Researchers from Tempest’s Threat Intelligence team have detected a new phishing campaign targeting Facebook users in Brazil and Mexico. In the campaign, sponsored ads offered discount coupons for a large fast-food chain in order to spread a malware which, according to the research, is divided into three modules: a file capture and credential theft module, a malicious extension to Google Chrome and a Remote Administration Tool (RAT), used for screen overlay to commit bank fraud.

Next, we’ll look at the details and methods used in this campaign.

Campaign Analysis

Phishing

In the scam, which would have made more than 10,000 victims, a sponsored ad (link imagem 1) offers discounts on products. To get discounts, one has to click a link to a website where the coupons are. The website is a malicious page containing a series of seemingly official coupons. On the page, the victim is prompted to click a button to supposedly download the coupons. By clicking the button, a compressed file (containing two files, with the extensions .msi and .exe) is downloaded to the victim’s computer.

By running the .msi file (through msiexec.exe — Windows Installer Component) a Visual Basic script (VBScript) is triggered, which, in turn, will trigger the following actions:

• Download other script files;
• Download and unzip a file containing the malicious extension for Google Chrome;
• Modify Chrome shortcuts from scripts to run the malicious extension;
• Start the RAT infection process.

VBScripts execution and RAT installation

The first VBScript (contained in the .msi extension file) runs a sequence of obfuscated codes, culminating in the download of a new VBScript on the computer. In all, six distinct routines were identified in the process. It is speculated that this is done in order to hinder the work of analysis and also as a method of evasion from antivirus programs.

The new VBScript downloads the .zip file containing the malicious Chrome extension and the commands that modify the browser shortcuts on the victim’s computer. These commands will cause the browser to load the malicious extension at runtime, which guarantees its persistence in Chrome even if it is removed by the victim.

Concomitantly, the computer is infected by the Overlay RAT; however, this infection will only be performed if the language configured on the computer is Portuguese, and if it is not a virtual machine (VM).

Post infection and data theft

After completing the entire infection process, the malware searches the entire operating system for user and password data from email and FTP clients. If identified, this data is obfuscated and sent to a C&C server.

Several C&C servers were identified by the research. Through them, researchers found data that included email client contact lists, Gmail contact lists, HTML pages, email credentials (usernames and passwords), and password lists with apparent origin at the Google Password Manager — later it was possible to confirm that cookie data and Google Chrome’s “LoginData” (SQLite database that saves all user and password information saved in the browser) were in the campaign target. It is noteworthy that “LoginData” data is encrypted, but the author of the malware was able to decrypt it, transforming it into clear text.

Researchers have identified that each type of captured data is cataloged and separated into files containing identification codes. So far the following codes have been identified:

* HJ — LoginData Chrome *

* HK — Contact List (emails only) *

* HY — Errors reading Chrome database *

Malware analysis made it possible to verify the existence of a mathematical pattern in the obfuscation processes involved in sending data to the C2 server. This way, researchers were able to create a script to unscramble all information captured and sent by the artifact.

Malicious Chrome Extension

The malicious Chrome extension is able to capture and modify data from any site accessed by the browser. Its specific feature, however, is to modify payment slips identified in the browser tabs.

Once the extension identifies a payment slip on a page, it captures and sends it to a C2 where it is modified, and sent back via POST. All this data, both in the request and in the response, is obfuscated.

RAT module

The final module of the malware is a Remote Acces Trojan which is able to perform page overlays for four Brazilian banks.

A DLL (which is imported as soon as the malware is run at operating system startup) has been identified by the researchers as containing the screens used in the overlay process.

