The MnuBot Trojan implements a two-stage attack flow, it is composed of two main components that are tasked for the two stages.
In the first stage, the malware searches for a file called Desk.txt within the %AppData%Roaming folder.
If the file is not present, MnuBot creates it, creates a new desktop and switches the user workspace to that newly created desktop that runs side by side to the legitimate user desktop.
MnuBot continually checks the foreground window name in the new desktop searching for bank names in its configuration, then it will query the server for the second stage executable according to the specific bank name that was found.
The MnuBot implements the following capabilities:
The malware downloads the malicious payload in as C:\Users\Public\Neon.exe, this binary contains the attack logic.
“the MnuBot malware uses a Microsoft SQL Server database server to communicate with the sample and send commands to be executed on the infected machine.” read the report published by IBM.
“Like any other RAT, MnuBot needs to receive commands from the server. To do so, it constantly queries the Microsoft SQL database server for a new command.”
Once the malware has infected the systems, it connects the C&C server to fetch the initial configuration. Experts found SQL server details (server address, port, username, and password) hardcoded inside the malware in an encrypted form.
The configuration also includes:
If the MnuBot malware is not able to access the configuration file it will shut itself down and does not perform any malicious activity on the infected machine.
The MnuBot uses the configuration to dynamically change the malicious activity (e.g., the banking sites that are targeted) and implement anti-research mechanisms.
Every time the attacker wants to send commands to the malware he updates specific columns inside a table stored in a database named jackjhonson.
“The attacker sends commands to the victims by updating specific columns inside a table called USUARIOCONTROLEXGORDO, which is stored in a database named jackjhonson.” continues analysis.
“A few interesting columns include the following:
Like other malware families, MnuBot implements a full-screen overlay form to display victims overlaying forms used to trick them into providing sensitive data.
“Those forms are a type of social engineering to keep the user waiting. In the background, the cybercriminal takes control over the user endpoint and attempts to perform an illegal transaction via the victim’s open banking session.” concludes the report.
“MnuBot is an excellent example of many malware families in the Brazilian region. It holds many characteristics that are typical of other recently discovered malware strains. For example, the overlaying forms and the new desktop creation are well-known techniques that malware authors in the region use today.”
(Security Affairs – MnuBot, malware)