# Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware **seguranca-informatica.pt/latin-american-javali-trojan-weaponizing-avira-antivirus-legitimate-injector-to-implant-** malware/ February 16, 2021 **Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant** **malware.** In the last few years, many banking trojans developed by Latin American criminals have increased in volume and sophistication. Although exists a strong adoption of technologies with the goal of protecting the final user such as plugins, tokens, e-tokens, two-factorauthentication mechanisms, CHIP, PIN cards, and so on, online fraud is still on the rise and every day implementing new tactics, techniques, and procedures (TTP) to evade antivirus and Endpoint Detection & Response systems. In this article, we will into the details of the Javali trojan banker, **introduced and tracked by** **the Kaspersky Team, and targeting Latin American countries, including Brazil and Mexico** banking and financial organizations. ## Background of Latin American Trojans Javali trojan is active since November 2017 and targets users of financial and banking organizations geolocated in Brazil and Mexico. By analyzing this piece of malware, we found that Javali is using the same routines and calls often observed on other Latin American [trojans, such as Grandoreiro,](https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks/) **[URSA aka Mispadu, Lampion,](https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader)** **[Vadokrist,](https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/)** **[Amavaldo,](https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/)** **[Casbaneiro aka Metamorpho and Mekotio.](https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/)** ----- **_Figure 1: The most popular and dangerous Latin American trojans._** In short, part of these trojan families are using padding to enlarge the binary; empty sections [or even BPM images attached as a resource as described in this article related to the](https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks/#.YCMNomj7QuV) **[Grandoreiro trojan. Other trojans use this technique as it allows to evade detection and](https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks/#.YCMNomj7QuV)** execute the malicious code on the target machines bypassing detection based on static file signatures. Latin American trojans share the same modus operandi and even modules and blocks of code observed during the analysis of several malware samples. The following schema is an effort to present in a single high-level diagram the workflow of the most popular Latin American trojans. **_Figure 2: High-level diagram of the modus operandi of the most popular Latin American_** _banking trojans._ The malicious activity starts with a phishing email sent to the target victims in Latin American – Brazil, Mexico, Chile, and Peru – and Europe – Spain and Portugal. The initial stage of these trojans is generally the execution of a dropper in a form of a VBS, JScript, or MSI file that downloads from the Cloud (AWS, Google, etc.) the trojan loader/injector. After this step, the trojan itself – developed in Delphi – is executed into the memory manly using the DLL side loading technique or DLL injection, creating persistence using a .lnk file on the Windows Startup folder, or adding a new key in the machine registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) with the name and path of the .lnk file to guarantee the malware is executed every time the infected machine starts. The steps 7 and 8 from Figure 2, the malware obtains some details from the infected machine and report them to the C2 server, including the version of the Operating System (OS), architecture, the name of the installed antivirus and EDRs, computer name, and the victim’s geolocation. ----- From here, the malware executes a new thread when specific and hardcoded web-browsers are opened. The title of the accessed web-pages are collected and compared with the target organizations and services hardcoded and defined by crooks, generally the name of the banking portals, cryptocurrency portals, and financial firms. If these conditions match, the windows overlay process starts launching fake windows to lure victims. More details and comparisons between several threads and used TTPs can be found below [and by accessing the publication from ESET.](https://www.welivesecurity.com/wp-content/uploads/2020/09/ESET_LATAM_financial_cybercrime.pdf) ----- ----- **_Figure 3: MITRE ATT&CK table illustrating the features that Latin American banking trojans_** [share (full table and more details here).](https://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/) As observed during the last few years, several threats share a lot of TTP and code, and that is a clear signal of cooperation between malicious groups. ## Discovering Javali trojan banker These days, the Javali trojan banker is one of the most popular trojan banker families in the [wild. According to the Kaspersky publication:](https://securelist.com/the-tetrade-brazilian-banking-malware/97779/) ----- **_Javali targets Portuguese- and Spanish-speaking countries, active since