims, because\r\nit may give them less reason to suspect anything has gone wrong.\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 7 of 19\n\nFigure 11. The Re-Loader cracking tool installed together with Casbaneiro\r\nDo you C what I C?\r\nThe operators have gone to great lengths to hide the actual C\u0026C server domain and port, and it is one of the most\r\ninteresting Casbaneiro features. Let’s explore where the C\u0026C servers have been hidden…\r\n1) Stored encrypted in the binary\r\nEncryption is definitely the simplest method to hide the C\u0026C server. The domain is encrypted with a hardcoded key\r\nand the port is just hardcoded. We have encountered cases where the port has been stored in the data section, in the\r\nDelphi form data, or randomly chosen from a range.\r\n2) Embedded in a document\r\nA more advanced method is to store the data somewhere online, in this case on Google Docs. One way Casbaneiro uses\r\nthis method can be seen in Figure 12, where the document is full of junk text. The encrypted domain is hexadecimal\r\nencoded and then stored between “!” delimiters. The encryption used is that used for all other strings, and the port is\r\nhardcoded in the binary.\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 8 of 19\n\nFigure 12. C\u0026C server domain (highlighted red) encrypted and hexadecimal encoded, hidden inside an online\r\ndocument\r\nAnother way this method is used involves multiple delimiters. An example can be seen in Figure 13, where different\r\ndelimiters are used for the C\u0026C port, C\u0026C domain and the URL used to submit victim information. Initially, this\r\nmethod was used to store only the port; the other configuration data were added in later variants.\r\nFigure 13. C\u0026C server port (“thedoor”), domain (“sundski”) and the victim information submission URL (“contict”)\r\nencrypted and stored in an online document\r\n3) Embedded in a crafted website\r\nIn this approach, the operators set up a fake website (Figure 14) mimicking this legitimate one showing the current\r\ntime in Brazil. The real C\u0026C domain is hidden inside the web page’s metadata, as can be seen in Figure 15, and the\r\nport is hardcoded in the binary. We have encountered at least three such identical websites with different URLs.\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 9 of 19\n\nFigure 14. Website created by the attacker mimicking a legitimate one. (Partial translation: Brazilian time schedule.\r\nSet your watch with time schedule in Brazil, Brazil’s official time.)\r\nFigure 15. Comparison of metadata of the legitimate (left) and fake (right) websites. The google-site-verification tag\r\nholds the encrypted C\u0026C domain.\r\nAn important difference from the previous method is that the data are encrypted in a different way than all other\r\nstrings, using the algorithm to decrypt remote configuration data described earlier. The three keys required are the first\r\n12 bytes of the string, each taking 4 bytes.\r\n4) Embedded in a legitimate website\r\nIf you have been wondering where the title of this blog post comes from, this section is for you!\r\nCasbaneiro started to abuse YouTube to store its C\u0026C server domains. We have identified two different accounts used\r\nfor this by the threat actor – one focused on cooking recipes and the other one on soccer.\r\nSo where is the C\u0026C server hidden? Each video on these channels contains a description. At the end of this\r\ndescription, there is a link to a bogus Facebook or Instagram URL (see Figure 17). The C\u0026C server domain is stored in\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 10 of 19\n\nthis link, using the same encryption scheme as in the previous case – the key is stored at the beginning of the encrypted\r\ndata. The port is, once again, hardcoded in the binary.\r\nFigure 16. One of the YouTube channels used by the attacker\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 11 of 19\n\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 12 of 19\n\nFigure 17. Description of one of the videos the attacker posted. At the bottom, the encrypted C\u0026C domain is embedded\r\nin a bogus Facebook link (red).