IOCs

URLs

mcdonalds[.]promoscupom[.]ml

contadorrebol4-com[.]umbler[.]net

areavip[.]tk

areavip[.]tv

mcdonalds[.]promoscupom[.]cf

www[.]tu-cupon[.]com

tucupon[.]tk

Servers

51.75.95.179

40.121.5.174

18.229.131.184

mexico003[.]ml

mexico003[.]tk

mex002[.]tk

mex002[.]gq

mex002[.]ga

iquksjpablukduwt1[.]tk

fkkavtwfilvpkl2[.]ml

vvcniayccmr3[.]ga

rinlircavgcronx4[.]cf

elbkbbmdmrrg5[.]gq

mqrflkgxinxdgr6[.]tk

yyxfkpffhvo7[.]ml

tjcpccfddsxbr8[.]ga

oupypirjyrqgtlgt9[.]cf

qnpkocplwiyyjaid10[.]gq

yerhqyfrtcyruj11[.]tk

ygwompuaqdfr1[.].ml

qhenujpqooidc13[.]ga

lfxfmphkmal14[.]cf

eaisoxmsvntyvgvk15[.]gq

ukjbwwxifxdutc16[.]tk

skefjkokgpiatfn1[.]ml

yiwmbfddtxltb18[.]ga

rocgjkixhhpiajn19[.]cf

kpsifdyjhkufct20[.]gq

udgetbnvebfhp21[.]tk

rdxabyfohrdh22[.]ml

ovbmiebdqduws23[.]ga

qcotohinmciilh24[.]cf

wcxfejvmdsani25[.]gq

edbxublfkvatmww26[.]tk

psublaugrwdehpih27[.]ml

mibjdulwddkq28[.]ga

bmcmontgtqobq29[.]cf

wdxmkoqgqoh30[.]gq

mmttmiubtvmhok31[.]tk

ntmludavsamydq32[.]ml

sxpaavkkbbyjpdow33[.]ga

xjnkmyprutswjjd34[.]cf

nmrxhhfphiwpd35[.]gq

jvqhflyubweqan36[.]tk

txbnciwpqudbqprp37[.]ml

jhpbostqvxmy38[.]ga

uvwgoaeniuiuf39[.]cf

cbubhrbodjn40[.]gq

wgybeleosem41[.]tk

grvtxkisbyn42[.]ml

qdohpefsnxg43[.]ga

cuuoisoopdebh44[.]cf

uleqbpbnpmjlk45[.]gq

cityrnlotdcnhy46[.]tk

ubhxmjmesiv47[.]ml

velsqnhnbicn48[.]ga

dootdcuydwuiwi49[.]cf

shedxlgaekhiu50[.]gq

ecpmkbfqfhfctl51[.]tk

diaduodhiuh52[.]ml

tlvsgwudxbxpfaww53[.]ga

buauanotgpnwvqdd54[.]cf

tsmpbqpyyrxvb55[.]gq

jjshxdmaalgbtxhd56[.]tk

jpfpbtxqsieryj57[.]ml

hbudtuxmkofi58[.]ga

mrqrdrbhhpwexn59[.]cf

clmbkxslunmkwyy60[.]gq

mthhpdinkqtskio61[.]tk

wpftxqsaeryj62[.]ml

Files

Filename: Binary.fgak8ktkkyo7q3xl5.vbs

MD5: fc9b0cfc56dfe1de05e17e907555ae22

Sha1: 3b7aa37129c6fcb91a5e9b6141589e0da5c88a4f

Sha256: 344f88b12b3d0cb8649a58428cd7e9d8ca37ac380a92e7673fabee724d23fc44

Filename: Cupom_MJ738J3JS.msi

MD5: 25eb88342a0492fc342b1b0d12925e96

Sha1: 3662723aff984bf76e306b8eb9be6418bd02f666

Sha256: 1525be6d2587acc232832241c14ee154579c89a1bbd0ea138a12bd0ab54c6ef3

Filename: Cupom_MJ738J3JS.zip

MD5: 49b6625ae11c6d6579ed358acd51adcb

Sha1: c4daeaeca119b5f56a0bfbb2232967f7c40ad006

Sha256: a1c2810a98789cee93d2b306c863d24f0cb47d85b37e1a8b2491e9a62f6063a8

