By Threat Intelligence Team
Last week, Tempest’s Threat Intelligence team identified the spread of the Vadokrist banking trojan through a spear phishing campaign that uses Pix (the Brazilian instant payment system) as its lure. The threat, which targets customers of major Brazilian banks, uses the DLL Injection technique in its infection process and relies on the GitHub platform to host and serve information necessary for the operation of the campaign.
Distribution of the threat
Taking advantage of the popularization of Pix, the operators distribute the trojan through a spear phishing campaign that tries to persuade the user to download and execute an attached ZIP file, promising to protect the computer against fraud and improper payments. To lend credibility to the social engineering in the emails, the operators had previously compromised some legitimate domains and made use of the Email Spoofing technique, in addition to registering new domains under the .com.br TLD that reference Pix.
Infection, persistence and command & control
After the infection, the threat remains in “standby mode” waiting for the victim to access the web page of a banking institution on its target list. When such an access is identified, communication with the C2 is established and the malware waits for the victim to enter their credentials, then captures them and sends them to the server. Besides banking credentials, the trojan also sends information about the infected machine, such as the operating system version, the web browser, details of the malware itself, and other data.
To analyze the behavior of Vadokrist, Tempest developed a Python script to decrypt the malware’s strings. This was possible because the algorithm used to encrypt the strings is very similar to that of other Latin American malware families and, in addition, the keys needed for decryption were found inside the malware binaries. Some of the decrypted strings were the IP addresses of the attacker-controlled servers and the download URL of the final stage of the threat.
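The page does not describe the encryption routine or publish Tempest’s script, so the following is an added illustration rather than the team’s code or Vadokrist’s actual algorithm. It implements a simplified stand-in for the kind of string scheme commonly reported for Delphi-based Latin American banking trojans (hex-encoded ciphertext, a repeating key, each byte mixed with the previous ciphertext byte) and, going slightly beyond the text, shows how an analyst can validate candidate keys pulled from a binary by checking whether every string decrypts to plausible text. The key, the sample strings and the candidate key list are all constructed for the example; the URL and IP use reserved documentation values.

```python
"""
Toy string decryptor for malware configuration strings.

Added example, not Tempest's script and not Vadokrist's real routine. The
scheme (hex ciphertext, repeating key, chaining on the previous ciphertext
byte) is a simplified stand-in for the family of routines the article alludes
to; key, strings and candidate keys are constructed.
"""
import string

# Constructed key and sample plaintexts. The URL and IP use reserved
# documentation values (RFC 2606 / RFC 5737), not real infrastructure.
SAMPLE_KEY = "T3mp3stK3y!"
SAMPLE_PLAINTEXTS = [
    "http://cfg.example.invalid/stage2/p.zip",
    "192.0.2.10:8080",
    "bancoexemplo.com.br",
]
# Stand-ins for the key strings an analyst would carve out of the binaries.
CANDIDATE_KEYS = ["DefaultKey", "SenhaPadrao", SAMPLE_KEY]


def encrypt_string(plaintext: str, key: str, seed: int = 0x5A) -> str:
    """Encrypt with the toy scheme. Used here only to build sample data; a real
    analyst would pull the hex strings straight out of the binary."""
    kb = key.encode("latin-1")
    prev = seed & 0xFF           # the first ciphertext byte carries the seed
    out = bytearray([prev])
    for i, p in enumerate(plaintext.encode("latin-1")):
        c = ((p + prev) & 0xFF) ^ kb[i % len(kb)]
        out.append(c)
        prev = c                 # chain on the ciphertext byte just emitted
    return out.hex().upper()


def decrypt_string(hexstr: str, key: str) -> str:
    """Invert encrypt_string: undo the XOR with the key byte, then subtract
    the previous ciphertext byte."""
    ct = bytes.fromhex(hexstr)
    if not ct:
        return ""
    kb = key.encode("latin-1")
    prev = ct[0]
    out = bytearray()
    for i, c in enumerate(ct[1:]):
        out.append(((c ^ kb[i % len(kb)]) - prev) & 0xFF)
        prev = c
    return out.decode("latin-1")


_PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}


def looks_like_text(s: str, threshold: float = 0.95) -> bool:
    """Cheap plausibility check: a wrong key yields byte soup, the right one
    yields mostly printable ASCII (URLs, IPs, window titles, bank names)."""
    if not s:
        return False
    return sum(ch in _PRINTABLE for ch in s) / len(s) >= threshold


def recover_key(ciphertexts, candidate_keys):
    """Try each candidate key and keep the first one under which every
    ciphertext decrypts to plausible text. Returns None if none fits."""
    for key in candidate_keys:
        if all(looks_like_text(decrypt_string(ct, key)) for ct in ciphertexts):
            return key
    return None


# Constructed "strings table" as it might be carved from a sample.
SAMPLE_CIPHERTEXTS = [encrypt_string(p, SAMPLE_KEY) for p in SAMPLE_PLAINTEXTS]

if __name__ == "__main__":
    key = recover_key(SAMPLE_CIPHERTEXTS, CANDIDATE_KEYS)
    print("recovered key:", key)
    for ct in SAMPLE_CIPHERTEXTS:
        print(ct, "->", decrypt_string(ct, key))
```

The plausibility check is deliberately loose: configuration strings in this class of trojan are URLs, IP:port pairs, bank names and window titles, so requiring almost every byte to be printable ASCII separates the right key from wrong ones without knowing the plaintext in advance. On a real sample the same loop would be run over the carved hex strings with every key string found in the binaries.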
Although the Vadokrist trojan is not widely reported by the specialized media, Tempest has observed constant updates to its mode of operation and to the social engineering applied in the campaigns that distribute it.
The use of the Pix theme shows the operators’ effort to reach as many victims as possible, expanding the distribution range of the threat. However, Tempest stresses that this abuse was limited to the spam campaign: no processes, strings or attempts to capture Pix keys were identified at any stage of the malware’s execution.
This new version uses robust obfuscation methods to protect its settings and makes use of a public platform, GitHub, to store, in the form of encrypted strings, the information needed to run the campaign.
Although Vadokrist is aimed at targets in Brazil, Tempest believes its targeting may broaden in future updates, since this trojan shares many similarities with other malware families targeting Latin America.
E-mails used in the spam campaign
Filename: Keys Recorder15.ZIP
Filename: MacroRecorder.exe (legitimate binary)