By Alexandre Siviero (updated April 29) - This is an analysis of a Brazilian banking malware first seen in 2017 and known as Ousaban or Javali. An ongoing campaign spreads it through phishing e-mails that pose as electronic invoices. Once established on the victim's machine, the malware lies dormant until the user opens a payment service in the browser, such as Mercado Pago; at that point it connects to a control server and begins stealing credentials and payment data.
Phishing with electronic invoices
Over the last month we have observed an ongoing campaign of e-mails whose sender poses as a generic city hall sending out electronic invoices. The phishing leads the user to an MSI installer that carries a malicious routine to infect the machine with the Brazilian banking malware Ousaban/Javali.
In this report we show how the MSI file was analyzed to identify and deobfuscate the malicious code that downloads and executes the malware.
The campaign starts with a phishing e-mail whose sender name is "Prefeitura Municipal" (City Hall). Its subject line follows the pattern "✅ Emissao de NF-e Pedido: (82234018574) Nota Fiscal Eletronica - 12/04/2022" (issuance of electronic invoice for order number and date), where the order number and date vary. An example of the message content is shown in the image below.
The target's name has been redacted; the CPF field was left as is, because all the messages refer to the Cadastro de Pessoa Física (CPF) without ever citing an actual document number. The hyperlinks suggest that the invoice is available in two formats. In reality both lead to the same page, shown below.
This address starts the download of a compressed file (.zip) containing a Windows installer (.msi) of the same name. For the message shown above, the two files are named hyh6728i0zbnnp rspehu.msi.zip and hyh6728i0zbnnp rspehu.msi.
Nothing in this content executes automatically: the campaign depends on the target voluntarily running the installer.
Analyzing MSI malware
So far our bulletins have dealt with malicious scripts or executables. A Windows installer file works a little differently. You can browse its contents in an unstructured way with any tool that handles compressed files; the image below shows the malicious .msi opened in 7-Zip.
The problem at this point is the lack of context for the contents of the installer. We could continue based only on the size and extension of the files it contains, but it is more useful to use software built to analyze Windows installers. For this we used a program distributed by Microsoft itself, Orca.
Orca splits an installer into several tables, which in turn contain actions and conditions. In the image above we inspect the InstallExecuteSequence table, which, as its name suggests, tells Windows which actions to take, and in what order, during installation. Highlighted in yellow and blue is an action with a suspicious name, sdfsdfdsfsd. To understand what it does we move on to another table: CustomAction.
Again we highlight the sdfsdfdsfsd action. This time the Target column holds a variable declaration. Copying the whole of its contents into an editor (Notepad++) confirms that it is an obfuscated VBScript.
Deobfuscating the script
The first action of the script contained in sdfsdfdsfsd is the declaration of a variable, _$_89794564972389472398625984758798273489234987239847973423, which is referenced several times throughout the code. The image below highlights it in green to show how often it recurs:
This variable holds 50 hexadecimal strings, which the rest of the code references by their position in the list. It is an extremely simple obfuscation: it can be undone by replacing each positional reference with the corresponding string, converted from hexadecimal to ASCII. Applying this to the image above yields relatively simple code:
Right away we find a new IOC, the address april140420022xx.s3.sa-east-1.amazonaws[.]com/gmtax2020. It hosts a password-protected compressed file, which is given a random name during script execution. A later routine is responsible for extracting it:
There are a few points of interest in the image above. Let's start with a new URL, april140420022xx.s3.sa-east-1.amazonaws[.]com/polarRIT. It is passed to the downyJr function (all these names are original to the script; perhaps its author likes Iron Man), which downloads the contents of the page. The second argument passed to this function is a randomly generated string with the .exe extension appended, from which we conclude that the content at this address is an executable.
The oShell.run line reveals which executable this is, by way of the x, -o and -p flags: this is the 7-Zip command line, where x extracts with full paths, -o sets the output directory and -p supplies the password for a protected archive. The variable that carries this password is highlighted in green: 123456ze.
The script completes its routine by extracting the password-protected file, renaming one of its components (Isname.name) to a randomly generated executable name and launching it. Finally, it sends a GET request to an Azure URL, secffnb.westcentralus.cloudapp.azure[.]com/gmix/samper[.]php, possibly to report a successful infection.
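The positional-reference scheme described above (a table of hexadecimal strings, each call site pointing at an index) is simple enough to undo mechanically. The following is an added example written for this article, not code from the campaign or from the original analysis: it runs on a constructed script fragment in the same style, so the variable name _$_8979, the Array(...) declaration and the call syntax are assumptions, and the decoded strings are illustrative rather than taken from the real sample.

```python
import re
from typing import List, Tuple

# Constructed sample written in the style described above (a table of
# hexadecimal strings referenced by index). It is NOT the real Ousaban
# dropper: the variable name, the Array(...) declaration and the call
# syntax are assumptions made for this example.
SAMPLE_SCRIPT = r'''Dim _$_8979
_$_8979 = Array("4d53584d4c322e584d4c48545450", "474554", _
    "687474703a2f2f6578616d706c652e696e76616c69642f676d74617832303230", _
    "575363726970742e5368656c6c", "3132333435367a65")
Set oHttp = CreateObject(_$_8979(0))
oHttp.Open _$_8979(1), _$_8979(2), False
oHttp.Send
Set oShell = CreateObject(_$_8979(3))
strPwd = _$_8979(4)
'''

# name = Array("hex", "hex", ...), possibly spread over continuation lines
TABLE_DECL = re.compile(r'(?P<name>[\w$]+)\s*=\s*Array\s*\((?P<body>[^)]*)\)')
HEX_LITERAL = re.compile(r'"([0-9A-Fa-f]*)"')
URL = re.compile(r'https?://[^\s"\']+')


def decode_hex(h: str) -> str:
    """Hex -> text; odd-length or empty literals are left untouched."""
    if not h or len(h) % 2:
        return h
    return bytes.fromhex(h).decode("latin-1")


def extract_table(script: str) -> Tuple[str, List[str]]:
    """Return (variable name, decoded strings) of the first hex table."""
    m = TABLE_DECL.search(script)
    if not m:
        raise ValueError("no Array(...) hex table found")
    return m.group("name"), [decode_hex(h) for h in HEX_LITERAL.findall(m.group("body"))]


def vbs_literal(s: str) -> str:
    """Quote a string the VBScript way (embedded quotes are doubled)."""
    return '"' + s.replace('"', '""') + '"'


def deobfuscate(script: str) -> str:
    """Replace every NAME(i) / NAME[i] reference with the decoded string
    and drop the table declaration, leaving readable code behind."""
    name, table = extract_table(script)
    ref = re.compile(re.escape(name) + r"\s*[\(\[]\s*(\d+)\s*[\)\]]")

    def substitute(m: "re.Match[str]") -> str:
        i = int(m.group(1))
        # an out-of-range index is left as is rather than silently dropped
        return vbs_literal(table[i]) if i < len(table) else m.group(0)

    out = ref.sub(substitute, script)
    out = TABLE_DECL.sub("", out, count=1)
    keep = [ln for ln in out.splitlines()
            if not re.match(r"\s*Dim\s+" + re.escape(name) + r"\s*$", ln)]
    return "\n".join(keep).strip() + "\n"


def extract_urls(text: str) -> List[str]:
    """Pull network IOCs out of the deobfuscated script."""
    return URL.findall(text)


if __name__ == "__main__":
    clean = deobfuscate(SAMPLE_SCRIPT)
    print(clean)
    print("URLs:", extract_urls(clean))
```

Run it on the Target column text exported from Orca instead of SAMPLE_SCRIPT; because the substitution is purely textual, the same routine works whether the table is referenced with parentheses or with brackets, and any reference whose index falls outside the table is left intact so that a partially recovered table does not hide code.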
Ousaban/Javali
When we extracted the password-protected file by hand, we came across a technique intended to evade analysis by antivirus engines and to prevent submission to cloud sandboxes, many of which enforce an upper limit on file size: artificially inflating a file to an exaggerated size. EDSDK.dll is around 785 MB. Most of it is filled with zeros; once that empty space is removed it shrinks to just 1.2 MB.
The Ousaban family (also called Boar by Kaspersky) has a history of protecting its malicious DLLs with absurd file sizes and loading them through DLL hijacking of legitimate, signed software. In July 2020, Kaspersky observed this behavior with what appeared to be Nvidia Display software. In this 2022 version the group uses a program called Photo On Web:
Once the legitimate executable has loaded the malicious DLL, the compromised process starts communicating with the malware's command-and-control server (20.226.67.9). It is interesting to note that this communication takes place in Portuguese, as the network logs we collected show (the gap after every character in the captures below is how the null bytes of a two-byte-per-character encoding, which appears to be UTF-16LE, render in a dump):
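A quick way to confirm that a suspiciously large binary is padded rather than genuinely big, and to produce a copy small enough for static triage and sandbox upload, is to locate the long runs of NUL bytes and measure how much of the file they account for. The code below is an added example for this article, not a tool from the original analysis; it uses a constructed stand-in blob instead of EDSDK.dll, and the one-megabyte default threshold is a choice, not a property of the malware.

```python
import hashlib
import mmap
from typing import Dict, List, Tuple


def zero_runs(data, min_run: int = 1 << 20) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of NUL bytes at least min_run
    long. Works on bytes or an mmap, so a 785 MB file need not be copied
    into memory."""
    runs = []
    needle = b"\x00" * min_run
    n = len(data)
    pos = 0
    while True:
        start = data.find(needle, pos)
        if start < 0:
            break
        # Extend the run chunk by chunk until the first non-NUL byte.
        end = start + min_run
        while end < n:
            chunk = data[end:end + (1 << 16)]
            zeros = len(chunk) - len(chunk.lstrip(b"\x00"))
            end += zeros
            if zeros < len(chunk):
                break
        runs.append((start, end - start))
        pos = end
    return runs


def strip_zero_runs(data, min_run: int = 1 << 20) -> bytes:
    """Drop the padding runs. The result is for hashing, string extraction
    and sandbox upload only: PE section offsets no longer line up, so the
    stripped copy will not load."""
    out = bytearray()
    last = 0
    for off, length in zero_runs(data, min_run):
        out += data[last:off]
        last = off + length
    out += data[last:]
    return bytes(out)


def inflation_report(data, min_run: int = 1 << 20) -> Dict[str, object]:
    runs = zero_runs(data, min_run)
    padding = sum(length for _, length in runs)
    stripped = strip_zero_runs(data, min_run)
    return {
        "size": len(data),
        "padding_bytes": padding,
        "padding_ratio": padding / len(data) if len(data) else 0.0,
        "runs": runs,
        "sha256": hashlib.sha256(data).hexdigest(),  # hash of the file as delivered (the IOC)
        "stripped_size": len(stripped),
        "stripped_sha256": hashlib.sha256(stripped).hexdigest(),
    }


def is_inflated(data, min_run: int = 1 << 20, threshold: float = 0.9) -> bool:
    """Heuristic: a binary that is mostly one or more huge NUL runs."""
    return inflation_report(data, min_run)["padding_ratio"] >= threshold


def report_file(path: str, min_run: int = 1 << 20) -> Dict[str, object]:
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return inflation_report(mm, min_run)


# Constructed stand-in for an inflated DLL: a small "real" part followed by
# 200 KB of NULs (the real EDSDK.dll carries hundreds of megabytes of them).
SAMPLE_DLL = b"MZ" + bytes(range(256)) * 8 + b"\x00" * 200_000 + b"end-of-file"

if __name__ == "__main__":
    print(inflation_report(SAMPLE_DLL, min_run=4096))
```

Keep the hash of the original file for IOC matching; the stripped copy has a different hash and is only a convenience for tools with size limits. Padding inside a PE usually sits in a single section, so a non-trivial ratio from one run is itself a signal worth alerting on.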
Sent to C2:
# C o n v i t R C # < # > W i n d o w s 7 P r o f e s s i o n a l < # > U S E R - P C < # > N a o < # > A m s t e r d a m N o r t h H o l l a n d
Received:
# S o c k e t M a i n # < # > 2 9 4 9 8 1 0 # U p l o a d F i l e # # O N - L I N E #
Sent:
# s t r P i n g O k # # R E C E B E N D O # < # > U S E R - P C
The exchange above shows the server ordering a file to be uploaded to the compromised machine (UploadFile). If this action does not complete, a warning is sent to the C2:
# s t r P i n g O k # # P L U G I N # < # > N a o # C O M P L E T O U # < # > U S E R - P C
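The messages above share one framing: commands are wrapped in # characters and arguments are separated by <#>. The parser and detection check below are an added example written for this article, not code from the original analysis. The samples are the messages transcribed on this page, re-encoded as UTF-16LE; that encoding is an assumption drawn from the null byte after every character in the captures, and the meaning of the "Nao" field in the check-in is not documented on the page.

```python
import re
from typing import Dict, List, Optional

# Command tokens seen in the captures on this page (framed as #token#).
KNOWN_COMMANDS = {
    "PRINCIPAL", "Convite", "ConvitRC", "SocketMain", "UploadFile",
    "strPingOk", "strCmd", "PLUGIN", "RECEBENDO", "ON-LINE", "COMPLETOU",
}
CMD = re.compile(r"#([^#<>]+)#")
FIELD_SEP = "<#>"


def decode_wire(raw: bytes) -> str:
    """The captures show a gap after every character, which is how the NUL
    high bytes of UTF-16LE ASCII render in a dump. Assumption: the socket
    protocol is UTF-16LE; anything else is treated as Latin-1."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def parse_message(text: str) -> Dict[str, List[str]]:
    """Split a message into its #command# tokens and the <#>-separated
    arguments that sit between them."""
    commands = CMD.findall(text)
    args = [CMD.sub("", field).strip() for field in text.split(FIELD_SEP)]
    return {"commands": commands, "args": [a for a in args if a]}


def parse_checkin(msg: Dict[str, List[str]]) -> Optional[Dict[str, str]]:
    """The first thing the bot sends: #ConvitRC# followed by OS, hostname,
    a 'Nao' field (meaning not documented on the page) and geolocation."""
    if msg["commands"][:1] != ["ConvitRC"] or len(msg["args"]) < 4:
        return None
    os_name, host, flag, location = msg["args"][:4]
    return {"os": os_name, "hostname": host, "flag": flag, "location": location}


def looks_like_ousaban(raw: bytes) -> bool:
    """Detection: any known command in #...# framing, in either encoding."""
    commands = set(parse_message(decode_wire(raw))["commands"])
    return bool(commands & KNOWN_COMMANDS)


# Constructed samples: the messages transcribed on the page, re-encoded as
# UTF-16LE for the raw socket (encoding is an assumption) and as plain
# bytes for the string the page reports over HTTPS.
SAMPLES = {
    "checkin": "#ConvitRC#<#>Windows 7 Professional<#>USER-PC<#>Nao<#>Amsterdam North Holland".encode("utf-16-le"),
    "task": "#SocketMain#<#>2949810#UploadFile##ON-LINE#".encode("utf-16-le"),
    "ack": "#strPingOk##RECEBENDO#<#>USER-PC".encode("utf-16-le"),
    "fail": "#strPingOk##PLUGIN#<#>Nao#COMPLETOU#<#>USER-PC".encode("utf-16-le"),
    "https": b"Sem antivirus#strPingOk##Convite##ConvitRC#<#>#UploadFile##SocketMain##RECEBENDO#<#>#ON-LINE#",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        msg = parse_message(decode_wire(raw))
        print(label, msg, parse_checkin(msg))
```

The same tokens make a cheap network signature: a content match on the UTF-16LE form of #ConvitRC# or #SocketMain# on the raw TCP session catches the check-in before any file is pushed, while the Latin-1 path covers the concatenated status string the page reports over HTTPS once that traffic is decrypted at a proxy.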
In addition to communicating with its operators, the hijacked application also establishes persistence through the Windows registry by adding an entry under HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN whose data is "[RANDOM STRING].exe" -no-startup-window -win-session-start /prefetch:5.
The UploadFile command downloads a new legitimate, signed executable that will in turn be the target of DLL hijacking. We observed this with Picasa.exe (Google) and Graphic Workshop Professional (Alchemy Mindworks). As with Photo On Web, the executables are given random names and the malicious DLLs are inflated to around 780 MB.
This new application is executed and remains "dormant", performing no action. As soon as the user of the infected machine opens their browser and visits a website targeted by the malware, the process establishes a new connection to the control server and starts communicating over HTTPS. When this connection is established, more data about the infected machine is sent to the operators, for example the string below:
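Because the executable name is random, the stable part of this persistence entry is the argument string. The hunt below is an added example for this article, not a tool from the original analysis: it flags Run values whose data ends in the arguments reported above, enumerating the live key on Windows and otherwise working on an exported set of values. The sample values, including the random name qzplrtnv and the paths, are constructed; only the argument string comes from the page.

```python
import re
from typing import Dict, List

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Value data reported on the page:
#   "[RANDOM STRING].exe" -no-startup-window -win-session-start /prefetch:5
OUSABAN_RUN = re.compile(
    r'^"?(?P<exe>[^"]+?\.exe)"?\s+'
    r'-no-startup-window\s+-win-session-start\s+/prefetch:5\s*$', re.I)


def suspicious_run_values(values: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag Run values whose data matches the Ousaban launch line."""
    hits = []
    for name, data in values.items():
        m = OUSABAN_RUN.match(data.strip())
        if m:
            hits.append({"value": name, "exe": m.group("exe"), "data": data})
    return hits


def read_run_values(hive: str = "HKCU") -> Dict[str, str]:
    """Enumerate the Run key on Windows; return {} on other platforms so
    the module still imports for offline triage of exported values."""
    try:
        import winreg
    except ImportError:
        return {}
    root = winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    values: Dict[str, str] = {}
    try:
        with winreg.OpenKey(root, RUN_KEY) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:  # no more values
                    break
                values[name] = str(data)
                i += 1
    except OSError:
        pass
    return values


# Constructed sample of Run values (not taken from an infected machine).
# The value name and the paths are assumptions; the argument string is the
# one reported on the page.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "qzplrtnv": r'"C:\Users\user\AppData\Roaming\qzplrtnv\qzplrtnv.exe" -no-startup-window -win-session-start /prefetch:5',
    "Steam": r'"C:\Program Files (x86)\Steam\steam.exe" -silent',
}

if __name__ == "__main__":
    live = read_run_values()
    for hit in suspicious_run_values(live or SAMPLE_RUN_VALUES):
        print("suspicious Run value:", hit)
```

On a hit, the executable path is the renamed legitimate host (Photo On Web, Picasa or Graphic Workshop Professional in the cases above); the DLL sitting next to it, and its size, is what to collect.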
Sem antivirus#strPingOk##Convite##ConvitRC#<#>#UploadFile##SocketMain##RECEBENDO#<#>#ON-LINE#
We also identified that the malware retrieves its initial settings from an address that alludes to a law firm, adsadvogados[.]com/juridico/. All the configuration files in this directory (which is open to the Internet) are dated April 13, 2022. An example of configuration file content:
start{
"host":"B0A091EA79EC7AEF4AE64DB5",
"port":"0000"
} end
We have not yet found every address that "wakes up" the malware during browsing, but we have confirmed that visiting the Mercado Pago website is one way to trigger connections to the control server. Kaspersky observed this association in 2020 (in the report cited at the beginning of this section), and our analysis shows that it persists in these 2022 samples.
We also observed behavior that seems to occur when the control server address is unavailable: Photo On Web is closed and reopened in a loop without ever establishing a connection to the destination controlled by the Ousaban operators. This repeated a few times during our investigation.
Interestingly, when the connection to the C2 failed, no registry entry was created for persistence. It is possible that this unavailability compromised the infection of the target machine.
Income tax refunds are also a lure
Another scam detected with Ousaban uses income tax as bait to lure unsuspecting victims. This case deserves extra attention, since we are in the income tax filing season (the deadline for submitting the declaration is May 31, 2022), so an attack can hide more easily among legitimate communications. An example of this variant shows that the mechanics are very similar: an e-mail that looks official but turns out to be suspicious on closer inspection, and a link that redirects to a fake website, as the images show:
Prevention
Since this is a scam that requires the victim to click the link, there is no single fix, but rather a set of good practices. The key is to pay attention to the signs: addresses that sound suspicious or random, or invoices for purchases you don't remember making.
If the e-mail says the download is a PDF, for example, and what actually lands in the Downloads folder is not one, it is an attack (as in the two cases above, where what arrives is a .zip archive containing an installer, and no invoice).
When in doubt, it is always best to check with an official source. It takes more effort, but it is worth it to avoid what can be a tremendous headache.
IOCs (electronic invoices)
URLs
hxxp://ip-72-167-45-95.ip.secureserver[.]net/.idfiscal/?hash=
hxxps://pdf-nfe82234018756.northcentralus.cloudapp.azure[.]com/idcupom/?hash=
april140420022xx.s3.sa-east-1.amazonaws[.]com/gmtax2020
april140420022xx.s3.sa-east-1.amazonaws[.]com/polarRIT
secffnb.westcentralus.cloudapp.azure[.]com/gmix/samper[.]php
ip-api.com
adsadvogados[.]com
adsadvogados[.]com/juridico/
adsadvogados[.]com/juridico/geo1.txt
adsadvogados[.]com/juridico/geo.txt
adsadvogados[.]com/juridico/reuniao.txt
adsadvogados[.]com/juridico/sh.txt
adsadvogados[.]com/juridico/sh1.txt
IP addresses
20.226.67.9 (C2)
20.231.51.105
E-mail phishing
root@marf5.notasonlinevmbc[.]org
40.114.206.69
Artifacts
Compressed installer (hyh6728i0zbnnp rspehu.msi.zip):
B6BFFF299048888CECF4985E3546C7DA70EB0C33BE24456FEAC7D4BE58B1DEB2
Post-extraction installer (hyh6728i0zbnnp rspehu.msi):
9091A791B900C6B7398B38B4641EDFF93036F83A36E1244594D5ECFD664B9931
Password compressed files:
0B36DE4D494A750AA46E2C2EE60B515B30E5A86BEB9DE8142DAD54AA79361EFF
86A92468CCF83EC66FCCB5C7DDD8CC7C7CED1BA9F79DDD3515175085484E3838
Photo On Web version:
4ED66AD6E2CA374221ED660177521DC2C4DB9492A048C52410931B86A66CC837
Inflated DLL (EDSDK.dll)
0082CB5F94FA2E9E0010439A06CC022481B92DBD569DED0DDC73DBF7E8EE3507
Picasa version:
ABBF57F0882021EBCC31AA2B1C9303CA083B609E44CC8F50D387BD68F7B50634
Graphic Workshop Professional version:
A2E2DC14BE9EA407BEAFE99762F2C0193EB554135C0D8AA5249DE47403754483
Messages exchanged between malware and C2:
# P R I N C I P A L #
# C o n v i t e # # S o c k e t M a i n # < # > [NUMBER]
# C o n v i t R C # < # > [OPERATING SYSTEM] < # > [MACHINE NAME] < # > N a o < # > [CITY AND COUNTRY]
# S o c k e t M a i n # < # > [NUMBER] # U p l o a d F i l e # # O N - L I N E #
# s t r P i n g O k # # R E C E B E N D O # < # > U S E R - P C
# s t r P i n g O k # # P L U G I N # < # > N a o # C O M P L E T O U # < # > U S E R - P C
Sem antivirus (Portuguese for "no antivirus")
#strPingOk#
#strCmd#
Persistence:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
IOCs (income tax)
root@ipos6.notasfrias[.]org (20.114.251[.]33)
ip-92-205-18-61.ip.secureserver[.]net/.idrec/?hash=
restituicaodevalores-irf.canadaeast.cloudapp.azure[.]com
hxxp://isfactorytox.duckdns[.]org/gg/gmptx
secffnb.westcentralus.cloudapp.azure[.]com/gamermix/play[.]php
Configs
abcadvogados[.]com/g/WWA
tmjdrinks[.]com/geo/drinks[.]txt
C2: 20.226.99[.]72:59613
Emulations and analysis
https://tria.ge/220427-smn83se
References
https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
https://rvsec0n.wordpress.com/2020/02/22/msi-malware-analysis/
https://twitter.com/dodo_sec/status/1513920321707024386
https://docs.microsoft.com/en-us/windows/win32/msi/orca-exe
https://app.any.run/tasks/77d32721-dcf5-4e79-b04d-e26b0b54a935