In the last few years, many banking trojans developed by Latin American criminals have increased in volume and sophistication. Although exists a strong adoption of technologies with the goal of protecting the final user such as plugins, tokens, e-tokens, two-factor-authentication mechanisms, CHIP, PIN cards, and so on, online fraud is still on the rise and every day implementing new tactics, techniques, and procedures (TTP) to evade antivirus and Endpoint Detection & Response systems.
In this article, we will into the details of the Javali trojan banker, introduced and tracked by the Kaspersky Team, and targeting Latin American countries, including Brazil and Mexico banking and financial organizations.
Background of Latin American Trojans
Javali trojan is active since November 2017 and targets users of financial and banking organizations geolocated in Brazil and Mexico. By analyzing this piece of malware, we found that Javali is using the same routines and calls often observed on other Latin American trojans, such as Grandoreiro, URSA aka Mispadu, Lampion, Vadokrist, Amavaldo, Casbaneiro aka Metamorpho and Mekotio.
Figure 1: The most popular and dangerous Latin American trojans.
In short, part of these trojan families are using padding to enlarge the binary; empty sections or even BPM images attached as a resource as described in this article related to the Grandoreiro trojan. Other trojans use this technique as it allows to evade detection and execute the malicious code on the target machines bypassing detection based on static file signatures.
Latin American trojans share the same modus operandi and even modules and blocks of code observed during the analysis of several malware samples. The following schema is an effort to present in a single high-level diagram the workflow of the most popular Latin American trojans.
Figure 2: High-level diagram of the modus operandi of the most popular Latin American banking trojans.
The malicious activity starts with a phishing email sent to the target victims in Latin American – Brazil, Mexico, Chile, and Peru – and Europe – Spain and Portugal. The initial stage of these trojans is generally the execution of a dropper in a form of a VBS, JScript, or MSI file that downloads from the Cloud (AWS, Google, etc.) the trojan loader/injector. After this step, the trojan itself – developed in Delphi – is executed into the memory manly using the DLL side loading technique or DLL injection, creating persistence using a .lnk file on the Windows Startup folder, or adding a new key in the machine registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) with the name and path of the .lnk file to guarantee the malware is executed every time the infected machine starts.
The steps 7 and 8 from Figure 2, the malware obtains some details from the infected machine and report them to the C2 server, including the version of the Operating System (OS), architecture, the name of the installed antivirus and EDRs, computer name, and the victim’s geolocation.
From here, the malware executes a new thread when specific and hardcoded web-browsers are opened. The title of the accessed web-pages are collected and compared with the target organizations and services hardcoded and defined by crooks, generally the name of the banking portals, cryptocurrency portals, and financial firms. If these conditions match, the windows overlay process starts launching fake windows to lure victims.
More details and comparisons between several threads and used TTPs can be found below and by accessing the publication from ESET.
Figure 3: MITRE ATT&CK table illustrating the features that Latin American banking trojans share (full table and more details here).
As observed during the last few years, several threats share a lot of TTP and code, and that is a clear signal of cooperation between malicious groups.
Discovering Javali trojan banker
These days, the Javali trojan banker is one of the most popular trojan banker families in the wild. According to the Kaspersky publication:
Javali targets Portuguese- and Spanish-speaking countries, active since November 2017 and primarily focusing on the customers of financial institutions located in Brazil and Mexico
Since the details online about this threat are scarce, after a tweet of the malware hunter @JAMESWT_MHT on Twitter, we decided to go through the details of this specific trojan.
As observed in another Latin American banking trojans from Figure 3, part of the most popular trojans are disseminated using the most dangerous vehicle of threat’s proliferation: email protocol. As this protocol relies on a strong and complex “mesh” around him to catch the fish, the end-user is every time the final decision maker: open or not open the fresh email. Next, an email template used by Javali to lure victims is presented.
Figure 4: Email template used by Javali banking trojan.
The Javalis’ modus operandi is based on the workflow previously explained in Figure 2 and related to other threats such as Vadokrist, Lampion, URSA, Amavaldo, and Casbaneiro. After opening the URL distributed on the email body, a ZIP file is then downloaded from the Internet. For this, Cloud services are often used by crooks including Google, S3 Buckets from AWS, and MediaFire file sharing service. The next diagram demonstrates how Javali trojan banker works.
