The developers of banking Trojan malware are constantly looking for inventive ways to distribute theirs implants and infect victims. In a recent investigation, we encountered a new malware that specifically targets users of more than 60 banking institutions, mainly from Brazil. What caught our attention was the sophisticated infection chain that makes use of various advanced technologies, setting it apart from known banking Trojan infections.
银行木马恶意软件的开发人员一直在寻找创造性的方法来分发他们的植入物并感染受害者。在最近的一项调查中,我们遇到了一种新的恶意软件,专门针对 60 多家银行机构的用户,主要来自巴西。引起我们注意的是利用各种先进技术的复杂感染链,使其与已知的银行木马感染区分开来。
This malware utilizes the Squirrel installer for distribution, leveraging NodeJS and a relatively new multiplatform programming language called Nim as a loader to complete its infection. We have named this newly discovered Trojan “Coyote” due to the role of coyotes as natural predators of squirrels. The Nim language defines itself as a “statically typed compiled systems programming language that combines successful concepts from mature languages like Python, Ada and Modula”. The adoption of less popular/cross-platform languages by cybercriminals is something we identified as a trend in our Crimeware and financial cyberthreats for 2024.
该恶意软件利用 Squirrel 安装程序进行分发,利用 NodeJS 和一种相对较新的多平台编程语言 Nim 作为加载程序来完成其感染。我们将这种新发现的特洛伊木马命名为“土狼”,因为土狼是松鼠的天敌。Nim 语言将自己定义为“静态类型的编译系统编程语言,它结合了 Python、Ada 和 Modula 等成熟语言的成功概念”。我们认为,网络犯罪分子采用不太流行/跨平台的语言是 2024 年犯罪软件和金融网络威胁的一个趋势。
In this article, we will delve into the workings of the infection chain and explore the capabilities of this Trojan.
在本文中,我们将深入研究感染链的工作原理并探索此木马的功能。
Forget old Delphi and MSI
忘掉旧的德尔福和微星吧
In the banking Trojan landscape, the use of the Delphi language or MSI installers is a recurring trend among malware creators. It’s a well-known fact in the cybersecurity community that this method serves as a widely used initial infection vector.
在银行木马领域,使用 Delphi 语言或 MSI 安装程序是恶意软件创建者中反复出现的趋势。在网络安全社区中,众所周知的事实是,这种方法是一种广泛使用的初始感染媒介。
Coyote does things a little differently. Instead of going down the usual route with MSI installers, it opted for a relatively new tool for installing and updating Windows desktop applications: Squirrel. As the authors explain, “Squirrel uses NuGet packages to create installation and update packages, which means that you probably already know most of what you need to create an installer.”
土狼做事有点不同。它没有采用通常的 MSI 安装程序,而是选择了一种相对较新的工具来安装和更新 Windows 桌面应用程序:Squirrel。正如作者所解释的那样,“Squirrel 使用 NuGet 包来创建安装和更新包,这意味着你可能已经知道创建安装程序所需的大部分内容。
By using this tool, Coyote hides its initial stage loader by presenting it as an update packager.
通过使用此工具,Coyote 通过将其呈现为更新打包程序来隐藏其初始阶段加载程序。
The Node.js loader script
Node.js加载程序脚本
When Squirrel is executed, it eventually runs a NodeJS application compiled with Electron. This application executes obfuscated JavaScript code (preload.js), whose primary function is to copy all executables found in a local folder named temp to the user’s captures folder inside the Videos folder. It then runs a signed application from that directory.
当 Squirrel 被执行时,它最终会运行一个用 Electron 编译的 NodeJS 应用程序。此应用程序执行混淆的 JavaScript 代码 (preload.js),其主要功能是将名为 temp 的本地文件夹中找到的所有可执行文件复制到 Videos 文件夹内的用户捕获文件夹。然后,它从该目录运行已签名的应用程序。
Several executables have been identified in use, including those associated with Chrome and OBS Studio. The banker is loaded through DLL sideloading of a dependency of these executables. In all cases analyzed by our team, DLL sideloading occurs in the libcef.dll library.
已确定多个正在使用的可执行文件,包括与 Chrome 和 OBS Studio 相关的可执行文件。banker 通过这些可执行文件的依赖项的 DLL 旁加载来加载。在我们团队分析的所有情况下,DLL 旁加载都发生在libcef.dll库中。
The Nim loader Nim 装载机
An intriguing element of the infection chain is the use of Nim, a relatively new programming language, to load the final stage. The loader’s objective is to unpack a .NET executable and execute it in memory using the CLR. This implies that the loader aims to load the executable and execute it within its process, reminiscent of how Donut operates.