\r\nWhat makes this technique dangerous is that it does not raise much suspicion without context. Connecting to YouTube\r\nis not considered unusual and even if the video is examined, the link at the end of the video description may easily go\r\nunnoticed.\r\n5) Generated using a fake DNS entry\r\nThe general idea of this method is to register a domain and associate it with a fake IP address so that the real IP address\r\ncan be derived from it. The algorithm uses three input values:\r\n1. A base domain (B) - a domain used to derive other domains\r\n2. A list of suffixes (LS) - a list of strings that will be used to derive other domains from the base domain B\r\n3. A number (N) - a number used to transform a fake IP address to the real one\r\nA different base domain is used for C\u0026C domain and port. We provide pseudocode in Figure 18. The basic logic of the\r\nalgorithm is:\r\n1. Generate a domain from the base domain B and resolve it to a fake IP address (FIP)\r\n2. Add a number N to the fake IP address FIP to get the real IP address\r\n3. To get the port, sum the octets of the real IP address and multiply by 7\r\ndef get_real_ip(base_domain, suffix, n):\r\nitems = base_domain.split(\".\", 1)\r\nitems[0] += suffix\r\ngenerated_domain = '.'.join(items)\r\nif is_registered(generated_domain):\r\nfake_ip = resolve(generated_domain)\r\nreturn fake_ip + n\r\nelse:\r\nreturn 0\r\ndef get_real_domain(base_domain, strings_list, n):\r\n# First, try to resolve the base domain without suffix\r\nreal_ip = get_real_ip(base_domain, \"\", n)\r\nif not real_ip:\r\n# If that fails, try the suffixes one by one\r\nfor suffix in string_list:\r\nreal_ip = get_real_ip(base_domain, suffix, n)\r\nif real_ip:\r\nbreak\r\nreturn real_ip\r\ndef get_real_port(base_domain, strings_list, n):\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 13 of 19\n\n# Do all the steps as when getting the domain\r\nip = get_real_domain(base_domain, strings_list, n)\r\n# Get the octets of the ip, sum them and multiply by 7\r\noctets = str(ip).split('.')\r\nreturn sum(octets) * 7\r\nFigure 18. Pseudocode of the algorithm used to generate C\u0026C domain and port using a fake DNS entry\r\nDownload \u0026 Execute functionality\r\nMost of the Latin American banking trojans, including Casbaneiro, have a way to download and execute other\r\nexecutables, usually via a backdoor command. However, Casbaneiro employs a different implementation of this\r\nfunctionality. We initially thought of it as an update mechanism because newer versions of the banking trojan were\r\ndistributed by it but, as we found out later, not exclusively. Two different mechanisms are used; let’s explore them.\r\nVia XML document\r\nOne way that this functionality is used is by downloading an XML document. Data stored in this document between\r\nthe \u003cxmlUpdate\u003e## and ##\u003c/xmlUpdate\u003e labels are encrypted using the algorithm for remote data provided in Figure\r\n8.\r\nOnce decrypted, the data may contain the following tags:\r\n\u003cnewdns\u003e – new C\u0026C server domain\r\n\u003cnewport\u003e – new C\u0026C server port\r\n\u003cdownexec\u003e – a URL to use to download and execute a file\r\nVia special configuration file\r\nWe believe this approach is used in (probably a subset of) Casbaneiro samples that are being sold to other\r\ncybercriminals. In this method, a configuration file is downloaded (as shown in Figure 19). It consists of multiple lines,\r\neach one containing:\r\nAn ID of the buyer\r\nPayload archive filename\r\nMain URL where the archive is located\r\nBackup URL where the archive is located\r\nVersion (not used)\r\nA number (not used)\r\nDate (not used)\r\nThe latter three values seem to be ignored completely. The date “07/05/2018”, for example, is used even in the newest\r\nconfiguration files at the time of writing.\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 14 of 19\n\nFigure 19. Configuration file obtained by Casbaneiro\r\nEach Casbaneiro sample using this method has the buyer’s ID hardcoded in its data. When it downloads such\r\nconfiguration file, it parses it and finds the line that is intended for the specific buyer’s ID and downloads and executes\r\nthe payload.