Figure 5: High-level diagram of Javali trojan banker.
As mentioned, in general, this trojan was developed using the same architecture of other Latin American trojans, and the main steps of the infection chain are described below and analyzed in-depth during the next sections of this article.
The Avira.exe file, a legitimate PE file from the Avira Antivirus firm, is then used as an injector to take advantage of a technique dubbed DLL side-loading and loading into the memory a huge DLL “Avira.OE.NativeCore.dll” (6) as a child of a legitimate Parent Process ID (PPID).
When executed, the Javali trojan starts its operation and immediately gets the malware configuration from doc files available on Google Cloud (7).
Next, the trojan collects information from web-browsers (8) searching for target tabs opened related to hardcoded banking/financing portals and starts the malicious overlay activity presenting fake windows to victims (9, 10, 11, 12, and 13).
MSI file – The Javali Dropper
Creation time: 2/5/2021 7:10:49 AM
Figure 6: JScript file hardcoded inside the MSI file and then executed via wscript.exe on the target machine.
After some rounds of deobfuscation, we found some interesting strings and the blocks of code responsible for creating persistence on the machine and also downloading a ZIP file from an AWS S3 bucket dropped into the User’s public folder: C:\Users\Public\Documents\random_name.
Figure 7: JScript file partially deobfuscated.
Although some parts of the code still obfuscated, we can understand the basic operation of this piece of malware by debugging it on a debugger. This is a trick valid for other Jscript files executed via wscript.exe. By debugging it and adding a breakpoint on the “ws2_32.GetAddrInfoW” call, we can observe the moment the malware downloads the next stage from the Internet (AWS S3 bucket).
Figure 8: Getting the AWS S3 bucket address by debugging the JScript payload.
The downloaded ZIP file is stored into the “C:\Users\Public\Documents” directory, inside a random folder created during the dropper execution. After that, the following files are extracted, namely:
Figure 9: Javali trojan and all the files used during the infection chain.
Persistence is achieved by creating a .lnk file in the Windows startup folder and also a registry key pointing to this .lnk file.[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]created: CREATEDdevice: DISK_FILE_SYSTEMname: C:\Users\xxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JAAMKHQWFW.lnkobject: FILEoperation: CREATEstatus: 0x00000000time: 10453 ms
Figure 10: Javali trojan persistence technique (Windows startup folder + registry CurrentVersion\Run).
Javali injector – Weaponizing Avira legitimate executable
Filename: Avira.exe / rundll32.exe
Creation time: 1/25/2021 4:38:25 AM
Javali trojan takes advantage of a legitimate executable from Avira Antivirus firm to inject into the memory a malicious DLL that impersonates the legitimate DLL: Avira.OE.NativeCore.dll. This technique is known as DLL side-loading aka DLL hijacking by abusing of vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests are not explicit enough about characteristics of the DLL to be loaded (T1574).
As observed below, the injector is a legitimate file and with a valid digital signature from Avira Operations GmbH & Co. KG.
Figure 11: Javali uses as injector a legitimate executable from Avira antivirus.
DLL side-loading is used as the favored execution method by Latin American threat groups and 22 different binaries have been abused to load into the memory malicious code. In a publication from ESET, some products were described, including binaries from Microsoft, Oracle, several security companies, NVIDIA, VMWare, Avira, and others used as injectors in Amavaldo, Casbaneiro, Mekotio, Vadokrist, and Javali trojans.
