Phishing campaign spreads malware to Facebook users in Brazil and Mexico
Sponsored ads offered discount coupons to distribute a malicious Chrome extension, among other threats
Researchers from Tempest’s Threat Intelligence team have detected a new phishing campaign targeting Facebook users in Brazil and Mexico. In the campaign, sponsored ads offered discount coupons for a large fast-food chain in order to spread a malware which, according to the research, is divided into three modules: a file capture and credential theft module, a malicious extension to Google Chrome and a Remote Administration Tool (RAT), used for screen overlay to commit bank fraud.
Next, we’ll look at the details and methods used in this campaign.
Campaign Analysis
Phishing
In the scam, which would have made more than 10,000 victims, a sponsored ad (image 1) offers discounts on products. To get discounts, one has to click a link to a website where the coupons are. The website is a malicious page containing a series of seemingly official coupons. On the page, the victim is prompted to click a button to supposedly download the coupons. By clicking the button, a compressed file (containing two files, with the extensions .msi and .exe) is downloaded to the victim’s computer.
Image 1: Sponsored ad offers discount coupons on a link
By running the .msi file (through msiexec.exe — Windows Installer Component) a Visual Basic script (VBScript) is triggered, which, in turn, will trigger the following actions:
– Download other script files;
– Download and unzip a file containing the malicious extension for Google Chrome;
– Modify Chrome shortcuts from scripts to run the malicious extension;
– Start the RAT infection process.
VBScripts execution and RAT installation
The first VBScript (contained in the .msi extension file) runs a sequence of obfuscated codes, culminating in the download of a new VBScript on the computer. In all, six distinct routines were identified in the process. It is speculated that this is done in order to hinder the work of analysis and also as a method of evasion from antivirus programs.
The new VBScript downloads the .zip file containing the malicious Chrome extension and the commands that modify the browser shortcuts on the victim’s computer. These commands will cause the browser to load the malicious extension at runtime, which guarantees its persistence in Chrome even if it is removed by the victim.
Concomitantly, the computer is infected by the Overlay RAT; however, this infection will only be performed if the language configured on the computer is Portuguese, and if it is not a virtual machine (VM).
Post infection and data theft
After completing the entire infection process, the malware searches the entire operating system for user and password data from email and FTP clients. If identified, this data is obfuscated and sent to a C&C server.
Several C&C servers were identified by the research. Through them, researchers found data that included email client contact lists, Gmail contact lists, HTML pages, email credentials (usernames and passwords), and password lists with apparent origin at the Google Password Manager — later it was possible to confirm that cookie data and Google Chrome’s “LoginData” (SQLite database that saves all user and password information saved in the browser) were in the campaign target. It is noteworthy that “LoginData” data is encrypted, but the author of the malware was able to decrypt it, transforming it into clear text.
Image 2: Stolen data from victims includes login data saved in Google Chrome
Researchers have identified that each type of captured data is cataloged and separated into files containing identification codes. So far the following codes have been identified:
* HJ — LoginData Chrome *
* HK — Contact List (emails only) *
* HY — Errors reading Chrome database *
Malware analysis made it possible to verify the existence of a mathematical pattern in the obfuscation processes involved in sending data to the C2 server. This way, researchers were able to create a script to unscramble all information captured and sent by the artifact.
Malicious Chrome Extension
The malicious Chrome extension is able to capture and modify data from any site accessed by the browser. Its specific feature, however, is to modify payment slips identified in the browser tabs.
Once the extension identifies a payment slip on a page, it captures and sends it to a C2 where it is modified, and sent back via POST. All this data, both in the request and in the response, is obfuscated.
RAT module
The final module of the malware is a Remote Acces Trojan which is able to perform page overlays for four Brazilian banks.
A DLL (which is imported as soon as the malware is run at operating system startup) has been identified by the researchers as containing the screens used in the overlay process.