November_** **_2017 and primarily focusing on the customers of financial institutions located in Brazil_** **_and Mexico_** Since the details online about this threat are scarce, after a tweet of the malware hunter **[@JAMESWT_MHT on Twitter, we decided to go through the details of this specific trojan.](https://twitter.com/JAMESWT_MHT)** [#Spy](https://twitter.com/hashtag/Spy?src=hash&ref_src=twsrc%5Etfw) [#Ousaban](https://twitter.com/hashtag/Ousaban?src=hash&ref_src=twsrc%5Etfw) I Found old sample that work in same way of mentioned tweet [Referencehttps://t.co/NMjVNRHPjg](https://t.co/NMjVNRHPjg) [Run https://t.co/Biq98qBrhH](https://t.co/Biq98qBrhH) cc [@ffforward](https://twitter.com/ffforward?ref_src=twsrc%5Etfw) [@lazyactivist192](https://twitter.com/lazyactivist192?ref_src=twsrc%5Etfw) [@sirpedrotavares@sugimu_sec](https://twitter.com/sirpedrotavares?ref_src=twsrc%5Etfw) [@verovaleros@Jan0fficial](https://twitter.com/verovaleros?ref_src=twsrc%5Etfw) [@guelfoweb@1ZRR4H](https://twitter.com/guelfoweb?ref_src=twsrc%5Etfw) [@__4ndr3y](https://twitter.com/__4ndr3y?ref_src=twsrc%5Etfw) [https://t.co/cpzQA4SpNU](https://t.co/cpzQA4SpNU) [pic.twitter.com/szw5ngFr6z](https://t.co/szw5ngFr6z) — JAMESWT (@JAMESWT_MHT) [February 3, 2021](https://twitter.com/JAMESWT_MHT/status/1356993036874563586?ref_src=twsrc%5Etfw) As observed in another Latin American banking trojans from Figure 3, part of the most popular trojans are disseminated using the most dangerous vehicle of threat’s proliferation: email protocol. As this protocol relies on a strong and complex “mesh” around him to catch the fish, the end-user is every time the final decision maker: open or not open the fresh email. Next, an email template used by Javali to lure victims is presented. ----- **_Figure 4: Email template used by Javali banking trojan._** The Javalis’ modus operandi is based on the workflow previously explained in Figure 2 and [related to other threats such as Vadokrist,](https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/) **[Lampion,](https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/#.YCvft2j7RPY)** **[URSA,](https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader)** **[Amavaldo, and](https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/)** **[Casbaneiro.](https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/)** After opening the URL distributed on the email body, a ZIP file is then downloaded from the Internet. For this, Cloud services are often used by crooks including Google, S3 Buckets from AWS, and MediaFire file sharing service. The next diagram demonstrates how Javali trojan banker works. ----- **_Figure 5: High-level diagram of Javali trojan banker._** As mentioned, in general, this trojan was developed using the same architecture of other Latin American trojans, and the main steps of the infection chain are described below and analyzed in-depth during the next sections of this article. In short, the phishing email is received by victims. By opening an URL it downloads from the Internet (Cloud services) a ZIP file with an MSI executable inside (1, 2). The MSI file contains a JavaScript payload hardcoded, then executed via wscript.exe (3) that will create persistence on the infected machine (4) and also download the final files from an AWS S3 bucket (5). The Avira.exe file, a legitimate PE file from the Avira Antivirus firm, is then used as an injector to take advantage of a technique dubbed DLL side-loading and loading into the memory a huge DLL “Avira.OE.NativeCore.dll” (6) as a child of a legitimate Parent Process ID (PPID). When executed, the Javali trojan starts its operation and immediately gets the malware configuration from doc files available on Google Cloud (7). Next, the trojan collects information from web-browsers (8) searching for target tabs opened related to hardcoded banking/financing portals and starts the malicious overlay activity presenting fake windows to victims (9, 10, 11, 12, and 13). ----- ## MSI file – The Javali Dropper **Filename: FT.FATURA.EKFUHLWS+LUVPBC0DGZUWISOAPDK.msi** **MD5: 70aa68c29622df360dea76daa4255835** **Creation time: 2/5/2021 7:10:49 AM** The MSI file has hardcoded a JavaScript payload inside as observed in Figure 6. This stage will be executed and download next step. **_Figure 6: JScript file hardcoded inside the MSI file and then executed via wscript.exe on the_** _target machine._ After some rounds of deobfuscation, we found some interesting strings and the blocks of code responsible for creating persistence on the machine and also downloading a ZIP file from an AWS S3 bucket dropped into the User’s public folder: _C:\Users\Public\Documents\random_name._ ----- **_Figure 7: JScript file partially deobfuscated._** Although some parts of the code still obfuscated, we can understand the basic operation of this piece of malware by debugging it on a debugger. This is a trick valid for other Jscript files executed via wscript.exe. By debugging it and adding a breakpoint on the “ws2_32.GetAddrInfoW” call, we can observe the moment the malware downloads the next stage from the Internet (AWS S3 bucket). ----- **_Figure 8: Getting the AWS S3 bucket address by debugging the JScript payload._** The downloaded ZIP file is stored into the “C:\Users\Public\Documents” directory, inside a random folder created during the dropper execution. After that, the following files are extracted, namely: **Avira.exe: Legitimate injector from Avira Antivirus.