\r\nAs you can see in Figure 19, the payload is mostly the same for all the buyers. However, we have encountered a\r\nsituation where a sample downloaded such a configuration file and its buyer’s ID was not present. This way of\r\ndistributing additional payloads gives the “main author” (probably the seller) the ability to exclude some buyers.\r\nBesides Casbaneiro updates, we have seen two more payloads being distributed by this method, which are covered in\r\nthe next two sections.\r\nEmail tool\r\nA tool written in C# automatically registers a large number of new email accounts using the Brasil Online (BOL) email\r\nplatform and sends the credentials back to the attacker. If you have read our previous article, this may seem very\r\nfamiliar to you. That is because, as far as functionality goes, this tool does exactly the same thing. It is also a variant of\r\nthe spam tool described by Cisco.\r\nPassword stealer\r\nAnother payload we have seen being distributed by this functionality is a very simple Outlook password stealer. This\r\nmalware, once executed, first displays a message box stating, in Portuguese, there is an issue with the victim’s Outlook\r\naccount. After that, it displays a fake Microsoft login page requesting Outlook credentials.\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 15 of 19\n\nFigure 20. Message box displayed by the password stealer. (Translation: Dear client, we have detected a problem with\r\nyour Outlook account. Please check your account and avoid permanent blockage!)\r\nFigure 21. Window displayed by the password stealer that tries to obtain the victim's Outlook credentials. (Translation:\r\nMicrosoft free personal email recover account. Begin session. Login, Password. Next)\r\nConclusion\r\nIn this article, we talked about Casbaneiro, another Latin American banking trojan. We have shown that it shares the\r\ncommon characteristics for this type of malware, such as using fake pop-up windows and containing backdoor\r\nfunctionality. In some campaigns, it splits its functionality into an injector and the actual banking trojan. It also\r\nmasquerades as a legitimate application in most of the campaigns and targets Brazil and Mexico.\r\nWe have also shown strong indicators leading us to believe that Casbaneiro is closely related to Amavaldo. Both pieces\r\nof malware use the same, uncommon cryptographic algorithm in the injector component, they have used a very similar\r\nPowerShell script in one of their campaigns and they have been seen distributing a very similar email tool.\r\nWe have described various techniques Casbaneiro employs in order to hide its C\u0026C server address. These include\r\nusing remotely stored documents, both legitimate and fake websites and fake DNS entries.\r\nFinally, we have described two techniques used by Casbaneiro to update itself or download and execute additional\r\npayloads.\r\nFor any inquiries, contact us as threatintel@eset.com. Indicators of Compromise can also be found on our GitHub.\r\nIndicators of Compromise (IoCs)\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 16 of 19\n\nHashes\r\nCampaign 1: Fishy financial manager update\r\nSHA-1 Description ESET detection name\r\nF07932D8A36F3E36F2552DADEDAD3E22EFA7AAE1\r\nMSI\r\ninstaller\r\nWin32/TrojanDownloader.Banload.YJD\r\ntrojan\r\nBCDF0DDF98E3AA7D5C67063B9926C5D1C0CA6F3A\r\nDownloaded\r\npayload\r\nWin32/Spy.Casbaneiro.AJ trojan\r\nCampaign 2: What’s cooking? A fowl Windows activator\r\nSHA-1 Description ESET detection name\r\n8745197972071EDE08AA9F7FBEC029BED56151C2\r\nMSI\r\ninstaller\r\nJS/TrojanDownloader.Agent.TNX\r\ntrojan\r\nBC909B76858402B3CBB5EFD6858FD5954A5E3FD8 Re-Loader\r\nMSIL/HackTool.WinActivator.J\r\npotentially unsafe application\r\nCampaign 3: The most recent one\r\nSHA-1 Description ESET detection name\r\nDD2799C10954293C8E7D75CD4BE2686ADD9AC2D4 MSI installer\r\nJS/TrojanDownloader.Agent.TNX\r\ntrojan\r\n9DFFEB147D89ED58C98252B54C07FAE7D5F9FEA7\r\nDownloaded\r\npayload\r\nWin32/Spy.Casbaneiro.AJ trojan\r\nFiles distributed by Download \u0026 Execute\r\nSHA-1 Description ESET detection name\r\nC873ED94E582D24FAAE6403A17BF2DF497BE04EB Email tool