|Microsoft Corporation CTF Loader||ctfmon.exe||MsCtfMonitor.dll; AppGetLoader.dll; CryptUI.dll|
|Microsoft Corporation OLE/COM Object Viewer||OLEView.exe||IViewers.dll|
|Microsoft ECM Certificate Manager||CertMgr.exe||CryptUI.dll|
|Microsoft Office Picture Manager||Ois.exe||MSOCF.dll|
|Java(TM) Platform SE 8 (cmd-line launcher)||jjs.exe||jli.dll|
|Java(TM) Platform SE 8 (Remote Method Invocation)||java-rmi.exe||jli.dll|
|Java(TM) Platform SE 8 (Kerberos)||kinit.exe||jli.dll|
|Avast Dump Process||avDump32.exe||Dbghelp.dll|
|AVG Dump Process||avDump32.exe||Dbghelp.dll|
|G DATA Personal Firewall||GDFwAdmin.exe||GDFwAdmin.dll|
|G DATA Security Software||AVK.exe||Avk.dll|
|COMODO Internet Security||CisTray.exe||Cmdres.dll|
|NVIDIA 3D Vision Test Application||Nvsttest.exe||D3d8.dll|
|NVIDIA Smart Maximise Helper Host||NvSmartMaxApp.exe||NvSmartMax.dll|
|VirtualBox Guest Additions Tray Application||VBoxTray.exe||Mpr.dll|
|VMware NAT Service||Vmnat.exe||Shfolder.dll|
|WinGup for Notepad++||Gup.exe||Libcurl.dll|
|Disc Soft Bus Service Pro (DAEMON Tools Pro)||DiscSoftBusService.exe||Imgengine.dl|
|Bartels Media GmbH Macro Recorder||MacroRecorder.exe||Mrkey.dll|
|Stonesoft VPN Client Service||Sgvpn.exe||Wtsapi32.dll|
|OOO Lightshot Starter Module||Lightshot.exe||Lightshot.dll|
Also, BitDefender published an article in reference to this vulnerability used by Casbaneiro aka Metamorfo trojan to execute the malware as a child of a trusted process. In fact, legitimate applications are digitally signed with an Authenticode (code-signing) certificate. This is the proof and seen as a token of trust, as an Authenticode-signed executable file looks less alarming to users when requesting elevated privileges.
In this way, if the User Account Control (UAC) prompts the victim that the antivirus engine wants to make changes on the system, well, users probably will not question it. On the other hand, many antivirus and Endpoint Detection & Response systems can be avoided using this vulnerability, as the injector is legitimate, code-signed, authentic, and comes from a well-known security firm – Avira.
Figure 12: Legitimate injector from Avira – digitally signed, authentic, and trusted during the injection process allowing to bypass security engines such as AV and EDR.
Avira injector – Digging into the details
There is a lot of methods to take advantage of DLL side-loading vulnerability by examining the DLL imports. Figure 13 shows the Avira.exe DLL Import Table Address (IAT) which includes the functions:
Figure 13: Calls loaded from a legitimate external DLL (Avira.OE.NativeCore.dll).
Validating the external DLLs and calls must involve more than checking for the correct filename and calls names. In this way, every time a DLL is loaded from the side-by-side directory and adjacent to the primary PE file needs to be validated for these functions. Usually, executables using the side-by-side feature will have these resources located in the embedded manifest file.
In detail, the name passed to LoadLibrary() / LoadLibraryEx() call not need specify a specific path. If a path is passed, then the library is only loaded from the specific path. Otherwise, the following Windows default DLL search order is used:
After analyzing the legitimate injector, we can see that the CreateFile() and ReadFile() functions are used to load into the memory the external DLL from the current process image file directory.
Figure 14: Avira.exe injector vulnerable to DLL side-loading attack abused by Javali trojan.
In sum, we recommend the following strategy should be kept in mind to ensure secure loading of libraries:
Final stage – Javali trojan banker
Creation time: 2/2/2021 3:47:39 AM
Code-signing (Microsoft Authenticode technology) can be used to sign the DLL, which is to attach digital signatures to the DLL to guarantee its authenticity and integrity.
By comparing the legitimate and malicious DLL, we can see that the malicious one is not signed in contrast to the legitimate one (Figure 15). Also, the External Address Table (EAT) is maintained including the two required calls that are invoked, otherwise, the injector could crash during its execution (Figure 16). Below, we can see that the “spoofed” DLL is not digitally signed, and even the size of the file is bigger than the original from Avira.
Figure 15: Malicious (spoofed) DLL without digital signature and the file was enlarged to bypass detection. Otherwise, the original DDL from the Avira firm is digitally signed.