** **Avira.OE.NativeCore.dll: malicious DLL used during the DLL side-loading process.** **msvcp120.dll: Windows legitimate DLL for runtime dependencies – MICROSOFT® C** RUNTIME LIBRARY. **msvcr120.dll: Windows legitimate DLL for runtime dependencies – MICROSOFT® C** RUNTIME LIBRARY. **rundll32.dll: Copy of the Avira.exe injector used to start the trojan when the Jscript** terminates its execution. ----- ``` Avira.exe 8CBB75FEBFB4B0B7C3B6D3613386220C Avira.OE.NativeCore.dll 83c49ccc03e4abfad28e278ce98b4537 msvcp120.dll FD5CABBE52272BD76007B68186EBAF00 msvcr120.dll 034CCADC1C073E4216E9466B720F9849 rundll32.exe 8CBB75FEBFB4B0B7C3B6D3613386220C ``` **_Figure 9: Javali trojan and all the files used during the infection chain._** Persistence is achieved by creating a .lnk file in the Windows startup folder and also a registry key pointing to this .lnk file. ``` [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] created: CREATED device: DISK_FILE_SYSTEM name: C:\Users\xxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JAAMKHQWFW.lnk object: FILE operation: CREATE status: 0x00000000 time: 10453 ms ``` ----- **_Figure 10: Javali trojan persistence technique (Windows startup folder + registry_** _CurrentVersion\Run)._ ## Javali injector – Weaponizing Avira legitimate executable **Filename: Avira.exe / rundll32.exe** **MD5: 8CBB75FEBFB4B0B7C3B6D3613386220C** **Creation time: 1/25/2021 4:38:25 AM** Javali trojan takes advantage of a legitimate executable from Avira Antivirus firm to inject into the memory a malicious DLL that impersonates the legitimate DLL: **_Avira.OE.NativeCore.dll. This technique is known as DLL side-loading aka DLL hijacking by_** abusing of vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests [are not explicit enough about characteristics of the DLL to be loaded (T1574).](https://attack.mitre.org/techniques/T1574) As observed below, the injector is a legitimate file and with a valid digital signature from **Avira Operations GmbH & Co. KG.** ----- **_Figure 11: Javali uses as injector a legitimate executable from Avira antivirus._** DLL side-loading is used as the favored execution method by Latin American threat groups and 22 different binaries have been abused to load into the memory malicious code. In a **[publication from ESET, some products were described, including binaries from Microsoft,](https://www.welivesecurity.com/wp-content/uploads/2020/09/ESET_LATAM_financial_cybercrime.pdf)** Oracle, several security companies, NVIDIA, VMWare, Avira, and others used as injectors in Amavaldo, Casbaneiro, Mekotio, Vadokrist, and Javali trojans. |Product|Filename|DLL name| |---|---|---| |Microsoft Corporation CTF Loader|ctfmon.exe|MsCtfMonitor.dll; AppGetLoader.dll; CryptUI.dll| |Microsoft Corporation OLE/COM Object Viewer|OLEView.exe|IViewers.dll| |Microsoft ECM Certificate Manager|CertMgr.exe|CryptUI.dll| |Microsoft Office Picture Manager|Ois.exe|MSOCF.dll| ----- |Product|Filename|DLL name| |---|---|---| |Java(TM) Platform SE 8 (cmd-line launcher)|jjs.exe|jli.dll| |Java(TM) Platform SE 8 (Remote Method Invocation)|java-rmi.exe|jli.dll| |Java(TM) Platform SE 8 (Kerberos)|kinit.exe|jli.dll| |Avira|Avira.SysTrayStartTrigger.exe|Avira.OE.NativeCode.dll| |Avast Dump Process|avDump32.exe|Dbghelp.dll| |AVG Dump Process|avDump32.exe|Dbghelp.dll| |G DATA Personal Firewall|GDFwAdmin.exe|GDFwAdmin.dll| |G DATA Security Software|AVK.exe|Avk.dll| |COMODO Internet Security|CisTray.exe|Cmdres.dll| |NVIDIA 3D Vision Test Application|Nvsttest.exe|D3d8.dll| |NVIDIA Smart Maximise Helper Host|NvSmartMaxApp.exe|NvSmartMax.dll| |VirtualBox Guest Additions Tray Application|VBoxTray.exe|Mpr.dll| |VMware NAT Service|Vmnat.exe|Shfolder.dll| |WinGup for Notepad++|Gup.exe|Libcurl.dll| |Disc Soft Bus Service Pro (DAEMON Tools Pro)|DiscSoftBusService.exe|Imgengine.dl| |Bartels Media GmbH Macro Recorder|MacroRecorder.exe|Mrkey.dll| |Stonesoft VPN Client Service|Sgvpn.exe|Wtsapi32.dll| |OOO Lightshot Starter Module|Lightshot.exe|Lightshot.dll| ----- [Also, BitDefender published an article in reference to this vulnerability used by Casbaneiro](https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf) aka Metamorfo trojan to execute the malware as a child of a trusted process. In fact, legitimate applications are digitally signed with an Authenticode (code-signing) certificate. This is the proof and seen as a token of trust, as an Authenticode-signed executable file looks less alarming to users when requesting elevated privileges. In this way, if the User Account Control (UAC) prompts the victim that the antivirus engine wants to make changes on the system, well, users probably will not question it. On the other hand, many antivirus and Endpoint Detection & Response systems can be avoided using this vulnerability, as the injector is legitimate, code-signed, authentic, and comes from a wellknown security