March 12, 2024
Severity
High
Analysis Summary
Brazilian users are being targeted by a novel banking trojan dubbed CHAVECLOAK, distributed through phishing emails with PDF attachments. Once the attachment is downloaded, the attack chain uses DLL side-loading to deliver the final malware payload.
“Notably, CHAVECLOAK is specifically designed to target users in Brazil, aiming to steal sensitive information linked to financial activities,” said the cybersecurity researchers.
The attack chain starts with contract-themed DocuSign lures that prompt the unsuspecting user to open the PDF. The PDF contains a button to read and sign the document, but clicking it fetches an installer from a remote link shortened with the Goo.su URL shortening service. Inside the installer is an executable named "Lightshot.exe" that uses DLL side-loading to load "Lightshot.dll". This side-loaded DLL is used by CHAVECLOAK to steal sensitive information, such as system metadata, and to check whether the compromised system is located in Brazil; if it is, the malware monitors the foreground window at intervals and compares its title against a predefined list of bank-related strings.
If a string matches, the malware connects to a command-and-control (C2) server and exfiltrates the harvested information to different endpoints on that server, depending on the financial organization. To commit credential theft, the malware lets the operator block the victim's screen, log keystrokes, and display fake pop-up windows. It also actively monitors the victim's access to specific financial portals, including various banks and Mercado Bitcoin, targeting both cryptocurrency platforms and traditional banks.
The researchers also discovered another CHAVECLOAK variant written in Delphi, which once again shows the prevalence of Delphi-based malware targeting Latin America (LATAM). The threat landscape targeting the financial sector, and Brazilian users in particular, keeps evolving, and the emergence of the CHAVECLOAK banking trojan highlights the need for robust security measures and vigilance.
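The side-loading stage described above (Lightshot.exe loading a namesake Lightshot.dll from the directory the installer dropped it in) leaves a recognisable trace in endpoint image-load telemetry. The script below is an added detection example written for this alert, not Rewterz or the original researchers' code; it assumes a simplified Sysmon Event ID 7 (ImageLoad) line format, constructed sample events, and a hypothetical list of trusted install roots.

```python
import ntpath
import re

# Constructed sample events in a simplified Sysmon Event ID 7 (ImageLoad) shape.
SAMPLE_EVENTS = [
    r"Image=C:\Users\alice\Downloads\NotaFiscal\Lightshot.exe ImageLoaded=C:\Users\alice\Downloads\NotaFiscal\Lightshot.dll Signed=false",
    r"Image=C:\Program Files\Lightshot\Lightshot.exe ImageLoaded=C:\Program Files\Lightshot\Lightshot.dll Signed=true",
    r"Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\shell32.dll Signed=true",
    r"Image=C:\Users\bob\AppData\Local\Temp\Lightshot.exe ImageLoaded=C:\Users\bob\AppData\Local\Temp\Lightshot.dll Signed=false",
]

EVENT_RE = re.compile(
    r"Image=(?P<image>.+?) ImageLoaded=(?P<dll>.+?) Signed=(?P<signed>true|false)$"
)
# Install roots treated as trusted; anything else is treated as user-writable (assumption).
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")
# Host EXE / side-loaded DLL pair named in the advisory.
SIDELOAD_PAIRS = {"lightshot.exe": "lightshot.dll"}


def parse_event(line):
    """Return (image, dll, signed) or None when the line is not an ImageLoad record."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return m["image"], m["dll"], m["signed"] == "true"


def is_sideload(image, dll, signed):
    """True when a known host EXE loads its namesake DLL, unsigned, from the same
    user-writable directory that holds the EXE (the side-loading pattern)."""
    exe_name = ntpath.basename(image).lower()
    dll_name = ntpath.basename(dll).lower()
    if SIDELOAD_PAIRS.get(exe_name) != dll_name:
        return False
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(dll).lower()
    trusted = ntpath.dirname(image).lower().startswith(TRUSTED_ROOTS)
    return same_dir and not trusted and not signed


def find_sideloads(lines):
    """Return the (image, dll) pairs flagged across a batch of log lines."""
    hits = []
    for line in lines:
        parsed = parse_event(line)
        if parsed and is_sideload(*parsed):
            hits.append((parsed[0], parsed[1]))
    return hits


if __name__ == "__main__":
    for image, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"ALERT possible DLL side-loading: {image} -> {dll}")
```

The legitimate, signed Lightshot install under Program Files is deliberately not flagged, so the rule keys on location and signature rather than on the file name alone.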
Impact
- Credential Theft
- Data Exfiltration
- Financial Loss
Indicators of Compromise
URL
- https://webattach.mail.yandex.net/message_part_real/NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUUR.zip
- https://goo.su/FTD9owO
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Keep operating systems and software up to date: banking trojans often exploit vulnerabilities in software and operating systems, and timely patching helps prevent those vulnerabilities from being exploited.
- Implement strong password policies: banking malware often relies on stolen login credentials to access sensitive information. Implementing strong password policies and multifactor authentication can make it more difficult for attackers to gain access.
- Provide regular security awareness training for employees that can help them recognize phishing emails and other types of social engineering attacks that are commonly used to spread banking malware.
- Maintain daily backups of all computer networks and servers.