As observed in Figure 16, the exported calls on the right-side (malicious DLL) don’t have a name – the sections’ names are empty – and the OEP is pointing to the .data section. At the first glance, this is a clear signal that something is wrong, even looking at the EAT, we can find many strange and empty sections to enlarge the DLL size.
Also, the original file name and compilation date are different between the legitimate (left-side) and the malicious DLL (right-side). Although the ordinals are different, the base calls of the legitimate DLL were maintained, and only the main calls were overwritten with the malicious code.—overwritten functions—MakeTrayIconVisibleAvira::OE::NativeCore::OeProductInfo::GetLanguage(void)const
Figure 16: Principal differences between the Legitimate DLL from Avira versus the malicious DLL.
The Javali DLL is packed and enlarged with junk – a well-known technique used by Latin American trojans such as Grandoreiro and Lampion in order to evade detection.
When executed in memory, the malware is unpacked by blocks using the virtualization code of the Enigma protector.
The unique technology which allows combining the files used by your application into a single module without loss of efficiency. This function supports all kinds of files, including dll, ocx, mp3, avi, etc. Virtual Box will protect your files and prevent them from being copied and used in third-party products.
After bypassing this initial restriction, we can see below (right-side) the Javali trojan DLL partially unpacked.
Figure 17: Javali trojan – Enigma packed DLL vs partially unpacked DLL.
The malicious DLL has a size of 570 MB in disk because it was compiled with empty sessions. When it is executed into the memory, unpacked and the empty sessions are cleaned, the library is a binary of 30 MB.
Figure 18: Unpacked DLL – 30 MB versus packed DLL – 570 MB.
Once the binary is unpacked, at this time it’s possible to obtain the images that are used during the windows overlay process. As observed below, this time the resources are unpacked and can be analyzed.
Figure 19: Packed resources vs unpacked resources.
At this point, internal capabilities and implemented TTP can be analyzed by reversing the Delphi code as well.
Figure 20: Javali trojan – Delphi forms.
Javali configuration obtained from Google Docs
Javali trojan communicates with Google Docs files to obtain its configuration, including the address of the C2 server. If it is not able to connect to the address, it uses a hardcoded one. Javali checks for connectivity by sending a web request to the ipinfo.io service.6EEE36B7,”mov eax,avira.oe.nativecore.6EF188B4″,”&L””Windows 7 Ultimate”””6EEE36CB,”mov eax,avira.oe.nativecore.6EF0E4C0″,”&L””BAUdGYGlgX3wUY4XrGGt9z6CrGnnlmpgCaEIjtxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxOWSW6IPkjwCg7WWUH1mCyA3Dhh8A0123456789″””6EEE36DF,”mov eax,avira.oe.nativecore.6EF188BC”,”&L””TUBA-01″””6EEE3757,”mov eax,avira.oe.nativecore.6EF18900″,”&L””1724526122″””6EEE376B,”mov eax,avira.oe.nativecore.6EF1891C”,”&L””Windows 7″””6EEE3789,”mov eax,avira.oe.nativecore.6EF18930″,”&L””http://ipinfo.io/json“””6EEE3793,”mov eax,avira.oe.nativecore.6EF18934″,”&L””xx.46.179.xx”””6EEE37CF,”mov eax,avira.oe.nativecore.6EF1894C”,”&L””hxxps://docs.google.]com/document/d/15dKy9iPdfKKUyI5JEn6lyhxramzevtn0siixKmnfNB0/edit”””6EEE37D9,”mov eax,avira.oe.nativecore.6EF18950″,”&L””hxxps://docs.google.]com/document/d/16OdxMD6j6d2gnAmzmCb23M_gNb6_ESKELXSBdVFP2V0/edit”””6EEE37E3,”mov eax,avira.oe.nativecore.6EF18954″,”&L””hxxps://claricepss.webcindario.]com/pgl/index.php”””6EEE380B,”mov eax,avira.oe.nativecore.6EF18970″,”&L””18.104.22.168″””6EEE3815,”mov eax,avira.oe.nativecore.6EF18974″,”&L””25325″””
Figure 20: Javali process of getting config from Google Docs and communication with C2 server.
