Hunting for Latam Banking Trojan URL Phishing

Brief summary
Financial cybercrime: competitors sharing TTPs

ESET researchers have surprisingly discovered many indicators of close cooperation between banking trojan authors in Latin America, where cybercriminal groups are working together to create and distribute multiple families, in a collaborative effort that researchers say is highly unusual.

Recently, several manufacturers have detailed their findings on the interconnectivity of banking trojan families in Latin America. Eleven different families of malware are coordinating distribution, resources, geographic targeting and more. Among the variants we have: Amavaldo, Casbaneiro, Grandoreiro, Guildma, Krachulka, Lokorrito, Mekotio, Mispadu, Numando, Vadokrist and Zumanek, according to ESET.

Families also share, in addition to malware delivery infrastructure:

• Unusual third-party libraries;
• String encryption algorithms;
• String and binary obfuscation techniques;
• Side loading of DLL;
• Collaboration extends to geographic targeting.

What also caught the attention of the researchers is the fact that all banking Trojans use a very similar distribution flow.

It is also worth mentioning that, since 2019, the vast majority of these malware families have started using Windows Installer (MSI files) as the first stage of the distribution chain.

Initial Access
In the vast majority of cases that I have analyzed, the user receives phishing with the link in the body of the email, when the click is made, it is usually directed to AmazonAws or CloudApp Azure domains, as in the examples below:

URLs phishing:
hxxp://ec2-[custom server IP].amazonaws.com/[random number].php?e=[random number]
hxxps://[custom subdomain].eastus.cloudapp.azure.com/[random number].php?e=[random number]

In these URLs, we have a PHP call responsible for randomly generating the first payload of the threat, where a .zip file is downloaded, which has an .msi installer inside.

Recent sample:       
hxxps[:]//[custom_subdomain].eastus[.]cloudapp.azure[.]com/nfedown.php?dw=%3C?php%20echo%20rand(10000000000,90000000000)?%3E
-> Address hosting the MSI. This was the first case I noticed where it shows the MSI name generation routine (function RAND). After the "dw", there is the routine to generate samples with random names.

Given the above, we identified that sandbox analyzes are not complete because:

• Some technologies cannot fully detect the link, as the URL is separated into two parts in the html.
• Due to the .MSI files being large, the sandboxes end up not being able to analyze the complete file.
• GEOLOCATION techniques were observed for sandbox evasion.

Hunting for suspicious activities
Analyzing the initial infection scenario, we can think of a rule that detects access to Phishing URLs clicked by users when receiving emails in malicious campaigns, specific to the recent cases of Latam Banking Trojans analyzed.

Possible Splunk Rule:

Description: This rule detects navigations to suspicious URLs.
Query Splunk:
index=(your index) domain IN (“*cloudapp.azure.com”, “*amazonaws.com*”) http_content_type=application/zip user!=”-” AND url=”*.php?*” 
| stats values(user) as user by url filter rs_Content_Type 
| search url=”*.php?*”
| rename filter as action, rs_Content_Type as category

Sigma Rule

title: Hunting for Latam Banking Trojan URL Phishing
description: This rule detects browsing URLs that are suspicious, commonly used to download banking malware.
tags:
* attack.Initial Access
* attack.Phishing
* attack.T1566
* Mitre Link: https://attack.mitre.org/techniques/T1566/
status: experimental
author: Keilly Santos
date: 2020/10/10
modified: 2020/10/10
logsource:
product: Web Proxy
detection:
selection:
Domain | contains: “*cloudapp.azure.com”, “*amazonaws.com*”
Url | contain: “*.php?*”
Category | equals: application/zip
condition: selection
falsepositives: if there is legitimate browsing for domains that contain the same config detection.
level: medium

Some additional recommendations are:
1. Restrict browsing on the proxy whose Content_type is “application / zip”.
2. Creation of Yara rules for monitoring and blocking the environment.
3. Analysis of malicious code and blocking of Indicators of Compromise found in the other stages of the malware.

References:
https://threatpost.com/latam-banking-trojans-collaborate/159792/
https://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/

Hope it helps.
Happy hunting! =D