感染链中一个有趣的元素是使用 Nim(一种相对较新的编程语言)来加载最后阶段。加载程序的目标是解压缩 .NET 可执行文件,并使用 CLR 在内存中执行它。这意味着加载器旨在加载可执行文件并在其进程中执行它,让人想起 Donut 的操作方式。
It’s worth noting that the same entry point, obs-browser-page.exe, is utilized for every machine reboot, serving as a means of persistence.
值得注意的是,每次重新启动计算机时都会使用相同的入口点 obs-browser-page.exe,作为持久性手段。
Last but not least, the Coyote banking Trojan
最后但并非最不重要的一点是,土狼银行木马
After all these steps, the Trojan is successfully executed. Coyote does not implement any code obfuscation and only uses string obfuscation with AES encryption.
完成所有这些步骤后,特洛伊木马成功执行。Coyote 不实现任何代码混淆,仅使用带有 AES 加密的字符串混淆。
To retrieve a specific string, it calls a decryption method with the string index as a parameter. The decryption method works by creating a table of base64-encoded data. The first 16 bytes of each decoded data item serve as the IV (Initial Vector), while the rest is the encrypted data later used in the AES decryption routine.
若要检索特定字符串,它调用将字符串索引作为参数的解密方法。解密方法的工作原理是创建一个 base64 编码的数据表。每个解码数据项的前 16 个字节用作 IV(初始向量),而其余部分是稍后在 AES 解密例程中使用的加密数据。
The key is randomly generated by each executable, and the AES decryption algorithm uses the official .Net encryption interfaces. With this approach, for each string access that Coyote needs, it searches inside the table and decrypts each string with a custom IV.
密钥由每个可执行文件随机生成,AES解密算法使用官方的.Net加密接口。使用这种方法,对于 Coyote 需要的每个字符串访问,它会在表内进行搜索,并使用自定义 IV 解密每个字符串。
Persistence and goals 坚持和目标
Coyote achieves persistence by abusing Windows logon scripts; it first checks if HKCU\Environment\UserInitMprLogonScript exists, and if so, it inserts the registry value as the full path to the signed application, in this case, obs-browser-page.exe.
Coyote 通过滥用 Windows 登录脚本来实现持久性;它首先检查 HKCU\Environment\UserInitMprLogonScript 是否存在,如果存在,则插入注册表值作为已签名应用程序的完整路径,在本例中为 obs-browser-page.exe。
The Coyote Trojan’s objective is consistent with typical banking Trojan behavior. It monitors all open applications on the victim’s system and waits for the specific banking application or website to be accessed.
Coyote 特洛伊木马的目标与典型的银行特洛伊木马行为一致。它监控受害者系统上所有打开的应用程序,并等待访问特定的银行应用程序或网站。
In our analysis we identified at least 61 related applications, all originating from Brazil. This strongly suggests that Coyote is indeed a Brazilian banking Trojan, exhibiting behavior similar to that previously reported in our Tetrade blog post.
在我们的分析中,我们确定了至少 61 个相关应用程序,所有应用程序都来自巴西。这强烈表明 Coyote 确实是巴西银行木马,其行为类似于我们之前在 Tetrade 博客文章中报道的行为。
C2 communication and control
C2通信与控制
When any banking-related application is executed and utilized, the Coyote banker contacts the C2 with this information. The C2 then responds with various actions on the machine, ranging from keylogging to taking screenshots. Communication with the attacker server will be explained in the following sections.
当执行和使用任何与银行相关的应用程序时,Coyote 银行家会联系 C2 并提供此信息。然后,C2 在机器上执行各种操作,从键盘记录到截屏。以下各节将介绍与攻击者服务器的通信。
The Trojan establishes communication with its command and control server using SSL channels with a mutual authentication scheme. This implies that the Trojan possesses a certificate from the attacker-controlled server and uses it during the connection process.