The list of Google docs hardcoded inside the Javali file is presented below:
Figure 21: Javali configuration obtained from Google Docs.
The strings of the Google Docs files are encrypted and the algorithm used to encrypt strings comes from the “Mestres da Espionagem Digital” book also used in another Latin American banking trojan such as Casbaneiro.
Criminals also used a public library called DCPCrypt – a library responsible for encrypting buffers with various algorithms. As observed in Figure 22, each of these algorithm classes have string identifiers beginning with DCP string such as DCPPcrypt2, DCPsha512, DCP_blockcipher128, etc. This library is used to facilitate the encryption communication between the compromised machine and the C2 server via HTTPS protocol.
Figure 23: Classe names of cryptographic algorithms used by Javali trojan.
On the other side, the host information retrieved from Google Docs is obfuscated for obvious reasons. Javali also adopts another third-party library named IndyProject for communication with the C2.
Indy is an open-source client/server communications library that supports TCP/UDP/RAW sockets, as well as over 100 higher level protocols including SMTP, POP3, IMAP, NNTP, HTTP, FTP, and many more. Indy is written in Delphi but is also available for C++Builder and FreePascal.
Figure 24: IndyProject third-party library used by Javali.
From the analysis of Javali’s sample, information about C2 where extracted. By comparing the first URL “claricepss.webcindario.]com” with other subdomains from “webcindario.]com” which translates to IP 5.57.226.]202, we can found that the domain has been used for a long time by Brazilian criminals in campaigns this line.6EEE37E3,”mov eax,avira.oe.nativecore.6EF18954″,”&L””hxxps://claricepss.webcindario.]com/pgl/index.php”””6EEE380B,”mov eax,avira.oe.nativecore.6EF18970″,”&L””191.232.170.]12″”” 6EEE3815,”mov eax,avira.oe.nativecore.6EF18974″,”&L””25325″””51.103.136.]92/nave/index.php
For example, other directories were found upon the subdomain “claricepss” as observed below with malicious landing pages related to banking organizations available and used to capture the victims’ credentials.[13:38:54] 301 – 6KB – /bb -> https://claricepss.webcindario.]com/bb/[13:39:05] 301 – 6KB – /cadastro -> https://claricepss.webcindario.]com/cadastro/[13:39:18] 301 – 6KB – /chrome -> https://claricepss.webcindario.]com/chrome/[13:39:20] 301 – 6KB – /black -> https://claricepss.webcindario.]com/black/[13:39:21] 301 – 6KB – /imap -> https://claricepss.webcindario.]com/imap/[13:39:23] 301 – 6KB – /casa -> https://claricepss.webcindario.]com/casa/[13:39:30] 301 – 6KB – /pgl -> https://claricepss.webcindario.]com/pgl/[13:39:57] 301 – 6KB – /deco -> https://claricepss.webcindario.]com/deco/[13:40:52] 301 – 6KB – /xy -> https://claricepss.webcindario.]com/xy/
Figure 25: Banking landing-page used to collect credentials and lure victims during the infection process.
Next, we can observe the output from the C2 server of Javali trojan banker, with the last infected victims and their geolocation, and also extracted passwords from online services hardcoded inside the malware such as:
Figure 26: C2 dashboard with last infections and victims’ credentials.
In detail, these fake pages are shown during the infection chain in order to collect credentials. Criminals control all the workflow and victims’ navigation in the background and in real-time as detailed in this article related to a huge phishing campaign this nature – Anubis Phishing Network.
Window overlay process
When victims access a specific banking or financial portal, the malware triggers a new thread to launch the overlay windows. If the accessed portal matches the hardcoded banking organizations, Javali sends to the C2 a simple request with information about the infected machine separated by markers such as “|” and “<“.
