Researchers have discovered a banking trojan making waves in Brazil with an array of tricks up its sleeve, including using an unusual command and control (C&C) server and a full-screen social-engineering overlay form.
Researchers at IBM X-Force research on Tuesday revealed that attackers are using the malware – dubbed MnuBot –mainly in Brazil to perform illegal transactions on victims’ open banking sessions.
“MnuBot… has the same capabilities as most RATs,” Tomer Agayev, threat research team lead at IBM security, told Threatpost. “It allows the attacker to gain remote access to the infected machine, including displaying fake windows of various banks on the victim’s machine.”
The remote access trojan (RAT) is unique in that it constantly queries the Microsoft SQL Database server for commands to be performed, giving attackers better dynamic configurations and anti-research capabilities.
“Most malware in the wild today use a C&C server which is based on some form of a web server or an IRC channel,” Agayev wrote in a blog post. “In contrast, the MnuBot malware uses Microsoft SQL Server database server to communicate with the sample and send commands to be executed on the infected machine.”
Once it has infected a system, MnuBot also uses a tricky social engineering method called a full-screen overlay form, which keeps the user waiting while the attacker commits the fraud.
Overlay forms, similar to those used by many other malware families in the region, are used to prevent the victims from accessing their open banking session inside the browser. A pop-up appears, and meanwhile, in the background, the attacker takes control over the user endpoint and attempts to perform an illegal transaction via that open banking session.
Agayev said that data about the scope of the malware campaign is not public: “MnuBot was discovered during active research of new Brazilian malwares, and… we can’t disclose any additional information about its methods,” he told Threatpost.
Two-Stage Attack Flow
The majority of Brazilian malware infects systems via malicious email, although X-Force is still examining the infection methods, Agayev told Threatpost. After this initial infection, MnuBot is built from two base components making up a two-stage attack flow, said researchers.
In its first stage, MnuBot looks for a file called Desk.txt within the AppData Roaming folder, which places data from applications onto whatever machine the user happens to be logged in on. This enables MnuBot to know which desktop is currently running; the malware then constantly checks for a window name that is similar to one of the bank names in its configuration.
Once it discovers one, it will query the server for the second stage executable according to the bank name that was found. The subsequent downloaded executable (C:\Users\Public\Neon.exe) contains the meat of the attack by providing the attacker with full control over the victim’s machine, according to Agayev.
This executable also gives attackers abilities like keylogging, taking screenshots of desktops, restarting the victim’s machines, creating a form to overlay the bank’s forms and stealing user data in the form.
C&C Server
MnuBot connects to the Microsoft SQL Database server in order to fetch the initial configuration by using SQL server details – such as server address, port, username and a password – which are hardcoded inside the sample.
Attackers can dynamically change MnuBot’s malicious activity, and once the authors take down the server, it becomes almost impossible for a researcher to reverse engineer the malware sample behavior.
“It is most likely that MnuBot authors wanted to try to evade regular AV detection, which is based on the malware traffic. To do so they tried to wrap their malicious network communication using seemingly innocent MS SQL traffic,” said researchers.
Some of MnuBot’s tricks are typical traits of malware families in Brazil, researchers said.
“MnuBot is an excellent example of many malware families in the Brazilian region,” said Agayev. “It holds many characteristics that are typical of other recently discovered malware strains. For example, the overlaying forms and the new desktop creation are well-known techniques that malware authors in the region use today.”