Threat actors have been discovered to be using a new technique for deploying the CHAVECLOAK banking trojan to target users in Brazil.
This trojan is capable of stealing sensitive information related to financial activities.
The attack chain begins with a malicious email carrying a PDF file; the PDF leads to a ZIP download, and DLL side-loading is then used to execute the final malware.
Telemetry from the malware's command-and-control server shows that most of the traffic originates from Brazil.
CHAVECLOAK Malware Hack Windows
According to the reports shared by Fortinet, the initial attack vector of this banking trojan involves a phishing email that mentions an attachment related to a contract that must be signed using the link in the email.
The link was generated with the free URL shortener service “Goo.su” and points to a server that delivers a malicious ZIP file.
This ZIP contains an MSI file “NotafiscalGFGJKHKHGUURTURTF345.msi”.
MSI Installer
Decompressing the ZIP file yields the malicious “NotafiscalGFGJKHKHGUURTURTF345.msi”; extracting that MSI in turn reveals the contents of the installer.
The MSI installer contains multiple TXT files along with a DLL file named “Lightshot.dll”.
Compared with the modification dates of the other files inside the MSI, this DLL carries the most recent date, which indicates that it was modified recently.
Further analysis revealed that the entire configuration had been written in Portuguese.
If installed, the MSI drops these files into the “%AppData%\Skillbrains\lightshot\5.5.0.7” folder.
The executable “Lightshot.exe” is also dropped into the same folder; it uses DLL side-loading to load and execute the malicious “Lightshot.dll”.
This malicious DLL then extracts sensitive information from the compromised system.
CHAVECLOAK Banking Trojan “Lightshot.dll”
This banking trojan performs multiple operations, including gathering volume and file system information from the specified root directory.
To make the malware run automatically, “Lightshot.exe” is added to a registry value; each time the executable starts, the DLL side-loading triggers the malware again.
This establishes persistent access to the compromised system. The malware then sends an HTTP request to “hxxp://64[.]225[.]32[.]24/shn/inspecionando.php,” which checks the system’s geolocation to confirm that the victim is located in Brazil.
CHAVECLOAK performs several actions on the compromised system, such as blocking the victim’s screen, logging keystrokes, and displaying deceptive pop-up windows.
Additionally, the malware monitors the victim’s activity on specific financial portals, including banks and bitcoin platforms.
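The chain described above (an EXE dropped under %AppData% that side-loads a DLL from its own folder, a registry value pointing back at that EXE, and the geolocation check against the C2 path) is the kind of pattern a hunt query can key on. The following is an added example written for this article, not code from Fortinet or Cyber Security News: it runs over constructed, simplified Sysmon-style events (field names, the host layout and the assumption that the persistence value sits under a Run key are all mine) and flags hosts showing the side-load plus at least one of the other two signals.

```python
"""Hunt for the CHAVECLOAK execution chain in Sysmon-style telemetry."""
import ntpath
import re

# The MSI drops into %AppData%\Skillbrains\lightshot\5.5.0.7 (per the article);
# %AppData% expands to C:\Users\<user>\AppData\Roaming, a user-writable location.
USER_WRITABLE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
C2_PATH = "/shn/inspecionando.php"  # geolocation-check endpoint named in the article

# Constructed sample events (simplified Sysmon: 1 process create, 7 image load,
# 13 registry value set, 3 network connection). Field names are assumptions.
DROP = r"C:\Users\ana\AppData\Roaming\Skillbrains\lightshot\5.5.0.7"
LEGIT = r"C:\Program Files\Skillbrains\lightshot"
EVENTS = [
    {"host": "WS01", "id": 1, "image": DROP + r"\Lightshot.exe"},
    {"host": "WS01", "id": 7, "image": DROP + r"\Lightshot.exe", "loaded": DROP + r"\Lightshot.dll"},
    {"host": "WS01", "id": 7, "image": DROP + r"\Lightshot.exe", "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"host": "WS01", "id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Lightshot",
     "details": DROP + r"\Lightshot.exe"},
    {"host": "WS01", "id": 3, "image": DROP + r"\Lightshot.exe", "url": "http://64.225.32.24" + C2_PATH},
    # Legitimate install on another host: same DLL-beside-EXE layout, but not user-writable.
    {"host": "WS02", "id": 1, "image": LEGIT + r"\Lightshot.exe"},
    {"host": "WS02", "id": 7, "image": LEGIT + r"\Lightshot.exe", "loaded": LEGIT + r"\Lightshot.dll"},
]


def same_dir(a, b):
    """True when two Windows paths share a directory (case-insensitive)."""
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def hunt(events):
    """Return {host: sorted signals} for hosts with a side-load from a user-writable
    folder plus at least one of: an autorun value pointing there, the C2 geolocation check."""
    signals = {}
    for ev in events:
        s = signals.setdefault(ev["host"], set())
        if ev["id"] == 7 and same_dir(ev["image"], ev["loaded"]) and USER_WRITABLE.search(ev["image"]):
            s.add("sideload_from_appdata")   # DLL loaded from the EXE's own dropped folder
        elif ev["id"] == 13 and "\\currentversion\\run" in ev["target"].lower() \
                and USER_WRITABLE.search(ev["details"]):
            s.add("run_value_to_appdata")    # assumption: persistence value lives under a Run key
        elif ev["id"] == 3 and ev.get("url", "").endswith(C2_PATH):
            s.add("c2_geo_check")
    return {h: sorted(s) for h, s in signals.items()
            if "sideload_from_appdata" in s and len(s) > 1}


if __name__ == "__main__":
    for host, sigs in hunt(EVENTS).items():
        print(host, sigs)
```

The legitimate Lightshot install on WS02 loads its DLL from beside the EXE too, so the user-writable-path condition is what keeps it from being flagged.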
Indicators Of Compromise
IP
64[.]225[.]32[.]24
URLs
hxxps://webattach.mail.yandex.net/message_part_real/NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUUR[.]zip
hxxps://goo[.]su/FTD9owO
Hostnames
mariashow[.]ddns[.]net
comunidadebet20102[.]hopto[.]org
The post New CHAVECLOAK Malware Hack Windows Via Weaponized PDF File appeared first on Cyber Security News.