firm – Avira. **_Figure 12: Legitimate injector from Avira – digitally signed, authentic, and trusted during the_** _injection process allowing to bypass security engines such as AV and EDR._ ## Avira injector – Digging into the details There is a lot of methods to take advantage of DLL side-loading vulnerability by examining the DLL imports. Figure 13 shows the Avira.exe DLL Import Table Address (IAT) which includes the functions: **MakeTrayIconVisible** **Avira::OE::NativeCore::OeProductInfo::GetLanguage(void)const** ----- **_Figure 13: Calls loaded from a legitimate external DLL (Avira.OE.NativeCore.dll)._** Validating the external DLLs and calls must involve more than checking for the correct filename and calls names. In this way, every time a DLL is loaded from the side-by-side directory and adjacent to the primary PE file needs to be validated for these functions. Usually, executables using the side-by-side feature will have these resources located in the embedded manifest file. In detail, the name passed to LoadLibrary() / LoadLibraryEx() call not need specify a specific path. If a path is passed, then the library is only loaded from the specific path. Otherwise, the following Windows default DLL search order is used: 1. The current process image file directory – the application directory. 2. The system directory (e.g. system32 folder). 3. The 16-bit system directory. 4. The windows directory. 5. The current working directory. 6. The directories listed in the PATH environment variable. After analyzing the legitimate injector, we can see that the CreateFile() and ReadFile() functions are used to load into the memory the external DLL from the current process image file directory. ----- **_Figure 14: Avira.exe injector vulnerable to DLL side-loading attack abused by Javali trojan._** In sum, we recommend the following strategy should be kept in mind to ensure secure loading of libraries: **Use proper DLL search order.** **Make use of code signing infrastructure or AppLocker.** **Ensure that the full path is hardcoded avoiding relative paths for any resources.** **Confirm that the imported DLL actually exists.** **Ensure that all the imported functions are valid and not empty.** **Utilize DLL redirection or a manifest.** **Code-signing – Microsoft Authenticode technology.** ## Final stage – Javali trojan banker **Filename: Avira.OE.NativeCore.dll** **MD5: 83c49ccc03e4abfad28e278ce98b4537** **Creation time: 2/2/2021 3:47:39 AM** **_Code-signing (Microsoft Authenticode technology) can be used to sign the DLL, which is_** to attach digital signatures to the DLL to guarantee its authenticity and integrity. ----- By comparing the legitimate and malicious DLL, we can see that the malicious one is not signed in contrast to the legitimate one (Figure 15). Also, the External Address Table (EAT) is maintained including the two required calls that are invoked, otherwise, the injector could crash during its execution (Figure 16). Below, we can see that the “spoofed” DLL is not digitally signed, and even the size of the file is bigger than the original from Avira. **_Figure 15: Malicious (spoofed) DLL without digital signature and the file was enlarged to_** _bypass detection. Otherwise, the original DDL from the Avira firm is digitally signed._ As observed in Figure 16, the exported calls on the right-side (malicious DLL) don’t have a name – the sections’ names are empty – and the OEP is pointing to the .data section. At the first glance, this is a clear signal that something is wrong, even looking at the EAT, we can find many strange and empty sections to enlarge the DLL size. Also, the original file name and compilation date are different between the legitimate (leftside) and the malicious DLL (right-side). Although the ordinals are different, the base calls of the legitimate DLL were maintained, and only the main calls were overwritten with the malicious code. ``` ---overwritten functions--MakeTrayIconVisible Avira::OE::NativeCore::OeProductInfo::GetLanguage(void)const ``` ----- **_Figure 16: Principal differences between the Legitimate DLL from Avira versus the malicious_** _DLL._ The Javali DLL is packed and enlarged with junk – a well-known technique used by Latin American trojans such as Grandoreiro and Lampion in order to evade detection. When executed in memory, the malware is unpacked by blocks using the virtualization code of the **[Enigma protector.](https://enigmaprotector.com/)** **_The unique technology which allows combining the files used by your application into_** **_a single module without loss of efficiency. This function supports all kinds of files,_** **_including dll, ocx, mp3, avi, etc. Virtual Box will protect your files and prevent them_** **_from being copied and used in third-party products._** After bypassing this initial restriction, we can see below (right-side) the Javali trojan DLL partially unpacked. ----- **_Figure 17: Javali trojan – Enigma packed DLL vs partially unpacked DLL._** The malicious DLL has a size of 570 MB in disk because it was compiled with empty sessions. When it is executed into the memory, unpacked and the empty sessions are cleaned, the library