MSIL/SpamTool.Agent.O trojan\r\nB3630A866802D6F3C1FA2EC487A6795A21833418 Password stealer Win32/PSW.Agent.OGH trojan\r\nFilenames\r\n%APPDATA%\\Spotify\\Spotify.exe\r\n%APPDATA%\\OneDrive\\OneDrive.exe\r\n%APPDATA%\\WhatsApp\\WhatsApp.exe\r\n%APPDATA%\\Sun\\Javar\\%RANDOM%\\%RANDOM%.exe\r\n%APPDATA%\\DMCache\\%RANDOM%\\%RANDOM%.exe\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 17 of 19\n\nRun key \u0026 values\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSpotify = %APPDATA%\\Spotify\\Spotify.exe\r\nOneDrive = %APPDATA%\\OneDrive\\OneDrive.exe\r\nWhatsApp = %APPDATA%\\WhatsApp\\WhatsApp.exe\r\n%Random% = %APPDATA%\\Sun\\Javar\\%RANDOM%\\%RANDOM%.exe\r\n%Random% = %APPDATA%\\DMCache\\%RANDOM%\\%RANDOM%.exe\r\nC\u0026C servers\r\nhostsize.sytes[.]net:7880\r\nagosto2019.servepics[.]com:2456\r\nnoturnis.zapto[.]org\r\n4d9p5678.myvnc[.]com\r\nseradessavez.ddns[.]net:14875\r\nBitcoin wallet\r\n18sn7w8ktbBNgsX8LeeeLMqKS84xMG54si\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Description\r\nInitial Access\r\nT1192 Spearphishing Link\r\nSome Casbaneiro campaigns start with a malicious\r\nlink in an email.\r\nT1193 Spearphishing Attachment\r\nSome Casbaneiro campaigns start with a malicious\r\nemail attachment.\r\nExecution\r\nT1073 DLL Side-Loading\r\nSome campaigns bundle a legitimate executable so\r\nas to use this technique in order to execute\r\nCasbaneiro.\r\nT1086 PowerShell\r\nOne distribution chain uses an obfuscated\r\nPowerShell script.\r\nPersistence T1060\r\nRegistry Run Keys / Startup\r\nFolder\r\nCasbaneiro downloaders set up persistence via Run\r\nkey.\r\nDefense\r\nEvasion\r\nT1140\r\nDeobfuscate/Decode Files or\r\nInformation\r\nCasbaneiro uses encrypted remote configuration\r\ndata and its commands are encrypted too.\r\nT1036 Masquerading\r\nCasbaneiro sometimes masquerades as or is\r\nbundled with a legitimate application.\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 18 of 19\n\nTactic ID Name Description\r\nT1064 Scripting\r\nPowerShell and JavaScript are used in Casbaneiro\r\ndistribution chains.\r\nCredential\r\nAccess\r\nT1056 Input Capture\r\nCasbaneiro contains a command to execute a\r\nkeylogger. It also steals contents from fake\r\nwindows it displays.\r\nDiscovery\r\nT1083 File and Directory Discovery\r\nCasbaneiro searches for various filesystem paths in\r\norder to determine what applications are installed\r\non the victim's machine.\r\nT1057 Process Discovery\r\nCasbaneiro searches for various process names in\r\norder to determine what applications are running on\r\nthe victim's machine.\r\nT1063 Security Software Discovery\r\nCasbaneiro scans the system for installed security\r\nsoftware.\r\nT1082\r\nSystem Information\r\nDiscovery\r\nCasbaneiro extracts the version of the operating\r\nsystem.\r\nCollection\r\nT1115 Clipboard Data\r\nCasbaneiro captures and replaces bitcoin wallets in\r\nclipboard.\r\nT1113 Screen Capture\r\nCasbaneiro contains a command to take\r\nscreenshots.\r\nCommand and\r\nControl\r\nT1024\r\nCustom Cryptographic\r\nProtocol\r\nCasbaneiro uses three different custom\r\ncryptographic protocols.\r\nT1032\r\nStandard Cryptographic\r\nProtocol\r\nCasbaneiro encrypts its commands using the\r\nstandard AES protocol.\r\nExfiltration T1041\r\nExfiltration Over Command\r\nand Control Channel\r\nCasbaneiro sends the data it collects to its C\u0026C\r\nserver.\r\nSource: https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nhttps://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/\r\nPage 19 of 19\n\n x = data_enc[i] data_dec += ^ (k3 \u003e\u003e 8) \u0026 0xFF chr(x) \n key3 = ((x + key3) \u0026 0xFF) * key1 + key2\nreturn data_dec  \nFigure 7. Payload decryption algorithm \n   Page 5 of 19",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/"
	],
	"report_names": [
		"casbaneiro-trojan-dangerous-cooking"
	],
	"threat_actors": [],
	"ts_created_at": 1775434135,
	"ts_updated_at": 1775791331,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8d7d29d72469d834d2adaa6670cfbd0be573a1f.pdf",
		"text": "https://archive.orkl.eu/c8d7d29d72469d834d2adaa6670cfbd0be573a1f.txt",
		"img": "https://archive.orkl.eu/c8d7d29d72469d834d2adaa6670cfbd0be573a1f.jpg"
	}
}