By Caíque Barqueta: Reboleto or KL Reboleto is a software program designed to intercept all emails received by an account.
After the interception, the cybercriminal is able to alter the data contained in an attached PDF, the main target being bank slips (boletos), which often leads the victim to pay a fake slip.
It is advertised and sold on clandestine forums and in chats such as Telegram.
The tool has been widely publicized for a few years; there are even videos posted on the web by cybercriminals promoting it, with the aim of attracting buyers to use it in online scams.
According to the ads, the criminals can register the e-mail accounts and passwords in their possession in order to intercept those accounts' e-mails. In the example below, 352 e-mails accessed by the criminal were tested for interception.
Later, in the 2020 version, criminals could intercept emails with specific subjects, such as "boleto attached; boleto; duplicatas" among others, as well as the location (folder) of the email.
After monitoring, e-mails containing any of these words would be identified, and the tool's users could then choose whether or not to read them.
The criminal could open the contents of the e-mail and have access to the data in the body of the e-mail and the attachment that was forwarded to the owner.
Next, the criminal could change the data related to the boleto using a PDF editor; after editing, the new file would be added to the intercepted e-mail and sent normally to the user. This is how Reboleto works.
Technical analysis of Reboleto v.1.2 and v.1.4
ISH Tecnologia's intelligence team gained access to the Reboleto tool used by criminals in versions 1.2 and 1.4, which have the following screens:
For analysis purposes, we will compare the functions used, strings that can be identified, their behavior and any other details that may be useful for the investigation.
Version 1.2 of Reboleto uses the name "MailFinder.exe" and was compiled on 09/10/2019 at 15:30:33, written in Delphi.
It was also found that this executable has a high overall entropy, probably due to the high entropy of its .reloc and .rsrc sections.
As for its appearance, it was possible to see that the developer of the malicious tool probably watches the cartoon "One Piece", since he used its .ico for the software.
Version 1.4 of Reboleto uses the name "MailFinder.exe" and was compiled on 30/01/2020 at 19:11:10, written in Delphi.
An entropy check of this artifact again showed a high overall entropy, confirming the high values in the .reloc and .rsrc sections.
In this version, the icon used for the software differs from the one in version 1.2. As for the functions used by the artifacts, versions 1.2 and 1.4 import the same functions.
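The entropy and compile-timestamp observations above can be reproduced with nothing but the Python standard library. The following is an added example written for this page, not a tool from ISH or from the report: it parses the PE section table by hand, computes Shannon entropy per section and decodes the COFF TimeDateStamp. The PE buffer it examines is constructed inside the script (it is not one of the Reboleto samples), and the 7.0 bits/byte threshold is an assumption; packed or encrypted data usually sits close to 8.0.

```python
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_HEADER (20 bytes) and IMAGE_SECTION_HEADER (40 bytes), little-endian
FILE_HEADER = struct.Struct("<HHIIIHH")
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
HIGH_ENTROPY = 7.0  # assumed threshold in bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_report(pe: bytes) -> dict:
    """Read the COFF timestamp and the per-section entropy of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh_off = e_lfanew + 4
    _machine, nsec, ts, _, _, opt_size, _ = FILE_HEADER.unpack_from(pe, fh_off)
    # the section table follows the (variable-length) optional header
    sec_off = fh_off + FILE_HEADER.size + opt_size
    sections = []
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = SECTION_HEADER.unpack_from(
            pe, sec_off + i * SECTION_HEADER.size)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "entropy": round(shannon_entropy(data), 3),
        })
    return {
        "timestamp": ts,
        "compiled_utc": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "sections": sections,
    }


def high_entropy_sections(report: dict, threshold: float = HIGH_ENTROPY) -> list:
    """Names of the sections whose entropy reaches the threshold."""
    return [s["name"] for s in report["sections"] if s["entropy"] >= threshold]


def build_sample_pe() -> bytes:
    """Constructed minimal PE-like buffer: a repetitive .text and a random-looking .rsrc."""
    text = b"\x90\x90\x8b\xff" * 128                      # 512 bytes, exactly 1.5 bits/byte
    rng = random.Random(1234)
    rsrc = bytes(rng.getrandbits(8) for _ in range(2048))  # stands in for packed resource data
    hdr = bytearray(b"MZ" + b"\0" * 62)                   # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 64)                 # e_lfanew: PE header right after it
    hdr += b"PE\0\0"
    # Machine=i386, 2 sections, TimeDateStamp=1600000000 (2020-09-13 12:26:40 UTC),
    # no symbols, SizeOfOptionalHeader=0 (real files carry ~224/240 bytes here)
    hdr += FILE_HEADER.pack(0x14C, 2, 1_600_000_000, 0, 0, 0, 0x0102)
    hdr += SECTION_HEADER.pack(b".text", len(text), 0x1000, len(text), 512, 0, 0, 0, 0, 0x60000020)
    hdr += SECTION_HEADER.pack(b".rsrc", len(rsrc), 0x2000, len(rsrc), 1024, 0, 0, 0, 0, 0x40000040)
    hdr += b"\0" * (512 - len(hdr))                       # pad headers to the first raw-data offset
    return bytes(hdr) + text + rsrc


if __name__ == "__main__":
    rep = pe_report(build_sample_pe())
    print("compiled:", rep["compiled_utc"])
    for s in rep["sections"]:
        print(f'{s["name"]:8} {s["size"]:6d} bytes  entropy={s["entropy"]}')
    print("high-entropy sections:", high_entropy_sections(rep))
```

Run it against a real sample by replacing `build_sample_pe()` with the file's bytes; a section table whose .rsrc or .reloc comes out near 8 bits/byte is the signal the report describes, and the decoded timestamp is the same COFF field the compile dates above come from (it can be forged, so treat it as a hint rather than proof).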
Since reverse engineering the software's functions and other details is outside the scope of this analysis, we executed the artifacts and tested the available functions and their operation.
In terms of how it works, the functionality is the same as previously presented: the main purpose of the tool is for the criminal to supply the login credentials for the e-mail accounts (username and password), together with the e-mail host and port used.
The cybercriminal only needs to record the username, password, host, port and TLS setting (if any), save them in a .txt file and import it into the tool.
In the example below, test e-mails were imported and it was verified that, among them, there is a valid e-mail account that can be intercepted.
After logging in, you can see that monitoring will begin in order to identify emails from the validated account.
To test the tool, a test e-mail was sent with a PDF file attached, containing terms in the subject line such as "Boleto Payment; Forwarding Boleto" to check whether the tool used by the criminals is effective.
The boleto that was initially sent to the same e-mail address used in the test is not in the web version's inbox.
In the tool, once the e-mail has arrived, an alert is issued showing the e-mail's status and its location (folder).
The cybercriminal will be able to open the email in order to identify the body of the email and details such as the attached PDF document.
The criminal can then edit the PDF document; for this, the tool launches Foxit PDF Editor. Below is the first version of the PDF document that was sent.
Then, after saving the file, it will be automatically attached to the intercepted e-mail, and you can then use the "Upload Message" or "Schedule" function to send it to the correct recipient.
Minutes after the message has been sent, the recipient's inbox receives the e-mail as normal, but with a different date and time and with the content of the PDF completely altered by the criminal.
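The test above leaves two traces on the recipient's side: the attachment no longer matches what the sender produced, and the message reaches the inbox long after the sender's Date header says it was written. The following added example (written for this page; it is not ISH's code and not part of the report) checks both with Python's standard `email` library, comparing the recipient's copy against the sender's Sent-folder copy, which is exactly the comparison the commenter below made against their backups. The two messages, their Received headers and the "PDF" bytes are constructed fixtures, and the 15-minute transit limit is an assumption.

```python
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

MAX_TRANSIT_SECONDS = 900  # assumed: longer than 15 min in transit deserves a look


def build_message(pdf_bytes: bytes, date_hdr: str, received=()) -> bytes:
    """Constructed fixture: an RFC 5322 message carrying one PDF attachment.
    `received` lists Received headers top-first (most recent hop first), as MTAs prepend them."""
    msg = EmailMessage()
    for hop in received:
        msg["Received"] = hop
    msg["From"] = "cobranca@fornecedor.example"
    msg["To"] = "financeiro@cliente.example"
    msg["Subject"] = "Boleto em anexo"
    msg["Date"] = date_hdr
    msg.set_content("Segue o boleto referente ao pedido 1234.")
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf", filename="boleto.pdf")
    return msg.as_bytes()


def pdf_digests(raw: bytes) -> dict:
    """SHA-256 of every application/pdf attachment, keyed by filename."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {
        part.get_filename(): hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        for part in msg.iter_attachments()
        if part.get_content_type() == "application/pdf"
    }


def transit_delay_seconds(raw: bytes):
    """Seconds between the sender's Date header and the final Received hop (None if no Received)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    # the timestamp of a Received header follows its last ';'
    last_hop = parsedate_to_datetime(str(hops[0]).rsplit(";", 1)[1].strip())
    sent = parsedate_to_datetime(str(msg["Date"]))
    return int((last_hop - sent).total_seconds())


def compare_copies(sent_raw: bytes, received_raw: bytes, max_delay=MAX_TRANSIT_SECONDS) -> list:
    """Findings when the recipient's copy is checked against the sender's Sent-folder copy."""
    findings = []
    sent_pdfs, recv_pdfs = pdf_digests(sent_raw), pdf_digests(received_raw)
    for name, digest in sent_pdfs.items():
        if recv_pdfs.get(name) != digest:
            findings.append(f"attachment {name} differs from the sender's copy")
    delay = transit_delay_seconds(received_raw)
    if delay is not None and delay > max_delay:
        findings.append(f"delivered {delay}s after the Date header: held and re-sent?")
    return findings


# Constructed sample data (not real boletos): the bank and beneficiary lines are the
# kind of content an attacker edits before re-sending.
ORIGINAL_PDF = b"%PDF-1.4\n% boleto 1234\nBanco 001 Ag 1234 CC 56789-0 Beneficiario: Fornecedor LTDA\n%%EOF\n"
ALTERED_PDF = b"%PDF-1.4\n% boleto 1234\nBanco 999 Ag 4321 CC 00000-1 Beneficiario: Outro Nome LTDA\n%%EOF\n"
SENT_DATE = "Tue, 10 Sep 2019 12:00:00 -0300"

SENT_COPY = build_message(ORIGINAL_PDF, SENT_DATE)
RECEIVED_COPY = build_message(ALTERED_PDF, SENT_DATE, received=[
    "from smtp.fornecedor.example by mx.cliente.example; Tue, 10 Sep 2019 14:07:10 -0300",
    "from [198.51.100.7] by smtp.fornecedor.example; Tue, 10 Sep 2019 14:06:55 -0300",
])

if __name__ == "__main__":
    for finding in compare_copies(SENT_COPY, RECEIVED_COPY):
        print("finding:", finding)
```

The digest comparison is the decisive check; the transit delay is only a hint, since a legitimate mail server can also queue a message, but a boleto that arrives hours after it was written and with a different attachment hash is the pattern the report describes.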
Conclusion
From this we can conclude that, once the criminal has the login and password of an e-mail account, he validates the e-mail host and the port used; in the cases observed, ports 993, 110 and 143 were used.
Remember that port 993 is the default port for IMAP over SSL/TLS; IMAP allows users to access and manage their e-mails on a remote server.
Port 110 is used by POP3 without encryption, which allows users to download and store e-mails on a local device.
Port 143 is used for IMAP without encryption, giving access to e-mails on the remote server without any encryption.
Finally, if you have been the victim of an electronic scam involving a boleto bancário, check the login history of your e-mail accounts to make sure the account has not been accessed from another location, since the tool itself logs in to the account, as shown in the login log example provided by Microsoft Outlook.
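The same check can be done on the server side, where every IMAP or POP3 login by the tool leaves a line in the mail server's log. The following added example is written for this page and is not part of the report or of any ISH tooling; it assumes Dovecot-style `imap-login`/`pop3-login` lines (the sample lines are constructed), treats an account's first few logins as its baseline, and then flags logins from a source address or protocol not seen before for that account, plus any login without TLS (the unencrypted use of ports 110 and 143 mentioned above). The baseline size of three logins is an assumption.

```python
import re
from collections import defaultdict

# Constructed Dovecot-style login lines (not from the report). The first three days show the
# account owner's usual client; the sessions on Sep 03/04 come from an unfamiliar address,
# one of them over cleartext POP3.
SAMPLE_LOG = """\
Sep 01 08:02:11 mail dovecot: imap-login: Login: user=<financeiro@cliente.example>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, mpid=4101, TLS, session=<a1>
Sep 02 08:05:43 mail dovecot: imap-login: Login: user=<financeiro@cliente.example>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, mpid=4177, TLS, session=<a2>
Sep 03 08:01:02 mail dovecot: imap-login: Login: user=<financeiro@cliente.example>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, mpid=4210, TLS, session=<a3>
Sep 03 23:41:57 mail dovecot: imap-login: Login: user=<financeiro@cliente.example>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.5, mpid=4388, TLS, session=<b1>
Sep 04 00:02:19 mail dovecot: pop3-login: Login: user=<financeiro@cliente.example>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.5, mpid=4390, session=<b2>
Sep 04 08:00:51 mail dovecot: imap-login: Login: user=<financeiro@cliente.example>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, mpid=4402, TLS, session=<a4>
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ dovecot: (?P<proto>imap|pop3)-login: Login: "
    r"user=<(?P<user>[^>]+)>, .*\brip=(?P<rip>[^,]+),.*session=<(?P<session>[^>]+)>$"
)

BASELINE_LOGINS = 3  # assumed: the first N logins per account define its normal pattern


def parse_logins(text: str) -> list:
    """Turn login lines into dicts with ts, proto, user, rip (remote IP), session and tls."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["tls"] = ", TLS," in line  # Dovecot marks TLS sessions with this token
            events.append(ev)
    return events


def flag_logins(events: list, baseline: int = BASELINE_LOGINS) -> list:
    """Return (session, [reasons]) for logins that deviate from each account's baseline."""
    seen = defaultdict(set)    # user -> {(remote ip, protocol)} already observed
    count = defaultdict(int)   # user -> logins processed so far
    alerts = []
    for ev in events:
        user, key = ev["user"], (ev["rip"], ev["proto"])
        reasons = []
        if count[user] >= baseline and key not in seen[user]:
            reasons.append(f"first {ev['proto']} login from {ev['rip']}")
        if not ev["tls"]:
            reasons.append("cleartext login (no TLS)")
        if reasons:
            alerts.append((ev["session"], reasons))
        seen[user].add(key)
        count[user] += 1
    return alerts


if __name__ == "__main__":
    for session, reasons in flag_logins(parse_logins(SAMPLE_LOG)):
        print(session, "->", "; ".join(reasons))
```

A new remote address polling the mailbox over IMAP or POP3 shortly before boletos start arriving altered is the server-side counterpart of the "access from another location" entry the Outlook log shows; pairing the alert with the account's 2FA status and a password reset is the usual response.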
Follow Reboleto's attack chain below:
ISH recommendations:
In addition to the indicators of compromise listed below by ISH, the following mitigation measures may be adopted for e-mail accounts.
- Use strong and different passwords for each email account. Don't use passwords that are easy to guess, such as birthdays or common names.
- Activate two-step authentication (2FA) to add an extra layer of security to your email accounts. Two-step authentication requires you to provide an additional security code on top of your password to access your account.
- Avoid clicking on links or opening attachments from suspicious emails. This could be a phishing attempt to steal your login information or infect your computer with malware.
- Keep your antivirus and antimalware software up to date and regularly scan your computer for viruses and malware.
- Don't share your passwords or login information with other people.
- Do not use public e-mail accounts (such as free e-mail accounts provided by unknown e-mail service providers) to send confidential or private information.
- Back up your important emails regularly, as this will help prevent data loss in the event of a system failure or security problem.
- Check your e-mail privacy and security settings regularly to ensure that they are configured correctly and in accordance with your preferences.
Indicators of Compromise
ISH Tecnologia handles a number of Indicators of Compromise collected through open and closed sources, as well as analysis carried out by the Heimdall security team. In view of this, below we list all the Indicators of Compromise (IOCs) related to the analysis of the artifact(s) in this report.
Indicators of compromise of the malicious artifact analyzed (first artifact):

| Hash | Value |
| --- | --- |
| md5 | 9bfecb5c5d267e5e9a16e4f60b0e17b4 |
| sha1 | 438ad5e55336d4a6b810608e5d28bd513e97d7c1 |
| sha256 | c2fc49a8b31c24723c9f49201bfe78bb1bfe87a28bfedbfac9b854c7e0d232b3 |

Indicators of compromise of the malicious artifact analyzed (second artifact):

| Hash | Value |
| --- | --- |
| md5 | 056bec8d5a54b681aa77ab12b27fabb0 |
| sha1 | 1516055e5a552fae12ffce19f60fd8205ce5abf6 |
| sha256 | 6edc1dfc162d45bc67b2fffd4f1c472a7d56dfc9daae27870cc9de94c2129848 |
Man, I just read a really cool article about the fake boleto scam! The ISH guys did a great job of explaining how criminals use this tool to carry out bank fraud. And the best thing is that they also gave tips on how to protect yourself. I found the content very well presented and easy to understand. It's worth a read!
I received confirmation of payment of a monthly fee from a client, but the bank and the recipient are different from my company. I checked the backups and my original files still have the correct information. I asked the client to forward the message, and in that one the boleto had a change in the barcode and digit line.
Everything except that remains intact.
I checked with the other customers who had an invoice issued on the same date and the payment cleared correctly, so I'm guessing it was something the customer was doing.
I will warn you about this and include comments on this page.
Thanks for sharing.