Filename: fvcgTL.zip

MD5: a376e397d3d24c053b304efe12bef22b

Sha1: aada56c5de0618e7da8bfeb632f1fc0f68eb84f0

Sha256: 9dbc72a8ab9549812ff38fe12336d16fa10c614c3eb26df613e9a71376b82216

Filename: ky419.zip

MD5: 913673c19cb73cab4ebe9b156cc3a943

Sha1: 4b68ed8670293607b793895cf00acaaadff11ae8

Sha256: a839e7f5cdfd75eeb0147ccb44e251e320bf52b698080433bee02cac272a8888

Filename: MImpZ.vbs

MD5: c6b0a821f0c2656f2f8903b82bcef1c5

Sha1: 35e5689728d1a1dbb6974c8b67782ac4e1299d5b

Sha256: 638be4d5a470fb8581e0eceee1999ce2b972f16042b5c76d9bd01f104eaf205a

Filename: OgawC142.zip

MD5: b2099d3b4ee91b93e007349e6b773273

Sha1: 8e9b00025ae466bf95848f36784132d8d0cd56ab

Sha256: a34b0e5de20abfa64e520f8df6dd61c4b7f417cf24c57ca4130a6725238d6478

Filename: oois7yl1w.zip

MD5: d120778ef82f5432216fc931be3c4ba7

Sha1: 514e05b08616086205cdd83267d674d421a7d033

Sha256: 30c6c25555a0573690d60334141cb7339be91de16a547f8f288b407032da2929

Filename: pk6pf2x6s4a1xn.zip

MD5: 2ea13aa1eb17dc9baa3ed175cdfaa15b

Sha1: 847a111a87af203f4ad75cfeff01875d4a761323

Sha256: b001ff0c904fc2506bfb56269060570c442888dd84a56b8ca874d7ed41a1d1b4

Filename: at2/at23.js

Md5: 9f0fa7cc3f6d3c3b5d5136613cfee4a9

Sha1: 0b7221a3845a66ab3a7f35c4f6475fd0743119f0

Sha256: 528ca8e0f620d2899255158661d065b9612e1783e0e20f0b8411dce430726d7f

Filename: at2/at24.js

Md5: 572f1c06b8004d560d8817570584112a

Sha1: 61cde2b9c0d663c34f994de81020ea1841ac5433

Sha256: e0612e763841eda3f75690a457f952e43fdb2bce3d9bcac09177f1de62faede3

Filename: at2/eventPage.js

Md5: d41d8cd98f00b204e9800998ecf8427e

Sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709

Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Filename: at2/jquery-3.1.1.min.js

Md5: e071abda8fe61194711cfc2ab99fe104

Sha1: f647a6d37dc4ca055ced3cf64bbc1f490070acba

Sha256: 85556761a8800d14ced8fcd41a6b8b26bf012d44a318866c0d81a62092efd9bf

Filename: at2/manifest.json

Md5: e9fb6decb5b4569177b1ce166fb151d3

Sha1: 828fa1b2d3733846ea9c9cc195beb8be6d9756bb

Sha256: 6ce8d3306cf0b504de0571bfea3fabe08061379a01ef6fbaad3021243a7f35b0

Filename: OgawC142/eventPage.js

Md5: d41d8cd98f00b204e9800998ecf8427e

Sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709

Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Filename: OgawC142/GvpqXN.js

