Zscaler ThreatLabZ has been closely monitoring a new Spy Banker Trojan campaign that has been targeting Portuguese-speaking users in Brazil. The malware authors are leveraging Google Cloud Servers to host the initial Spy Banker Downloader Trojan,
which is responsible for downloading and installing Spy Banker Trojan Telax
The attackers are using social engineering tactics, such as offering coupon vouchers and free software applications like WhatsApp and Avast antivirus, to lure the end user into downloading and installing the malicious payload. Social networking sites Facebook and Twitter are primarily being used to spread a shortened URL (using bit.ly service) that points to a Google Cloud Server hosting the malicious payload with .COM or .EXE file extensions.
The attack starts with a shortened URL posted on a social networking site or via drive by download from malicious sites posing to offer premium software or coupons. Below is a recent attack chain where the user clicked on a link shared via Facebook that lead to the download of Telax payload:
|Figure 1: Spy Banker Telax served via Facebook
The bit.ly link points to a PHP file hosted on the Google Cloud Server that does a 302 redirect to download the initial Spy Banker Downloader Trojan payload.
The executable file receitanet.com
is posing to be Brazil's federal revenue online tax returns service. We have also seen other themes offering fake premium software applications and discount vouchers as seen from the file names below.
Malicious payload file names:
Below are the statistics (credit: Bit.ly) on the number of users clicks that were recorded for the attack campaign shared in Figure 1:
|Figure 2: User clicks on the malicious bit.ly link
Majority of the target users were lead to the malicious bit.ly link from Facebook as seen below:
|Figure 3: Source for the bit.ly link visits
In addition to social networking sites, we also saw users arriving to the Spy Banker Telax payloads hosted on Google Cloud servers from the following sites:
All but one of the domains listed above are repossessed by Go Daddy and are no longer active. A quick WhoIs
look up of the active domain shows that it was recently registered to 'kleyb maxbell' with following information:
|Figure 4: Whois information for an attack domain
We found another domain 'ofertasmaxdescontos[.]com' registered by the same user that also appears to be actively redirecting users to the malicious payload hosted on a predetermined Google Cloud Server as seen below:
|Figure 5: Active attack domains
It is important to note that Google has already cleaned up the cloud servers being currently redirected by these two active sites and hence the infection cycle will fail with a 404 Not Found message.
Geographic distribution of the users attempting to download the end malicious payload from Figure 1 is shown below:
Figure 6: Geographic distribution of target users
As expected, majority of the users targeted by this malware campaign are from Brazil. It is important to note that the success of this attack depends primarily on the social engineering tactics in convincing the end user into opening the downloaded payload.
Spy Banker Trojan Telax analysis
The initial file that gets downloaded is the Spy Banker Downloader Trojan. The Downloader Trojan is responsible for downloading & executing the final payload from a list of predetermined URLs as seen below:
|Figure 7: Downloader Trojan hardcoded URLs
The final payload, Spy Banker Trojan Telax, is a Delphi executable that is capable of stealing Banking credentials targeting Portuguese users. Upon execution, Telax injects malicious code into legitimate Visual Basic Compiler (vbc.exe) process. The injected code first checks for the presence of virtual environment like VMWare, Virtual Box, Wine and Virtual PC on the target system.
Telax executable contains following additional files embedded in it's resource section:
- SQLLite.dll - legitimate SQL Lite binary
- 32-bit rootkit component
- 64-bit rootkit component
- 64-bit copy of itself
Depending on the bit-ness of the target operating system, Telax will register the appropriate rootkit driver:
The main form that we extracted from the malicious Delphi binary is named 'Telax' by the author and can be seen below:
|Figure 8: Spy Banker Telax main form
Here is the translation for the pre-configured features found in this bot:
- Auto Reconectar se perder conexao -> Auto Reconnect lost connection
- bloquear VM -> VM block
- Proteger Processo -> Protect Process
- Mensagem de instalacao -> Message installation
- Gerar infect -> Generate infect
- Ativar host -> Enable host
- ativar update -> Activate update
- ativar killer -> Activate killer
- ativar Worm -> Activate Worm
- Versao -> Version
- Porta -> Port
Following are the additional Telax modules that we looked at during our analysis:
A. Modulename: TnHulk.MITO
Detects installed Antivirus applications on the system. It specifically looks for following antivirus executables on the target system:
BavUpdater.exe - Baidu Antivirus
instup.exe - Avast
avgmfapx.exe - AVG
Update.exe - Symantec
B. Modulename: TTitulo.IPTX
Responsible for decrypting embedded strings in the file.
C. Modulename: TXRPD
Responsible for installing malware on the system.
D. Modulename: TLISTING
Contains the rootkit functions
Upon successful installation, Telax sends following information to a remote Command & Control (C&C) server:
- ID_MAQUINA - Machine ID
- VERSAO - Bot version
- WIN - Operating system
- NAVEGADOR - Default browser
- PLUGIN - Presence of G-Buster Browser Defense (gbieh.dll) plugin
- AV - Antivirus installed
|Figure 9: Telax C&C communication
Following are the C&C commands that are used by Telax for its communication:
||Checking status of connection
||Sends infected OS details and bot version
||Close all connections
||Request for information regarding installed AntiVirus, AntiSpyware and Firewall
||Sends keystrokes to active application window
||Set mouse position
||Set mouse left button down
||Set mouse left button up
||Type given string in current window
||Sets the state of the display using WM_SYSCOMMAND window message
We also found fake panels for two-factor authentication that will presumably be used to capture and bypass the two-factor authentication mechanism.
Telax Downloader Hashes
|Figure 10: Fake two factor authentication panel
Spy Banker Telax is a Banking Trojan that has specifically targeted Portuguese users. The malware authors are actively pushing out new versions of Telax (latest version 4.7) binaries and are abusing Google Cloud Servers to host the payload for infection. There is no vulnerability exploit being used in this campaign and the attackers are solely relying on social engineering to infect the end users.
Zscaler’s ThreatLabZ has confirmed coverage for the initial downloader and Telax payloads, ensuring protection for organizations using Zscaler’s Internet security platform.
Research by: Deepen Desai, Nirmal Singh, Lenart Brave