is a binary of 30 MB. ----- **_Figure 18: Unpacked DLL – 30 MB versus packed DLL – 570 MB._** Once the binary is unpacked, at this time it’s possible to obtain the images that are used during the windows overlay process. As observed below, this time the resources are unpacked and can be analyzed. **_Figure 19: Packed resources vs unpacked resources._** At this point, internal capabilities and implemented TTP can be analyzed by reversing the Delphi code as well ----- **_Figure 20: Javali trojan – Delphi forms._** ## Javali configuration obtained from Google Docs Javali trojan communicates with Google Docs files to obtain its configuration, including the address of the C2 server. If it is not able to connect to the address, it uses a hardcoded one. Javali checks for connectivity by sending a web request to the ipinfo.io service. ``` 6EEE36B7,"mov eax,avira.oe.nativecore.6EF188B4","&L""Windows 7 Ultimate""" 6EEE36CB,"mov eax,avira.oe.nativecore.6EF0E4C0","&L""BAUdGYGlgX3wUY4XrGGt9z6CrGnnlmpgCaEIjtxxxxxxxxx 6EEE36DF,"mov eax,avira.oe.nativecore.6EF188BC","&L""TUBA-01""" 6EEE3757,"mov eax,avira.oe.nativecore.6EF18900","&L""1724526122""" 6EEE376B,"mov eax,avira.oe.nativecore.6EF1891C","&L""Windows 7""" 6EEE3789,"mov eax,avira.oe.nativecore.6EF18930","&L""http://ipinfo.io/json""" 6EEE3793,"mov eax,avira.oe.nativecore.6EF18934","&L""xx.46.179.xx""" 6EEE37CF,"mov eax,avira.oe.nativecore.6EF1894C","&L""hxxps://docs.google.]com/document/d/15dKy9iPdfK 6EEE37D9,"mov eax,avira.oe.nativecore.6EF18950","&L""hxxps://docs.google.]com/document/d/16OdxMD6j6d 6EEE37E3,"mov eax,avira.oe.nativecore.6EF18954","&L""hxxps://claricepss.webcindario.]com/pgl/index.p 6EEE380B,"mov eax,avira.oe.nativecore.6EF18970","&L""191.232.170.12""" 6EEE3815,"mov eax,avira.oe.nativecore.6EF18974","&L""25325""" ``` ----- **_Figure 20: Javali process of getting config from Google Docs and communication with C2_** _server._ The list of Google docs hardcoded inside the Javali file is presented below: ``` hxxps://docs.google].com/document/d/15dKy9iPdfKKUyI5JEn6lyhxramzevtn0siixKmnfNB0/edit hxxps://docs.google].com/document/d/15i3BIlOzTNOF3cIgA-o8YYa-u24q-DdcalWi5JMyxeU/edit hxxps://docs.google].com/document/d/18dBH_hLqlszwezEZkeFfACFo-nhCHHoCwc6qyxdoA2Y/edit hxxps://docs.google].com/document/d/18qfnad3gLJeUsZxZo-iRkYShxp72q5Ct4sUvCXxl0Ng/edit hxxps://docs.google].com/document/d/1E3RFnE4dlzD_wL96hMzNBlZZ8vNS-mM_Q48lDUFzwFA/edit hxxps://docs.google].com/document/d/1IM9fNp--iWLQPUVKjHBZUOwfi9Yv_BuUSojQTCidU3U/edit hxxps://docs.google].com/document/d/1MezQvI_dk_5R4zn_i5dhfSd86KULlFPCsNIUPEu-ZR8/edit hxxps://docs.google].com/document/d/1OetWS-gLaMbPBcxDQaVbNcYXb7hL4BsR8X_ouI-hz1g/edit hxxps://docs.google].com/document/d/1T-hcyJWouUdAIZ19DZ_guh723zgpL2H2c4kpcBL0Tqg/edit hxxps://docs.google].com/document/d/1UwICJoIrrey05PhmMpKVB2g3tMf9PYk4A-UeFHEOIsw/edit hxxps://docs.google].com/document/d/1W2GHf0vyCLNhVIDxF126mvbKFS9VC2RqU4n-5EXMZLA/edit hxxps://docs.google].com/document/d/1YTBuav90AWfG24KrZ25h41GnVXIzh3cSapf0sF5n8QI/edit hxxps://docs.google].com/document/d/1bGyEiUhvY1HvEkbIS7pNPWCODIRrfTyvK2TJLwEFgrw/edit hxxps://docs.google].com/document/d/1fUCxFdZGv3BUIMtba8tItJAJA3SY4ZR8UHPW0loT80Y/edit hxxps://docs.google].com/document/d/1iN1UvBtln4jXxMgNpGqGl3NF_YN1lhE_Ei11E2odFdo/edit hxxps://docs.google].com/document/d/1jR8nCxVdi4vnNUlLCpKz3LbpPK9RMzW3_hWGNgpe2nY/edit hxxps://docs.google].com/document/d/1o-b6lH-aadYKV1jr7imBgUiXgIFNwrkI-9aHlVAa4JQ/edit hxxps://docs.google].com/document/d/1ogLFEFF4G0PHJM2LBjd3dKFB4tAGiaTiUb2BA0ouuac/edit hxxps://docs.google].com/document/d/1pCA24HnsioJ0HqApuc9Zf5hGcgJjxskpImUAmarbtfU/edit hxxps://docs.google].com/document/d/1phEs-b8IHsTy84f670zIzyQFgRKsqQGOofFAcH3CdkI/edit hxxps://docs.google].com/document/d/1qcT11IVn26rKBJAA4gPpUcHFwIP4i4wGF2QBgIVquwM/edit hxxps://docs.google].com/document/d/1tRSWPhiV-KIYTOJaR-Dd1MLvYRsPmBsU5Hzxu8tg4-E/edit hxxps://docs.google].com/document/d/1wG-npl-Rx1WT00cYpjvrE_V_PzzxuavKLkpvYReLjvw/edit ``` ----- **_Figure 21: Javali configuration obtained from Google Docs._** The strings of the Google Docs files are encrypted and the algorithm used to encrypt strings [comes from the “Mestres da Espionagem Digital” book also used in another Latin](https://books.google.pt/books?id=0PdDnywBKl0C&printsec=frontcover&redir_esc=y#v=onepage&q&f=false) [American banking trojan such as Casbaneiro.](https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/) Criminals also used a public library called DCPCrypt – a library responsible for encrypting buffers with various algorithms. As observed in Figure 22, each of these algorithm classes have string identifiers beginning with DCP string such as DCPPcrypt2, DCPsha512, _DCP_blockcipher128, etc. This library is used to facilitate the encryption communication_ between the compromised machine and the C2 server via HTTPS protocol. ----- **_Figure 23: Classe names of cryptographic algorithms used by Javali trojan._** On the other side, the host information retrieved from Google Docs is obfuscated for obvious [reasons. Javali also adopts another third-party library named IndyProject for communication](https://www.indyproject.org/) with the C2. **_Indy is an