Full list of hardcoded banking and financial organizations:
x2ddad8c (16): CrediSiS0x2ddadb4 (16): Viacredi0x2ddaddc (16): CIDETRAN0x2ddae04 (16): Daycoval0x2ddae2c (22): BRB Banknet0x2ddae54 (20): Banco Alfa0x2ddae7c (16): NBC BANK0x2ddaea4 (22): Pine Online0x2ddaecc (22): Banco Safra0x2ddaef4 (16): Banestes0x2ddaf1c (22): Banco Inter0x2ddaf44 (18): Banco BNB0x2ddaf6c (18): Mercantil0x2ddaf94 (18): Santander0x2ddafbc (16): Banco It0x2ddafe4 (18): Bradesco 0x2ddb00c (22): [bb.com.br]0x2ddb034 (16): R4pp0rt 0x2ddb05c (16): core.exe0x2ddb084 (22): SunAwtFrame0x2ddb0ac (16): Cursor_10x2ddb0d4 (20): DWMAPI.dll0x2ddb0fc (18): Banco Ita0x2ddb124 (16): BL-0.ini0x2ddb14c (22): default_set0x2ddb174 (22): \ConfXTheme0x2ddb19c (18): Microsoft0x2ddb1c4 (16): KingHost0x2ddb1ec (16): Locamail0x2ddb214 (20): Terra Mail0x2ddb23c (20): E-mail UOLAplicativo Itaúitauaplicativo.exeBanco ItaúAplicativo sicoobsicoobAplicativoBradesco.exeNavegadorExclusivoBradesco.exeAplicativo bradescoBanco BradescoBanco do BrasilBanco Bradesco | Pessoa Física, Exclusive, Prime e PrivateBradesco Pessoa jurídica | BradescoBradesco JuJuBanco ItáuSantanderBanco SantanderSicrediBanco SicrediMercantilBanco MercantilinternetbankingCaixa EconomicaBanco SicoobUnicred PortalBanco UnicredInternet Banking BNBBanco BNBBanco InterBanco IntermediumBanco MUFG Brasil S.A.Banestes - Internet BankingBanestesInternet BankingBanparáCetelem | LoginCooperativa de CréditoNova Home | InternetBanco SafraBANCO PAULISTAUNICREDUniprimeCentralBem vindo ao seu BMGPortal - Banco VotorantimPine OnlineNBC BANKTribanco OnlineBanco AlfaBanco Indusval & PartnersPortal Internet BanrisulBanco OriginalAcesse sua conta CelcoinLogin - NubankBRB BanknetBanco de BrasíliaBanco da AmazôniaBaneseBancoTopazioInternetBankingBancoIndustrialBanco IndustrialDaycovalCIDETRANViacrediMercado PagoCrediSiS
As described, Javali is monitoring the accessed web-pages on the victim side. When a match is achieved, the communication with the C2 servers starts. The C2 server is geolocated in Brazil, and a new port is generated dynamically each execution between a well-defined range. Socket communication is established using the IndyProject library.
Figure 27: Communication with the C2 server during the windows overlay process.
As mentioned several times during this analysis, code sharing has been seen in different Latin American trojans. This kind of socket communication can be also observed during the Lampion trojan activity.
More, hardcoded C2 endpoints inside the Javali can be related to Grandoreiro activity as described in this article.
Javali C2 endpoints hardcoded
Grandoreiro C2 endpoints (right-side)
Figure 28: Grandoreiro C2 endpoints found hardcoded in the Javali sample.
As with many other banking trojans, Javali supports several backdoor commands. The capabilities of these commands include:
Javali is a potent piece of malware, whose primary capability is theft of banking information and other personal information from the user machine and sends it to the C2 server. This trojan abuses a legitimate injector from Avira Firm to create a child process and loads into the memory a protected DLL with the trojan operations. With this technique in place, bypassing some AV and EDR is possible and the trojan-activity can be masqueraded for a long time.
Finally, the trojan is a dangerous weapon, with the capabilities to self-update itself, capture keystrokes and mouse movements, take screenshots, block access the several Windows-based applications and banking and financial portals, and starting the windows overlay process when a legitimate portal is accessed.
Screenshots of the windows launched by Javali, Mitre Att&ck Matrix, and other IOCs are presented below.
Windows overlay extracted from Javali trojan
Indicators of Compromise and the Mitre Att&ck Matrix are available in the original report:
About the authors: Pedro Tavares
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst, Cybersecurity Analyst and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Javali trojan)