
New Spy Banker Trojan Telax Abusing Google Cloud Servers

By: Deepen Desai




Zscaler ThreatLabZ has been closely monitoring a new Spy Banker Trojan campaign targeting Portuguese-speaking users in Brazil. The malware authors are leveraging Google Cloud Servers to host the initial Spy Banker Downloader Trojan, which is responsible for downloading and installing the Spy Banker Trojan Telax. The attackers use social engineering tactics, such as offering coupon vouchers and free software applications like WhatsApp and Avast antivirus, to lure the end user into downloading and installing the malicious payload. The social networking sites Facebook and Twitter are primarily being used to spread a shortened URL (created with a URL-shortening service) that points to a Google Cloud Server hosting the malicious payload with a .COM or .EXE file extension.

Campaign Details

The attack starts with a shortened URL posted on a social networking site, or with a drive-by download from malicious sites that claim to offer premium software or coupons. Below is a recent attack chain in which the user clicked on a link shared via Facebook that led to the download of the Telax payload:

Figure 1: Spy Banker Telax served via Facebook



The link points to a PHP file hosted on the Google Cloud Server that performs a 302 redirect to download the initial Spy Banker Downloader Trojan payload. The executable poses as Brazil's federal revenue online tax-return service. We have also seen other themes offering fake premium software applications and discount vouchers, as the file names below show. Malicious payload file names:

  • americanas.exe
  • AvastPro.exe
  • setup.exe
  • whatsapp_setup.exe
  • WhatsApp_Setup.exe

Below are the statistics on the number of user clicks recorded for the attack campaign shared in Figure 1:

Figure 2: User clicks on the malicious link

The majority of the targeted users were led to the malicious link from Facebook, as seen below:

Figure 3: Source for the link visits

In addition to social networking sites, we also saw users arriving at the Spy Banker Telax payloads hosted on Google Cloud servers from the following sites:

  • aquinofinal[.]com
  • aquiredire[.]com
  • brasildareceita[.]com
  • mundodareceita[.]com
  • ofertasplusdescontos[.]com

All but one of the domains listed above have been repossessed by GoDaddy and are no longer active. A quick WHOIS lookup of the active domain shows that it was recently registered to 'kleyb maxbell' with the following information:

Figure 4: Whois information for an attack domain

We found another domain, 'ofertasmaxdescontos[.]com', registered by the same user that also appears to be actively redirecting users to the malicious payload hosted on a predetermined Google Cloud Server, as seen below:

Figure 5: Active attack domains

It is important to note that Google has already cleaned up the cloud servers that these two active sites currently redirect to, so the infection cycle fails with a 404 Not Found message. The geographic distribution of the users attempting to download the final malicious payload from Figure 1 is shown below:

Figure 6: Geographic distribution of target users

As expected, the majority of the users targeted by this malware campaign are in Brazil. It is important to note that the success of this attack depends primarily on the social engineering tactics used to convince the end user to open the downloaded payload.

Spy Banker Trojan Telax analysis

The initial file that gets downloaded is the Spy Banker Downloader Trojan. The Downloader Trojan is responsible for downloading and executing the final payload from a list of predetermined URLs, as seen below:

Figure 7: Downloader Trojan hardcoded URLs

The final payload, Spy Banker Trojan Telax, is a Delphi executable capable of stealing banking credentials from Portuguese-speaking users. Upon execution, Telax injects malicious code into the legitimate Visual Basic Compiler (vbc.exe) process. The injected code first checks for the presence of a virtual environment such as VMware, VirtualBox, Wine or Virtual PC on the target system. The Telax executable contains the following additional files embedded in its resource section:

  • SQLLite.dll - legitimate SQLite binary
  • 32-bit rootkit component
  • 64-bit rootkit component
  • 64-bit copy of itself

Depending on the bitness of the target operating system, Telax registers the appropriate rootkit driver:

HKLM\SYSTEM\CurrentControlSet\Services\hookmgr\ImagePath: "<User>\<CurrentLocation>\hookmgr.sys"
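The service registration above is a useful hunting artifact: a kernel driver whose ImagePath lives under a user profile rather than under %SystemRoot% is rare on a healthy host. The following is an added example (not Zscaler's code) that parses a Windows .reg export of the Services hive and flags driver services (Type 1 or 2) whose image path points into a user-writable location. The sample export and the service name drv_tmp are constructed; only hookmgr comes from the post.

```python
"""Flag kernel-driver services whose ImagePath points into a user-writable
location, the registration pattern the Telax rootkit (hookmgr) uses.
Added example, not part of the original post."""
import re

# Constructed sample of a Windows .reg export; not captured from a real host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hookmgr]
"Type"=dword:00000001
"Start"=dword:00000002
"ImagePath"="C:\\Users\\victim\\Downloads\\hookmgr.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="System32\\drivers\\disk.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drv_tmp]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="\\??\\C:\\Users\\victim\\AppData\\Local\\Temp\\drv_tmp.sys"
"""

SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$",
    re.IGNORECASE,
)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')
# Locations an unprivileged user can normally write to.
USER_WRITABLE = re.compile(
    r"(^[a-z]:\\users\\|\\appdata\\|\\temp\\|^%(temp|tmp|appdata|userprofile)%)",
    re.IGNORECASE,
)
KERNEL_DRIVER_TYPES = {1, 2}  # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER


def parse_services(reg_text):
    """Return {service_name: {value_name: value}} for the Services subkeys."""
    services = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = SERVICE_KEY.match(line)
        if key:
            current = services.setdefault(key.group(1), {})
            continue
        if current is None:
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, val = m.group("name"), m.group("val")
        if val.startswith("dword:"):
            current[name] = int(val[6:], 16)
        elif val.startswith('"') and val.endswith('"'):
            # .reg exports escape backslashes and quotes inside strings.
            current[name] = val[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return services


def find_suspicious_driver_services(reg_text):
    """Return [(service_name, image_path)] for drivers loaded from user-writable paths."""
    findings = []
    for name, values in parse_services(reg_text).items():
        if values.get("Type") not in KERNEL_DRIVER_TYPES:
            continue
        image = values.get("ImagePath", "")
        # Native NT paths may carry a \??\ prefix; drop it before matching.
        if image.startswith("\\??\\"):
            image = image[4:]
        if USER_WRITABLE.search(image):
            findings.append((name, image))
    return findings


if __name__ == "__main__":
    for name, path in find_suspicious_driver_services(SAMPLE_REG_EXPORT):
        print(f"suspicious driver service {name!r} -> {path}")
```

Relative image paths such as System32\drivers\disk.sys are resolved by the service controller under %SystemRoot%, so they are left alone; the check only fires on absolute or %VAR%-prefixed paths that resolve into a profile or temp directory.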

The main form that we extracted from the malicious Delphi binary is named 'Telax' by the author and can be seen below:  

Figure 8: Spy Banker Telax main form

Here is the translation of the pre-configured features found in this bot:

  • Auto Reconectar se perder conexao -> Auto Reconnect lost connection
  • bloquear VM -> VM block
  • Proteger Processo -> Protect Process
  • Mensagem de instalacao -> Message installation
  • Gerar infect -> Generate infect
  • Ativar host -> Enable host
  • ativar update -> Activate update
  • ativar killer -> Activate killer
  • ativar Worm -> Activate Worm
  • Versao -> Version
  • Porta -> Port

Following are the additional Telax modules that we looked at during our analysis:

A. Module name: TnHulk.MITO - Detects installed antivirus applications on the system. It specifically looks for the following antivirus executables on the target system:

  • BavUpdater.exe - Baidu Antivirus
  • instup.exe - Avast
  • avgmfapx.exe - AVG
  • Update.exe - Symantec

B. Module name: TTitulo.IPTX - Responsible for decrypting the embedded strings in the file.

C. Module name: TXRPD - Responsible for installing the malware on the system.

D. Module name: TLISTING - Contains the rootkit functions.

Network Communication

Upon successful installation, Telax sends the following information to a remote Command & Control (C&C) server:

  • ID_MAQUINA - Machine ID
  • VERSAO - Bot version
  • WIN - Operating system
  • NAVEGADOR - Default browser
  • PLUGIN - Presence of G-Buster Browser Defense (gbieh.dll) plugin
  • AV - Antivirus installed


Figure 9: Telax C&C communication

Following are the C&C commands that Telax uses in its communication:

Command             Description
<|PING|>            Checks the status of the connection
<|Info|>            Sends infected OS details and bot version
<|Close|>           Closes all connections
<|DESI|>            Uninstalls itself
<|reini|>           Restarts the system
<|REQUESTINFO|>     Requests information about installed antivirus, anti-spyware and firewall
<|REQUESTKEYBOARD|> Sends keystrokes to the active application window
<|HjiopPos|>        Sets the mouse position
<|HjiopLD|>         Sets the mouse left button down
<|HjiopLU|>         Sets the mouse left button up
<|POWT|>            Types a given string in the current window
{DESMON}            Sets the state of the display using the WM_SYSCOMMAND window message
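The command tokens above have a distinctive shape (<|NAME|>, plus {DESMON}) that makes them easy to pick out of captured C&C traffic. The following added example (not Zscaler's code) turns the table into a small classifier: it finds every Telax token in a set of session lines, maps it to the description from the table, and grades the session by the most intrusive command seen. The severity buckets (remote-control, host-impact, housekeeping) are this example's own grouping, and the session lines are constructed rather than a real capture; the post does not describe any payload format that follows a token, so none is assumed.

```python
"""Classify Telax C&C command tokens found in captured session lines.
Added example, not part of the original post. Command names and their
descriptions come from the blog's table; everything else is constructed."""
import re

TELAX_COMMANDS = {
    "<|PING|>": "Checks the status of the connection",
    "<|Info|>": "Sends infected OS details and bot version",
    "<|Close|>": "Closes all connections",
    "<|DESI|>": "Uninstalls itself",
    "<|reini|>": "Restarts the system",
    "<|REQUESTINFO|>": "Requests installed antivirus, anti-spyware and firewall information",
    "<|REQUESTKEYBOARD|>": "Sends keystrokes to the active application window",
    "<|HjiopPos|>": "Sets the mouse position",
    "<|HjiopLD|>": "Sets the mouse left button down",
    "<|HjiopLU|>": "Sets the mouse left button up",
    "<|POWT|>": "Types a given string in the current window",
    "{DESMON}": "Sets the display state via WM_SYSCOMMAND",
}

# Severity buckets are this example's own grouping (assumption, not from the post).
REMOTE_CONTROL = {"<|REQUESTKEYBOARD|>", "<|HjiopPos|>", "<|HjiopLD|>",
                  "<|HjiopLU|>", "<|POWT|>", "{DESMON}"}
HOST_IMPACT = {"<|DESI|>", "<|reini|>"}

# Matches the <|Name|> token shape and the one brace-delimited command.
TOKEN = re.compile(r"<\|[A-Za-z]+\|>|\{DESMON\}")


def classify(token):
    """Return the severity bucket for a single command token."""
    if token in REMOTE_CONTROL:
        return "remote-control"
    if token in HOST_IMPACT:
        return "host-impact"
    if token in TELAX_COMMANDS:
        return "housekeeping"
    return "unknown"


def scan_session(lines):
    """Return [(line_no, token, category, description)] for every token found."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for token in TOKEN.findall(line):
            hits.append((line_no, token, classify(token),
                         TELAX_COMMANDS.get(token, "not in the known command set")))
    return hits


def alert_level(hits):
    """Grade a session by the most intrusive category present."""
    categories = {hit[2] for hit in hits}
    if "remote-control" in categories:
        return "critical"
    if "host-impact" in categories:
        return "high"
    if categories:
        return "medium"
    return "none"


# Constructed session lines (direction prefix and timestamps are made up).
SAMPLE_SESSION = [
    "10:02:11 C2->bot <|PING|>",
    "10:02:12 bot->C2 <|Info|>",
    "10:03:40 C2->bot <|HjiopPos|>",
    "10:03:41 C2->bot <|HjiopLD|>",
    "10:03:41 C2->bot <|HjiopLU|>",
    "10:03:45 C2->bot <|POWT|>",
    "10:05:00 C2->bot <|NOPE|>",
]

if __name__ == "__main__":
    hits = scan_session(SAMPLE_SESSION)
    for line_no, token, category, description in hits:
        print(f"line {line_no}: {token:<20} {category:<15} {description}")
    print("alert level:", alert_level(hits))
```

A mouse-position command followed by left-down, left-up and a typed string is the bot being driven interactively, which is why the remote-control bucket alone is enough to raise the session to critical; a lone <|PING|> stays at medium.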

We also found fake panels for two-factor authentication that are presumably used to capture and bypass the two-factor authentication mechanism.

Figure 10: Fake two-factor authentication panel

Telax Downloader Hashes


Spy Banker Telax is a Banking Trojan that specifically targets Portuguese-speaking users. The malware authors are actively pushing out new versions of the Telax binaries (latest version 4.7) and are abusing Google Cloud Servers to host the payload for infection. No vulnerability exploit is used in this campaign; the attackers rely solely on social engineering to infect end users. Zscaler's ThreatLabZ has confirmed coverage for the initial downloader and Telax payloads, ensuring protection for organizations using Zscaler's Internet security platform.

Research by: Deepen Desai, Nirmal Singh, Lenart Brave