open-source client/server communications library that supports_** **_TCP/UDP/RAW sockets, as well as over 100 higher level protocols including SMTP,_** **_POP3, IMAP, NNTP, HTTP, FTP, and many more. Indy is written in Delphi but is also_** **_available for C++Builder and FreePascal._** ----- **_Figure 24: IndyProject third-party library used by Javali._** From the analysis of Javali’s sample, information about C2 where extracted. By comparing the first URL “claricepss.webcindario.]com” with other subdomains from “webcindario.]com” which translates to IP 5.57.226.]202, we can found that the domain has been used for a long time by Brazilian criminals in campaigns this line. ``` 6EEE37E3,"mov eax,avira.oe.nativecore.6EF18954","&L""hxxps://claricepss.webcindario.]com/pgl/index.p 6EEE380B,"mov eax,avira.oe.nativecore.6EF18970","&L""191.232.170.]12""" 6EEE3815,"mov eax,avira.oe.nativecore.6EF18974","&L""25325""" 51.103.136.]92/nave/index.php ``` For example, other directories were found upon the subdomain “claricepss” as observed below with malicious landing pages related to banking organizations available and used to capture the victims’ credentials. ``` [13:38:54] 301 - 6KB - /bb -> https://claricepss.webcindario.]com/bb/ [13:39:05] 301 - 6KB - /cadastro -> https://claricepss.webcindario.]com/cadastro/ [13:39:18] 301 - 6KB - /chrome -> https://claricepss.webcindario.]com/chrome/ [13:39:20] 301 - 6KB - /black -> https://claricepss.webcindario.]com/black/ [13:39:21] 301 - 6KB - /imap -> https://claricepss.webcindario.]com/imap/ [13:39:23] 301 - 6KB - /casa -> https://claricepss.webcindario.]com/casa/ [13:39:30] 301 - 6KB - /pgl -> https://claricepss.webcindario.]com/pgl/ [13:39:57] 301 - 6KB - /deco -> https://claricepss.webcindario.]com/deco/ [13:40:52] 301 - 6KB - /xy -> https://claricepss.webcindario.]com/xy/ ``` ----- **_Figure 25: Banking landing-page used to collect credentials and lure victims during the_** _infection process._ Next, we can observe the output from the C2 server of Javali trojan banker, with the last infected victims and their geolocation, and also extracted passwords from online services hardcoded inside the malware such as: **kinghost.]com].br** **uolhost.]com.]br** **terra.]com.]br** ----- ----- **_Figure 26: C2 dashboard with last infections and victims’ credentials._** In detail, these fake pages are shown during the infection chain in order to collect credentials. Criminals control all the workflow and victims’ navigation in the background and [in real-time as detailed in this article related to a huge phishing campaign this nature –](https://seguranca-informatica.pt/the-evolution-of-phishing-infrastructure-a-large-scale-campaign-called-anubis-that-targets-brazilian-and-portuguese-internet-users/#.YCqRAWj7QuU) **[Anubis Phishing Network.](https://seguranca-informatica.pt/the-evolution-of-phishing-infrastructure-a-large-scale-campaign-called-anubis-that-targets-brazilian-and-portuguese-internet-users/#.YCujimj7RPY)** ## Window overlay process ----- When victims access a specific banking or financial portal, the malware triggers a new thread to launch the overlay windows. If the accessed portal matches the hardcoded banking organizations, Javali sends to the C2 a simple request with information about the infected machine separated by markers such as “|” and “<“. Full list of hardcoded banking and financial organizations: ----- ``` x2ddad8c (16): CrediSiS 0x2ddadb4 (16): Viacredi 0x2ddaddc (16): CIDETRAN 0x2ddae04 (16): Daycoval 0x2ddae2c (22): BRB Banknet 0x2ddae54 (20): Banco Alfa 0x2ddae7c (16): NBC BANK 0x2ddaea4 (22): Pine Online 0x2ddaecc (22): Banco Safra 0x2ddaef4 (16): Banestes 0x2ddaf1c (22): Banco Inter 0x2ddaf44 (18): Banco BNB 0x2ddaf6c (18): Mercantil 0x2ddaf94 (18): Santander 0x2ddafbc (16): Banco It 0x2ddafe4 (18): Bradesco 0x2ddb00c (22): [bb.com.br] 0x2ddb034 (16): R4pp0rt 0x2ddb05c (16): core.exe 0x2ddb084 (22): SunAwtFrame 0x2ddb0ac (16): Cursor_1 0x2ddb0d4 (20): DWMAPI.dll 0x2ddb0fc (18): Banco Ita 0x2ddb124 (16): BL-0.ini 0x2ddb14c (22): default_set 0x2ddb174 (22): \ConfXTheme 0x2ddb19c (18): Microsoft 0x2ddb1c4 (16): KingHost 0x2ddb1ec (16): Locamail 0x2ddb214 (20): Terra Mail 0x2ddb23c (20): E-mail UOL Aplicativo Itaú itauaplicativo.exe Banco Itaú Aplicativo sicoob sicoob AplicativoBradesco.exe NavegadorExclusivoBradesco.exe Aplicativo bradesco Banco Bradesco Banco do Brasil Banco Bradesco | Pessoa Física, Exclusive, Prime e Private Bradesco Pessoa jurídica | Bradesco Bradesco JuJu Banco Itáu Santander Banco Santander Sicredi Banco Sicredi Mercantil Banco Mercantil internetbanking Caixa Economica Banco Sicoob ``` ----- ``` Unicred Portal Banco Unicred Internet Banking BNB Banco BNB Banco Inter Banco Intermedium Banco MUFG Brasil S.A. Banestes - Internet Banking Banestes Internet Banking Banpará Cetelem | Login Cooperativa de Crédito Nova Home | Internet Banco Safra BANCO PAULISTA UNICRED UniprimeCentral Bem vindo ao seu BMG Portal - Banco Votorantim Pine Online NBC BANK Tribanco Online Banco Alfa Banco Indusval & Partners Portal Internet Banrisul Banco Original Acesse sua conta Celcoin Login - Nubank BRB Banknet Banco de Brasília Banco da Amazônia Banese