Legitimate VMware Binary Distributes Banking Trojan

Security experts from Cisco reported that a banking Trojan spam campaign has been exploiting a legitimate VMware binary to trick security programs into allowing malicious binaries to load.

According to the researchers, the campaign tries hard to remain stealthy by using various methods of redirection when infecting users’ computers.

The attackers also use several anti-analysis methods, and the final payload is written in Delphi.

The attacks mainly target PC users in Brazil and start with malicious spam emails written in Portuguese.

The attackers also try to trick victims into opening a malicious HTML attachment disguised as a Boleto invoice.

The malicious HTML file includes a URL that redirects first to a goo.gl shortened URL and then to a RAR archive containing a JAR file with malicious code that installs a banking Trojan.

After that, the Java code sets up the working environment of the malware and downloads additional files from a remote server.

Then, the Java code renames the downloaded binaries and executes a legitimate binary from VMware, which is signed with a VMware digital signature.

By loading the legitimate binary, the attackers try to trick security software into trusting the libraries that binary loads.

However, one of these libraries is a malicious file called vmwarebase.dll, which is meant to inject and execute code in explorer.exe or notepad.exe.
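A defender can look for this pattern in image-load telemetry. The following Python sketch is an added example, not code from the Cisco report: it checks records that use Sysmon Event ID 7 (ImageLoad) field names and flags any load of vmwarebase.dll that is not validly signed by VMware or that happens outside the expected install directory. The trusted directories, the signer string, the `host.exe` process name and the sample events are assumptions constructed for illustration.

```python
# Added example: flag suspicious loads of vmwarebase.dll (DLL side-loading).
# Records use Sysmon Event ID 7 (ImageLoad) field names; all values are constructed.
from ntpath import basename, dirname, normcase

# Assumptions: install locations and signer name expected on the monitored hosts.
TRUSTED_DIRS = (r"C:\Program Files (x86)\VMware", r"C:\Program Files\VMware")
TRUSTED_SIGNERS = {"vmware, inc."}
WATCHED_DLLS = {"vmwarebase.dll"}  # library name given in the article

def in_trusted_dir(path):
    folder = normcase(dirname(path))
    return any(folder == normcase(d) or folder.startswith(normcase(d) + "\\")
               for d in TRUSTED_DIRS)

def signed_by_vmware(ev):
    # In ImageLoad events the signature fields describe the loaded DLL.
    return (ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"
            and ev.get("Signature", "").lower() in TRUSTED_SIGNERS)

def sideload_findings(events):
    """Return (process, dll, reasons) for each suspicious load of a watched DLL."""
    findings = []
    for ev in events:
        dll = ev["ImageLoaded"]
        if normcase(basename(dll)) not in WATCHED_DLLS:
            continue
        reasons = []
        if not signed_by_vmware(ev):
            reasons.append("dll-not-signed-by-vmware")
        if not in_trusted_dir(dll):
            reasons.append("dll-outside-install-dir")
        if not in_trusted_dir(ev["Image"]):
            reasons.append("host-binary-outside-install-dir")
        if reasons:
            findings.append((ev["Image"], dll, reasons))
    return findings

GOOD_DIR = r"C:\Program Files (x86)\VMware\VMware Workstation"
DROP_DIR = r"C:\Users\Public\example"  # constructed drop location
SAMPLE_EVENTS = [  # constructed; host.exe stands in for the unnamed VMware binary
    {"Image": GOOD_DIR + r"\host.exe", "ImageLoaded": GOOD_DIR + r"\vmwarebase.dll",
     "Signed": "true", "Signature": "VMware, Inc.", "SignatureStatus": "Valid"},
    {"Image": DROP_DIR + r"\host.exe", "ImageLoaded": DROP_DIR + r"\vmwarebase.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for proc, dll, reasons in sideload_findings(SAMPLE_EVENTS):
        print(proc, "loaded", dll, "->", ", ".join(reasons))
```

Checking the DLL's own signature and location matters because the host process is genuinely signed, so a rule keyed only on the process signature would pass this load.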

The main module of the banking Trojan was created to terminate the processes of analysis tools and create an autostart registry key.

In addition, the module reads the title of the user’s foreground window, which lets it identify whether the window belongs to a targeted financial institution located in Brazil.

After that, the Trojan uses web injects to make users reveal their login credentials.

Security experts say that the other binary the main module loads is packed using Themida, which makes its analysis very difficult.

In addition, the researchers noticed that the malware sent specific strings to the command and control server every time an action was performed on the infected system.

“Financial gain will continue to be a huge motivator for attackers and as with this sample the evolution of the malware continues to grow. Using commercial packing platforms like Themida will continue to make analysis difficult for analysts and shows that some attackers are willing to obtain these types of commercial packers in an attempt to thwart analysis,” the Cisco experts say.