The certificate is stored as a resource in an encrypted format that is decrypted by the X509 library from .Net. Once the malware verifies that the connection is indeed with the attacker, it proceeds to send the information collected from the infected machine and banking applications to the server. The information transmitted includes:
证书以加密格式存储为资源,该格式由 X509 库从 .Net 解密。一旦恶意软件验证确实与攻击者建立了联系,它就会继续将从受感染的机器和银行应用程序收集的信息发送到服务器。传输的信息包括:
- Machine name 计算机名称
- Randomly generated GUID 随机生成的 GUID
- Banking application being used
正在使用的银行应用程序
With this information, the attacker sends a response packet that contains specific actions. To process these actions, the attacker transmits a string with a random delimiter. Each position of the string is then converted to a list, with the first entry representing the command type.
利用此信息,攻击者发送包含特定操作的响应数据包。为了处理这些操作,攻击者使用随机分隔符传输字符串。然后,字符串的每个位置都转换为一个列表,第一个条目表示命令类型。
To determine the desired command, it checks the length of the string in the first parameter, which is a random string. In other words, the only difference between commands is the size of the string.
为了确定所需的命令,它会检查第一个参数中字符串的长度,该参数是随机字符串。换句话说,命令之间的唯一区别是字符串的大小。
The most important available commands are:
最重要的可用命令包括:
Length 长度 | Description 描述 |
---|---|
12 | Take a screenshot 截屏 |
14 | Show an overlay window of a fake banking app 显示虚假银行应用的叠加窗口 |
15 | Show a Window that is in the foreground 显示前台的窗口 |
17 | Kill a process 终止进程 |
18 | Show a full-screen overlay 显示全屏叠加 |
21 | Shut down the machine 关闭本机 |
27 | Block machine with a fake banking image displaying: “Working on updates…” 带有虚假银行图像的阻止机器显示:“正在进行更新…” |
31 | Enable a keylogger 启用键盘记录器 |
32 | Move mouse cursor to specific X, Y position 将鼠标光标移动到特定的 X、Y 位置 |
The Trojan can also request specific bank card passwords and create a phishing overlay to capture user credentials.
该木马还可以请求特定的银行卡密码,并创建网络钓鱼覆盖层以捕获用户凭据。
Conclusion 结论
Coyote marks a notable change in Brazilian banking Trojans. Unlike its counterparts, which often use older languages like Delphi, the developers behind Coyote are skilled in modern technologies such as Node.js, .NET, and advanced packaging techniques.
Coyote 标志着巴西银行木马的显着变化。与经常使用 Delphi 等旧语言的同行不同,Coyote 背后的开发人员精通 Node.js、.NET 和高级打包技术等现代技术。
The addition of Nim as a loader adds complexity to the Trojan’s design. This evolution highlights the increasing sophistication within the threat landscape and shows how threat actors are adapting and using the latest languages and tools in their malicious campaigns.
添加 Nim 作为加载程序增加了特洛伊木马设计的复杂性。这种演变凸显了威胁形势中日益复杂的情况,并显示了威胁参与者如何在其恶意活动中适应和使用最新的语言和工具。
Our telemetry data reveals that up to 90% of infections originated from Brazil. All Kaspersky products detect the threat as HEUR:Trojan-Banker.MSIL.Coyote.gen.
我们的遥测数据显示,高达90%的感染来自巴西。所有卡巴斯基产品都将威胁检测为 HEUR:Trojan-Banker.MSIL.Coyote.gen。
A more detailed analysis of the latest Coyote versions is available to customers of our private Threat Intelligence Reports. For more information, please contact [email protected].
我们的私人威胁情报报告的客户可以获得对最新 Coyote 版本的更详细分析。欲了解更多信息,请联系 [email protected]。
Reference IoCs (indicators of compromise)
参考 IoC(入侵指标)
Host-based (MD5 hash) 基于主机(MD5 哈希)
03 eacccb664d517772a33255dff96020
071b6efd6d3ace1ad23ee0d6d3eead76
276f14d432601003b6bf0caa8cd82fec
5134e6925ff1397fdda0f3b48afec87b
bf9c9cc94056bcdae6e579e724e8dbbd
C2 domain list C2 域名列表
atendesolucao[.]com
servicoasso[.]com
dowfinanceiro[.]com
centralsolucao[.]com 中央索卢考[.]com
traktinves[.]com
diadaacaodegraca[.]com
segurancasys[.]com 塞古兰卡西斯[.]com
原文始发于securelist: A multi-stage banking Trojan abusing the Squirrel installer
转载请注明:Coyote: A multi-stage banking Trojan abusing the Squirrel installer | CTF导航