BancoTopazioInternetBanking BancoIndustrial Banco Industrial Daycoval CIDETRAN Viacredi Mercado Pago CrediSiS ``` As described, Javali is monitoring the accessed web-pages on the victim side. When a match is achieved, the communication with the C2 servers starts. The C2 server is geolocated in Brazil, and a new port is generated dynamically each execution between a well-defined range. Socket communication is established using the IndyProject library. ----- **_Figure 27: Communication with the C2 server during the windows overlay process._** ----- As mentioned several times during this analysis, code sharing has been seen in different Latin American trojans. This kind of socket communication can be also observed during the **[Lampion trojan activity.](https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/#.YCul9Gj7RPY)** More, hardcoded C2 endpoints inside the Javali can be related to Grandoreiro activity as **[described in this article.](https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks/#.YCumL2j7RPY)** **Javali C2 endpoints hardcoded** **Grandoreiro C2 endpoints (right-side)** **_Figure 28: Grandoreiro C2 endpoints found hardcoded in the Javali sample._** ----- As with many other banking trojans, Javali supports several backdoor commands. The capabilities of these commands include: **Obtaining screenshots with the help of the Windows Magnifying API, imported** **from Magnification.dll.** **Logging keystrokes** **Downloading and executing further payloads** **Restricting access to various banking websites** **Mouse and keyboard simulation** **Blocking the access to several Windows applications during the malware** **execution (such as Task Manager)** **Self-updating** **Stealing credentials from several email services, and banking/financial portals.** ## Final Thoughts Javali is a potent piece of malware, whose primary capability is theft of banking information and other personal information from the user machine and sends it to the C2 server. This trojan abuses a legitimate injector from Avira Firm to create a child process and loads into the memory a protected DLL with the trojan operations. With this technique in place, bypassing some AV and EDR is possible and the trojan-activity can be masqueraded for a long time. From Javali’s analysis, we can conclude that Latin American operators are sharing code between different trojans such as **[Lampion,](https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/#.YCvft2j7RPY)** **[URSA,](https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/#.YCvk6Wj7RPY)** **[Grandoreiro,](https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks/)** **[Casbaneiro, and so on.](https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/)** Finally, the trojan is a dangerous weapon, with the capabilities to self-update itself, capture keystrokes and mouse movements, take screenshots, block access the several Windowsbased applications and banking and financial portals, and starting the windows overlay process when a legitimate portal is accessed. Screenshots of the windows launched by Javali, Mitre Att&ck Matrix, and other IOCs are presented below. ## Windows overlay extracted from Javali trojan ----- ----- ## Mitre Att&ck Matrix **Tactic** **ID** **Name** **Description** **Initial** **Access** [T1192](https://attack.mitre.org/techniques/T1192/) Spearphishing Link Javali campaigns start with a spear-phishing email. [T1193](https://attack.mitre.org/techniques/T1193/) Spearphishing Attachment Java campaigns start with a malicious email attachment (.zip file). **Execution** [T1073](https://attack.mitre.org/techniques/T1073/) DLL Side-Loading Javali campaigns are using a legitimate executable from Avira Firm to inject into the memory a malicious DLL. **Persistence** [T1060](https://attack.mitre.org/techniques/T1060/) Registry Run Keys / Startup Folder Javali gets persistence via Run key. Javali uses encrypted remote configuration from Google Docs and its commands are also encrypted. **Defense** **Evasion** [T1140](https://attack.mitre.org/techniques/T1140/) Deobfuscate/Decode Files or Information [T1036](https://attack.mitre.org/techniques/T1036/) Masquerading Javali masquerades itself with a legitimate application (Avira antivirus). ----- [T1064](https://attack.mitre.org/techniques/T1064/) Scripting PowerShell and JavaScript are used in Javali distribution chain. **Credential** **Access** [T1056](https://attack.mitre.org/techniques/T1056/) Input Capture Javali contains a command to execute a keylogger. It also steals contents from fake windows overlay. **Discovery** [T1083](https://attack.mitre.org/techniques/T1083/) File and Directory Discovery Javali searches for various filesystem paths in order to determine what applications are installed on the victim’s machine. [T1057](https://attack.mitre.org/techniques/T1057/) Process Discovery [T1063](https://attack.mitre.org/techniques/T1063/) Security Software Discovery [T1082](https://attack.mitre.org/techniques/T1082/) System Information Discovery Javali searches for various process names in order to determine what applications are running on the victim’s machine. Javali scans the system for