Md5: 37ff95b74df1c86dfff51650d39a3783

Sha1: a6b5528726c7ff3f4b55194baf19347e93e158de

Sha256: e52b8806a78db9f69d1c19e1b38ef4db133b3e42220bd49839d1c705b707c69b

Filename: OgawC142/jquery-3.1.1.min.js

Md5: e071abda8fe61194711cfc2ab99fe104

Sha1: f647a6d37dc4ca055ced3cf64bbc1f490070acba

Sha256: 85556761a8800d14ced8fcd41a6b8b26bf012d44a318866c0d81a62092efd9bf

Filename: OgawC142/manifest.json

Md5: 15a10b06da1d05afcf2abdee82c99a08

Sha1: 5f7b221485291ef49ded3a2fc1f54f4eb025d597

Sha256: 0e93f8ac443cfb3306eeb149d3881f8eebdafc7c669795e41b444d4c792d36d8

Filename: OgawC142/VnBeAv.js

Md5: b8a51bd551d1b4a2b88310e5d3a2a665

Sha1: e11a17b1f76ccc6db36896fb133e6db833215ad1

Sha256: ee311315b364dbed3ebdc539f272afc487943a8be4500aef26a1a25429517119

Filename: oois7yl1w/ecy.dll

Md5: 95b2f86dee18e2883ee1429ef2f1a734

Sha1: c957732b11181ab13dc27943ed5f2f65d047a4f8

Sha256: 0dbd022a78a38ca67ee56551d72e3c92c0f728943fef4ab76b65e1fc73837a56

Filename: oois7yl1w/hfyhbiu.dll

Md5: 8818909bfbc9d427a31fbd12c7a2157e

Sha1: 5b228f099b167a190c8fe280efcb47a9cae1fab9

Sha256: a857a813390b7d1e81ca9b1929c0b2031fd13bd8f7bb8444aea3ea3f5461be67

Filename: oois7yl1w/kqvwo1mhrg.dat

Md5: 1b949adf1316001a392e19416e073bc5

Sha1: c1726c441eea972f6f79f8c2aba1838fb9680d30

Sha256: 0213cbb44603c42667abdbd6300e9352201fbb0a71d11908495398fee9eb76c5

Filename: oois7yl1w/ky3ubl.dll

Md5: 061440d1c00a4d78cea1cbd1701afb5d

Sha1: a6303d49222490333ee6e7ecf721fa06218961b2

Sha256: 9622e80bec193c49038ff70e1db7a11592d4282a9f0089a03ce69889f839dd8f

Filename: oois7yl1w/lgfm2w8.dll

Md5: f3f571288cde445881102e385bf3471f

Sha1: d3222d7f6d97b0a8e144760151782e0721f18ded

Sha256: a6bd9fd8e9d1dba14334db442b7fd6bb06f58201db720a7aa006530f76fc26eb

Filename: oois7yl1w/libeay32.dll

Md5: de484d5dafe3c1208da6e24af40e0a97

Sha1: 3e27b636863fefd991c57e8f4657aded333292e1

Sha256: 007342c6b9b956f416f556b4bd6f1077e25bd077cc4f4ac136e3fccb803746e3

Filename: oois7yl1w/ltqd7iy4.dll

Md5: 3a44b86aadcce51f87e28aae98e58f16

Sha1: b08ff9dd23bf1d38db2fb04c1ecf8b0e4844c6bc

Sha256: 8c17300d9d05ffe05ced7cc35e62d7e86a9b7534386cf7bd6a9151cb321beb8e

Filename: oois7yl1w/o2gd3fq6hm.exe

Md5: c648901695e275c8f2ad04b687a68ce2

Sha1: 892503b20247b341cfd20dda5fdacfa41527a087

Sha256: 3fa4912eb43fc304652d7b01f118589259861e2d628fa7c86193e54d5f987670

Filename: oois7yl1w/ssleay32.dll

Md5: 284e004b654306f8db1a63cff0e73d91

Sha1: 7caa9d45c1a3e2a41f7771e30d97d86f67b96b1b

Sha256: 2d11228520402ef49443aadc5d0f02c9544a795a4afc89fb0434b3b81ebdd28c

Filename: oois7yl1w/t5wyfwne8b8k4.dll

Md5: cde01c58778c9a3b26f3e3f2689f6614

Sha1: 2009aa23f15ea6e8e0d11e439bc7e2469da77f84

Sha256: 24456d429b721a6ebed691de24473d38e1608a50ceb8e8b970263670cd2aa89a

Filename: oois7yl1w/winx86.dll

Md5: 87f9e5a6318ac1ec5ee05aa94a919d7a

Sha1: 7a9956e8de89603dba99772da29493d3fd0fe37d

Sha256: 7705b87603e0d772e1753441001fcf1ac2643ee41bf14a8177de2c056628665c

Filename: pk6pf2x6s4a1xn/alsirwny5.dll

Md5: 824cd16f3c5db6a8ad0f314a8dff0c2e

Sha1: 84a54737a6c7222f02726fe3cc8cc9efa1df2d51

Sha256: 2f373cb24511ca1a1035bc94d4da28329814b9c2573d16f2a06319933eab8447

Filename: pk6pf2x6s4a1xn/bxyhmkl.dll

Md5: 50ce27d2a396e14300a2524e2ec8b982

Sha1: fa23428ac04a14b18ae46b71bc4bcae2636e6f57

Sha256: 4afa84efec6dbe05804216dc5ff716e5eb0e7fe95fd29709b3e8e7821787b3ed

Filename: pk6pf2x6s4a1xn/lxpvcq.dll

Md5: 866d9af9277e7928830454f76b12539d

Sha1: cad44533d3c3996e56c6125caf465ea7809a7b31

Sha256: 6c79b4be1b63b349015404ba3ce25c4cecfa679374ec269623c8ce949c42b656

Filename: pk6pf2x6s4a1xn/rmkqemobm.exe

Md5: 85409467e4bbd807309bce052a86e8ad

Sha1: e21a5f1d1ba0b52b0ab4ac55a588af68f6f60f8a

Sha256: 384294ef6760f53b7b2c9c5ff79a0db96b5ae7ac9f8848d188a6959b1b4011e1

Filename: pk6pf2x6s4a1xn/xld.dll

Md5: 961d95d29acee4291dfdbbcb7851895c

Sha1: d33228b6c0ddf6c5b9bac69cb148e2b7ff9eb742

Sha256: a4377478ff1dd7e85516187b9cf09d514e2656349991e138ed957b8725b17938