Trojan Attack Targets Major Banks in Chile


A vicious malware attack spread to nine of the biggest banks in Chile last month. At least 854 machines were impacted by this attack. The first wave of the attack began with an email campaign that directly impersonated the Colegio de Abogados de Chile, a Chilean law school. However, new evidence shows it could be related to a spoofing campaign targeting the Chilean police. The attackers sought to infect the highest possible number of users; to that end, they wrote generic copy and used a basic email header in the hope of tricking as many victims as possible. The emails simply referred to a legal claim regarding outstanding debts or a legal subpoena, and asked users to download an external document with the details of the case.

[Figure: screenshots of the two malicious messages]

Our research team was able to analyze the Trojan components to better understand this specific attack. Below are the various stages of the attack.

Stage 1

The downloaded documents in question are JavaScript files named “DESCAGARGAR_deudaspendientesPDF000202016.js” or “Vea_Aqui_Su_citacion_2017.js”. These names clearly indicate the attackers’ intention to hide the file’s true nature, using words such as “PDF” in the title; the script’s contents are also obfuscated (see script below).

[Figure: obfuscated contents of the JavaScript downloader]

The purpose of this script is to download a copy of the 7-zip software and the compressed, password-protected payload. Once both have been downloaded, the payload is decompressed using a password obscured in the script’s body. The decompressed files are saved under “C:\Users\{USER}\AppData\Local\” for later execution.

[Figure: URL extracted from the malicious file and used for downloading a copy of 7-zip]
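The Stage 1 chain described above (a mail client or Explorer launching a .js lure through the Windows script host, followed by a freshly downloaded 7z.exe extracting a password-protected archive into AppData\Local) leaves a recognisable trail in process-creation telemetry. The following detection script is an added example, not code from the original post or from the researchers: it parses a constructed, hypothetical log format and applies three rules to it. Hosts, user names, the sample password and the `payload.7z` name are invented; the two lure file names are the ones quoted on the page.

```python
import re

# Constructed sample process-creation events (not from the original post).
# Assumed format: <timestamp> host=<name> parent=<image> image=<image> cmdline="<command line>"
SAMPLE_EVENTS = [
    # Lure script launched straight from the mail client
    '2016-12-19T10:02:11 host=WS-0231 parent=outlook.exe image=wscript.exe '
    'cmdline="wscript.exe C:\\Users\\ana\\Downloads\\Vea_Aqui_Su_citacion_2017.js"',
    # Downloaded 7-zip extracting a password-protected archive into AppData\Local
    '2016-12-19T10:02:15 host=WS-0231 parent=wscript.exe image=7z.exe '
    'cmdline="C:\\Users\\ana\\AppData\\Local\\7z.exe x -pEXAMPLEPASS '
    '-oC:\\Users\\ana\\AppData\\Local\\ payload.7z"',
    # Same lure family, named to look like a PDF, double-clicked from Explorer
    '2016-12-19T10:40:03 host=WS-0310 parent=explorer.exe image=wscript.exe '
    'cmdline="wscript.exe C:\\Users\\luis\\Downloads\\DESCAGARGAR_deudaspendientesPDF000202016.js"',
    # Benign activity that must not fire
    '2016-12-19T10:05:40 host=WS-0077 parent=explorer.exe image=notepad.exe '
    'cmdline="notepad.exe C:\\Users\\luis\\Documents\\notes.txt"',
    '2016-12-19T11:14:02 host=WS-0102 parent=explorer.exe image=7z.exe '
    'cmdline="C:\\Program Files\\7-Zip\\7z.exe x C:\\Users\\luis\\Downloads\\archive.7z"',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>.*)"$'
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
JS_PATH_RE = re.compile(r'([^\s"]+\.js)\b', re.IGNORECASE)
# Folders a phishing download normally lands in
USER_WRITABLE_RE = re.compile(r'\\Users\\[^\\]+\\(Downloads|AppData\\Local)\\', re.IGNORECASE)
SEVENZIP_PW_RE = re.compile(r'(?:^|\s)-p\S+')                                # -p<password> switch
APPDATA_OUT_RE = re.compile(r'-o[^\s"]*\\AppData\\Local\\', re.IGNORECASE)  # -o<dir> under AppData\Local


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Return the names of the rules an event triggers (empty list for benign events)."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmd = event["cmdline"]
    hits = []
    if image in SCRIPT_HOSTS:
        js = JS_PATH_RE.search(cmd)
        if js:
            path = js.group(1)
            name = path.rsplit("\\", 1)[-1].lower()
            # Rule 1: script host started by a mail client on a .js in a download folder
            if parent in MAIL_CLIENTS and USER_WRITABLE_RE.search(path):
                hits.append("js-lure-from-mail-client")
            # Rule 2: a .js whose name tries to pass as a PDF document
            if "pdf" in name:
                hits.append("js-named-like-pdf")
    # Rule 3: 7-zip run with a password, extracting into AppData\Local
    if image == "7z.exe" and SEVENZIP_PW_RE.search(cmd) and APPDATA_OUT_RE.search(cmd):
        hits.append("7zip-password-extract-to-appdata")
    return hits


def detect(lines):
    """Run every rule over every parsable line; return (host, timestamp, rule) tuples."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        for rule in classify(event):
            findings.append((event["host"], event["ts"], rule))
    return findings


if __name__ == "__main__":
    for host, ts, rule in detect(SAMPLE_EVENTS):
        print(f"{ts} {host}: {rule}")
```

Rule 3 is the most robust of the three in practice: lure names and sender themes change from wave to wave, but a user-writable copy of 7z.exe extracting a password-protected archive into AppData\Local is rarely legitimate on a workstation.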

Stage 2

The content downloaded and executed during the first stage of the attack corresponded to a file compiled on Dec. 19, 2016, the same day the massive transmission of malicious emails spoofing the Colegio de Abogados de Chile began.

Among the main characteristics of the malicious executable, we found:

  • Automatic execution when Windows starts.
  • Registration of the infected machine on the C&C. The information sent contains the infected machine’s user, IP address, malware version, operating system, firewall (or lack thereof), additional plugins, antivirus software and time of registration.
  [Figure: network traffic during the registration of an infected machine on the C&C]
  • Continuous communication from the infected machine to port 8350 of a remote server. This server verifies the infected machine’s information and, if needed, updates the threat installed on the device.
  • Verification of any web browsers installed on the machine.
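The continuous check-in to port 8350 described in the list above is the kind of traffic that stands out in outbound-connection logs: the same workstation reaching the same external host at near-constant intervals. The script below is an added example, not from the original post, that groups constructed flow records by (source, destination, port) and flags a series either because the destination port is on a watch list or because its inter-connection timing is too regular for human browsing. The log format, IP addresses and timestamps are invented; only port 8350 comes from the page.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log lines (not from the original post).
# Assumed format: <timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
SAMPLE_FLOWS = [
    # Infected workstation checking in with the remote server on port 8350 every minute
    "2016-12-20T09:00:00 src=10.0.5.23 dst=203.0.113.10 dport=8350 proto=tcp",
    "2016-12-20T09:01:00 src=10.0.5.23 dst=203.0.113.10 dport=8350 proto=tcp",
    "2016-12-20T09:02:00 src=10.0.5.23 dst=203.0.113.10 dport=8350 proto=tcp",
    "2016-12-20T09:03:00 src=10.0.5.23 dst=203.0.113.10 dport=8350 proto=tcp",
    "2016-12-20T09:04:00 src=10.0.5.23 dst=203.0.113.10 dport=8350 proto=tcp",
    "2016-12-20T09:05:00 src=10.0.5.23 dst=203.0.113.10 dport=8350 proto=tcp",
    # Ordinary web browsing: several connections to one host, but irregular timing
    "2016-12-20T09:00:05 src=10.0.5.40 dst=198.51.100.5 dport=443 proto=tcp",
    "2016-12-20T09:00:10 src=10.0.5.40 dst=198.51.100.5 dport=443 proto=tcp",
    "2016-12-20T09:00:50 src=10.0.5.40 dst=198.51.100.5 dport=443 proto=tcp",
    "2016-12-20T09:05:50 src=10.0.5.40 dst=198.51.100.5 dport=443 proto=tcp",
    "2016-12-20T09:06:02 src=10.0.5.40 dst=198.51.100.5 dport=443 proto=tcp",
    # A single connection: too few samples to judge regularity
    "2016-12-20T09:07:00 src=10.0.5.23 dst=198.51.100.5 dport=443 proto=tcp",
]

FLOW_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$'
)


def parse_flow(line):
    """Parse one flow record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["ts"] = datetime.fromisoformat(flow["ts"])
    flow["dport"] = int(flow["dport"])
    return flow


def analyze(lines, watch_ports=frozenset({8350}), min_count=4, max_cv=0.2):
    """Group flows by (src, dst, dport) and flag watched ports and beacon-like timing.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between consecutive connections; a value at or below max_cv means the
    connections arrive on something close to a fixed schedule.
    """
    series = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow:
            series[(flow["src"], flow["dst"], flow["dport"])].append(flow["ts"])

    findings = {}
    for key, times in series.items():
        times.sort()
        reasons = []
        if key[2] in watch_ports:
            reasons.append("watched-port")
        cv = None
        if len(times) >= min_count:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            if avg > 0:
                cv = pstdev(gaps) / avg
                if cv <= max_cv:
                    reasons.append("regular-interval")
        if reasons:
            findings[key] = {"count": len(times), "cv": cv, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for (src, dst, dport), info in analyze(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{dport} count={info['count']} cv={info['cv']} {info['reasons']}")
```

The port watch list is useful only for as long as the sample keeps using 8350; the timing check is the durable signal, and `min_count` and `max_cv` should be tuned on a baseline of the network's own traffic before the rule is turned into an alert.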

When analyzing the contents of the executable file, we were able to extract graphic evidence that links the attack with affected financial entities in Chile.

Once the user accessed the transactional website, the attackers tricked the user by displaying a series of well-designed windows that delivered false information about a security update. During this fictional update, and depending on the institution, users were asked to provide sensitive information, including passwords, grid card values, token codes or verification SMS passwords sent to the user’s phone, among others.

Recommendations

Industry experts agree that companies need to use a multi-layered protection approach to minimize the impact of attacks. Here are some best practices:

  • Have access to a security operations center (SOC) that monitors and analyzes threats in social media, email and web channels. It should also analyze malware samples and automatically initiate take-downs of C&C URLs found in those samples.
  • Provide desktop protection for end users that blocks communication with malicious URLs.
  • Implement a robust email authentication protocol, such as DMARC, that blocks unauthorized emails before messages reach employees or clients.
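DMARC only blocks spoofed mail when the impersonated domain publishes a policy that receivers can enforce, and a record with `p=none` or a partial `pct=` gives the monitoring benefit without the blocking one. The checker below is an added example, not from the original post: it parses a DMARC TXT record and reports whether the policy would actually act on mail that fails authentication. The records it evaluates are constructed (`example.com` addresses); looking the record up in DNS (`_dmarc.<domain>` TXT) is left to the caller.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # empty trailing segment or malformed tag
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Report whether a DMARC record would block spoofed mail and why it might not."""
    tags = parse_dmarc(record)
    result = {"valid": False, "enforcing": False, "policy": None, "issues": []}

    # A DMARC record must begin with v=DMARC1; anything else (an SPF record, say) is not DMARC
    if not record.strip().lower().startswith("v=dmarc1"):
        result["issues"].append("record does not start with v=DMARC1")
        return result
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        result["issues"].append("missing or invalid p= tag")
        return result
    result["valid"] = True
    result["policy"] = policy

    # pct= defaults to 100; anything lower leaves a share of failing mail untouched
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else -1
    if policy == "none":
        result["issues"].append("p=none only monitors; mail that fails authentication is still delivered")
    elif not 0 <= pct <= 100:
        result["issues"].append(f"pct={pct_raw} is not a number between 0 and 100")
    elif pct < 100:
        result["issues"].append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    else:
        result["enforcing"] = True

    # sp= governs subdomains and defaults to the organisational policy
    subpolicy = tags.get("sp", policy).lower()
    if subpolicy == "none" and policy != "none":
        result["issues"].append("sp=none leaves subdomains unprotected")

    # Without rua= the domain owner never sees aggregate reports of spoofing attempts
    if "rua" not in tags:
        result["issues"].append("no rua= address: no aggregate reports will be received")
    return result


if __name__ == "__main__":
    # Constructed records for illustration
    for rec in (
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
        "v=DMARC1; p=quarantine; pct=20",
    ):
        print(rec, "->", assess_dmarc(rec))
```

Two points follow from the check: the impersonated organisation, not the bank receiving the complaint, has to publish the enforcing record, and a bank cannot protect its customers from a spoofed third-party sender by its own DMARC record alone; it can only make sure its own domains are at `p=reject` and that its mail gateways honour the policies other domains publish.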