installed security software. Javali extracts the version of the operating system. **Collection** [T1113](https://attack.mitre.org/techniques/T1113/) Screen Capture Javali contains a command to take screenshots via Windows API. **Command** **and Control** [T1024](https://attack.mitre.org/techniques/T1024/) Custom Cryptographic Protocol **Exfiltration** [T1041](https://attack.mitre.org/techniques/T1041/) Exfiltration Over Command and Control Channel ## Indicators of Compromise (IOCs) Javali uses cryptographic protocols to communicate with C2 server. Javali sends the data it collects to its C&C server. ----- ``` samples FT.FATURA.EKFUHLWS+LUVPBC0DGZUWISOAPDK.msi MD5: 70aa68c29622df360dea76daa4255835 Avira.exe MD5: 8CBB75FEBFB4B0B7C3B6D3613386220C Avira.OE.NativeCore.dll MD5: 83c49ccc03e4abfad28e278ce98b4537 msvcp120.dll MD5: FD5CABBE52272BD76007B68186EBAF00 msvcr120.dll MD5: 034CCADC1C073E4216E9466B720F9849 rundll32.exe MD5: 8CBB75FEBFB4B0B7C3B6D3613386220C --AWS S3 bucket-hxxps://hipermercado.s3-sa-east-1.amazonaws.]com/bretas.]png --C2 server-191.232.170.]12 191.232.170.]12:35730 191.232.170.]1 191.232.177.]237 --banking overlay fake pages-51.103.136.]92/nave/index.php https://claricepss.]webcindario.]com/pgl/index.php hxxps://claricepss.webcindario.]com/bb/ hxxps://claricepss.webcindario.]com/cadastro/ hxxps://claricepss.webcindario.]com/chrome/ hxxps://claricepss.webcindario.]com/black/ hxxps://claricepss.webcindario.]com/imap/ hxxps://claricepss.webcindario.]com/casa/ hxxps://claricepss.webcindario.]com/pgl/ hxxps://claricepss.webcindario.]com/deco/ hxxps://claricepss.webcindario.]com/xy/ --Google Docs files w/ config-hxxps://docs.google].com/document/d/15dKy9iPdfKKUyI5JEn6lyhxramzevtn0siixKmnfNB0/edit hxxps://docs.google].com/document/d/15i3BIlOzTNOF3cIgA-o8YYa-u24q-DdcalWi5JMyxeU/edit hxxps://docs.google].com/document/d/18dBH_hLqlszwezEZkeFfACFo-nhCHHoCwc6qyxdoA2Y/edit hxxps://docs.google].com/document/d/18qfnad3gLJeUsZxZo-iRkYShxp72q5Ct4sUvCXxl0Ng/edit hxxps://docs.google].com/document/d/1E3RFnE4dlzD_wL96hMzNBlZZ8vNS-mM_Q48lDUFzwFA/edit hxxps://docs.google].com/document/d/1IM9fNp--iWLQPUVKjHBZUOwfi9Yv_BuUSojQTCidU3U/edit hxxps://docs.google].com/document/d/1MezQvI_dk_5R4zn_i5dhfSd86KULlFPCsNIUPEu-ZR8/edit hxxps://docs.google].com/document/d/1OetWS-gLaMbPBcxDQaVbNcYXb7hL4BsR8X_ouI-hz1g/edit hxxps://docs.google].com/document/d/1T-hcyJWouUdAIZ19DZ_guh723zgpL2H2c4kpcBL0Tqg/edit hxxps://docs.google].com/document/d/1UwICJoIrrey05PhmMpKVB2g3tMf9PYk4A-UeFHEOIsw/edit hxxps://docs.google].com/document/d/1W2GHf0vyCLNhVIDxF126mvbKFS9VC2RqU4n-5EXMZLA/edit hxxps://docs.google].com/document/d/1YTBuav90AWfG24KrZ25h41GnVXIzh3cSapf0sF5n8QI/edit ``` ----- ``` hxxps://docs.google].com/document/d/1bGyEiUhvY1HvEkbIS7pNPWCODIRrfTyvK2TJLwEFgrw/edit hxxps://docs.google].com/document/d/1fUCxFdZGv3BUIMtba8tItJAJA3SY4ZR8UHPW0loT80Y/edit hxxps://docs.google].com/document/d/1iN1UvBtln4jXxMgNpGqGl3NF_YN1lhE_Ei11E2odFdo/edit hxxps://docs.google].com/document/d/1jR8nCxVdi4vnNUlLCpKz3LbpPK9RMzW3_hWGNgpe2nY/edit hxxps://docs.google].com/document/d/1o-b6lH-aadYKV1jr7imBgUiXgIFNwrkI-9aHlVAa4JQ/edit hxxps://docs.google].com/document/d/1ogLFEFF4G0PHJM2LBjd3dKFB4tAGiaTiUb2BA0ouuac/edit hxxps://docs.google].com/document/d/1pCA24HnsioJ0HqApuc9Zf5hGcgJjxskpImUAmarbtfU/edit hxxps://docs.google].com/document/d/1phEs-b8IHsTy84f670zIzyQFgRKsqQGOofFAcH3CdkI/edit hxxps://docs.google].com/document/d/1qcT11IVn26rKBJAA4gPpUcHFwIP4i4wGF2QBgIVquwM/edit hxxps://docs.google].com/document/d/1tRSWPhiV-KIYTOJaR-Dd1MLvYRsPmBsU5Hzxu8tg4-E/edit hxxps://docs.google].com/document/d/1wG-npl-Rx1WT00cYpjvrE_V_PzzxuavKLkpvYReLjvw/edit ## Online Sandbox URLs ``` **FATURA.EKFUHLWS+LUVPBC0DGZUWISOAPDK.msi:** https://www.virustotal.com/gui/file/3c02cff7aa1784336ec96fce16cac267c812ce98ab6a7497c 8b7f8c44c54a1e9/detection **Avira.exe:** https://www.virustotal.com/gui/file/f495d7c5c98457febc42ec96a959293788f6915e4245899d 3bb1808ab84f0d9a/detection **Avira.OE.NativeCore.dll:** https://www.virustotal.com/gui/file/bdfa6dbba717b8faf4e0a049e90c6451b1980695f12b59d3d 8d2ee6ef22e4da6/details ## Yara rule ``` import "pe" rule Javali_february_2021 { meta: description = "Yara rule for Javali trojan - February version" author = "SI-LAB - https://seguranca-informatica.pt" last_updated = "2021-02-16" tlp = "white" category = "informational" condition: filesize > 1000KB and pe.characteristics & pe.DLL and pe.exports("IsAviraSignedFile") and pe.exports("MakeTrayIconVisible") } ``` [Yara rule can be found on GitHub.](https://github.com/sirpedrotavares/SI-LAB-Yara_rules/blob/master/javali_trojan) [Pedro Tavares](https://seguranca-informatica.pt/author/pipocaz/) ----- **[Pedro Tavares is a professional in the field of information security working as an Ethical](https://www.linkedin.com/in/sirpedrotavares/)** Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog segurancainformatica.pt. In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources [Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that](https://feed.seguranca-informatica.pt/) compiles phishing and malware campaigns targeting Portuguese citizens. [Read more here.](https://seguranca-informatica.pt/contacto/) -----