Banload Trojan Targets Brazilians With Malware Downloads

August 9, 2016

McAfee Labs has recently encountered new variants of the Banload Trojan. Banload has been around since the last decade. This malware generally arrives on a victim’s system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or a drive-by download. When executed, Banload downloads other malware, often banking Trojans, on the victim’s system to carry out further infections. We have observed this malware is using the functionality of the legitimate freeware Mep Installer to carry out the infection cycle.

Mep Installer builds installation programs for Windows based on Inno Setup. When Mep Installer executes, it creates a temporary installation file in the %TEMP% directory. This file has the following execution command:

banload_command

Mep Installer has its signature at the offset used in the preceding command:

Signature

This temporary installation file checks for the Mep Installer signature. If found, the file will read data from the third argument, which is a zlib-compressed file. The following is a snippet of the compressed data:

banload_ZlibCompress

The temporary installation file has a zlib decompression procedure. After decompression it drops the executable and runs it.

banload_Mep_Cycle

Infection chain
We have observed that Banload hooks the Mep Installer to trick users into installing the Portuguese version of this software. Once the user gets a Banload-infected Mep Installer, the malware uses same functionality as the genuine Mep Installer to avoid suspicion. The infected version carries the malware inside the zlib-compressed file.

The malware executes with the same command as with the legitimate Mep Installer:

banload_nal_command

Upon decompression the temp file drops the malware in the Windows directory, as shown below:

banload_mal_run

This malware uses the temporary file of the genuine installer to carry out the infection. Banload also displays a fake Mep Installer signature to appear to be legitimate.

banload_mal_cycle

Obscuring techniques
The malware uses a number of tricks to avoid execution in controlled environments such as virtual machines, sandboxes, etc. It also checks for network monitoring tools like CommView, TCPView, etc.

banload_tricks

The malware uses the following code patch to check for virtual machines:

banload_AntiVM

Banload terminates if the system’s language ID does not match to 0x0416, Portuguese.

banload_languagID

The malware also creates a mutex to ensure that only one instance of the malware is running at a time. The malware author uses standard RC4 algorithm to hide the payload’s URL. The encrypted URL looks like this:

banload_URl_encrypted

The following are some of the decrypted URLs from which the malware downloads payloads to carry out further infections:

  • http://[BLOCKED].br/modulorato/rato.zip
  • http:// [BLOCKED].com.br/banner.zip
  • http:// [BLOCKED].net.br/KL/Windows.zip
  • http:// [BLOCKED].com.br/backup/site/CACminde.zip
  • http:// [BLOCKED].com.br/KL/ljinguID.zip
  • http://maranhao. [BLOCKED].com.br/modulo/maranhao.zip
  • https://storage.googleapis.com/[BLOCKED]/ [BLOCKED].zip
  • https://storage.googleapis.com/[BLOCKED]/ [BLOCKED].zip
  • https://www.4shared.com/web/directDownload/[BLOCKED]/goqt4x. [BLOCKED]
  • https://www.4shared.com/web/directDownload/[BLOCKED]/gk5y6n. [BLOCKED]
  • https://storage.googleapis.com/[BLOCKED]/[BLOCKED].zip
  • https://www.4shared.com/web/directDownload/[BLOCKED]/gbo7i6. [BLOCKED]
  • http://www. [BLOCKED].org/ddlevelsfiles/imgs.zip
  • https://www.4shared.com/web/directDownload/[BLOCKED]/gpms2b. [BLOCKED]

The downloaded files are encrypted and are decrypted by the malware at runtime. The downloaded file may look like this:

banload_downloaded_encrypted

After decrypting this, we get this Zip file:

banload_downloaded_decrypted

Summary
This malware targets Brazilians by using the Mep Installer’s Portuguese version, checking for the Portuguese language ID, and most of the URLs listed above are from Brazil. Intel Security products detect this malware as Downloader-FBIC! Intel Security advises all users to keep their antimalware products up to date.

Analyzed hashes, SHA256

  • C5D3EC816D9029A5EDC6F0C64E1E9CAC02CF73A8A4828C3088C34FEF7338CC21
  • 98F38A78E8DCEE34DCFFB53D5A3E678E5572DDC2DFF2E0EF832FCBCEF3F5E7DC

 

The post Banload Trojan Targets Brazilians With Malware Downloads appeared first on McAfee.