New banking malware in Brazil - XPCTRA RAT ANALYSIS

At the end of September 2017 an article was published about the presence of a Spy Banker malware called XPCTRA (Expectra).

Its goals are those of any banking malware:

• Steal bank credentials
• Get information to continue to spread

buguroo's Labs did a thorough analysis and reached the conclusion that this is simply a small modification of an already-existing malware. Therefore, in this post we are only analyzing the new aspects it has incorporated. 

The star of this show is the binary with sha256: 98337ca50d0cac2fab4566a39c6149328889bb06a6dd56a4c2a66cbea326138c.

In the initial analysis we observed that its structure is fairly similar to the QuasarRAT family. This can be seen when the structure of the binary analyzed in this post is compared to the typical QuasarRAT malware structure compiled with the default options of the code published in github.There are some small differences due to the fact that the code published in github is a more recent version. 

Throughout its execution and use, it refers to a series of parameters it calls “settings” that allow us to track all of the actions it anticipates in more detail: 

Ilustration 3. The binary’s settings

A. INSTALLATION

The first thing it does is install itself in the victim’s computer, and to do this it uses a digital certificate to intercept https traffic.

It may happen that the certificate is already installed in the user’s computer. If this is the case, the malicious code will jump directly to the bank credentials theft phase.

If one isn’t already installed, it generates a certificate and installs it using the certutil system tool:

“certutil –addstore \Root\$Variable_Path\fiddlerRoot.cet”

If the installation produces errors, it seeks to create a certificate through the screen resolution of the victim’s computer. To identify the real screen resolution, it closes any browsers that may be open: firefox.exe, chrome.exe or iexplore.exe and ends their execution using this command:

“taskkill /f /im $Nombre_proceso.exe”

Once it has the screen resolution, it generates the certificate using the originals mouse positions, as shown below:

Illustration 4. Certificate coordinates

Once installed, it begins collecting data from the machine that is infected, searching for the following data:

• Name of the infected machine 
• User name
• Machine architecture
• Directory where the executable program is located
• Path to the Temp folder
• Screen resolution
• The device’s Mac Address
• Whether it has any of the plugins for Banco do Brasil or Caixa Económica Federal installed.
• Whether there is an antivirus installed in the machine.

Illustration 5. Information collected from the device 

When it has the information it was seeking, it achieves persistence in the system, elevating privileges. To do this, it adds a key in the Windows registry that checks for its presence each time the binary run is initiated:

“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Windows\CurrentVersion\Run”

And to attempt to elevate privileges there, first it creates a user with the user name “user” and the password “!@c4rnic3ir0!@”. It attempts to give administrator privileges to this user as well as adding it to the group of those users who can connect to the device remotely.

With the persistence achieved and with the permissions it considers necessary, it informs the control panel that there is a new infected user.

To do this, it sends the infected machine’s information by means of a request to the control panel (C&C)::

Illustration 6. Information in the control panel 

After notifying the control panel that there is a new infection, the malware attempts to find the user’s geographical location. And to achieve this, it sends requests to the following websites where it can obtain the public IP address, together with its geolocation:

• http://ip-api.com/json
• http://api.ipify.org

This is the end of its installation and execution, and it goes on to the next step: exploitation.

B. BANK CREDENTIALS THEFT

To steal bank credentials, the malware checks the URL address that the infected user accesses through the browser.

To protect itself in its search, if it detects that the user is browsing on an antivirus page or that there are antivirus processes being executed in the system, or even if the computer is connected to another website that might lead to the malware being detected, the malware shows a 404 error with a message indicating that the website is temporarily unavailable.

 Illustration 7. URLs that the malware tries to avoid 

The complete list of URLs that it detects and blocks with the 404 error message are listed below:

• https://www.virustotal.com
• https://www.avast.com
• https://br.malwarebytes.com
• https://www.kaspersky.com
• http://www.mcafeee.com
• http://www.avg.com
• http://www.avira.com
• http://www.norton.com
• http://www.evirus.com.br
• http://virusscan.jotti.org
• http://www.trendmicro.com.br
• http://eset.com.br
• http://www.symantec.com
• http://www.baixaki.com.br/download/avast-free-antivirus-2017.htm
• http://www.baixaki.com.br/dowload/avira-free-antivirus.htm

If it rules out the above list, it goes on to check whether the user is going onto any target URL, to rob the bank credentials. The target URLs are as follows:

• http://www.bancobrasil.com.br
• http://www.bb.com.br
• https://www2.bancobrasil.com.br
• https://internetbanking.caixa.gov.br
• http://www.caixa.gov.br
• https://www.mercadobitcoin.com.br
• *blockchain*
• https://member.neteller.com
• https://www.perfecmoney.is

Regarding the target URL, if the user goes onto one of the Banco do Brasil or Caixa Económica Federal bank pages, the malware behaves differently..

For these cases, the malware checks whether these files exist in the system: 

• LockBB.txt for Banco do Brasil
• LockCef.txt for Caixa Económica Federal

These files are created by the malware when the attacker order to block the access to the online banking site. On this file the malware writes the current datetime (day, month and hour). This data is used to block the access to the banking site for the next 24 hours. If the user tries to access, the message "The page is under maintenance" will be displayed.

The regular expression with the day, month and time that the blocking for the theft will take place is written into the file.

“Dia:(?<Dia>\\d+)\\r\\\nMes:(?<Mes>\\d+)\\r\\nHora:(?<Hora>\\d+)”

When a user tries to gain access to one of the target pages, the malware sends the following information:

• IP Addess
• Machine Name
• Type
• MAC Address
• Target Name

After the notification, the cybercriminal may carry out any of the following actions: 

• Close the connection with the target URL.
• Send the cookies pertaining to the site the user attempted to connect to, generating a file with an sqlite extension.
• Cause the user to be shown a screen requesting they enter the access password.
• Block access to the bank for 24 hours, creating a LockBB.txt or LockCef.txt file.

The malware runs the tasks to begin to behave like the RATQuasar, so that the cybercriminal can take control of the infected machine. This confirms our initial suspicions that this is a modification of that malware.  

For the second case, in which the target URLs are not Banco do Brasil or Caixa Económica Federal, the malware shows a screen with a fake login to try to rob the bank credentials from the infected user and send them to the cybercriminal. If the URL does not coincide with any of those listed among the targets, it checks whether the URL corresponds to any of the following:

• http://mail.terra.com.br
• https://login.ig.com.br/signin
• https://www.mercadobitcoin.com.br/conta/login
• https://blockchain.info/wallet
• https://perfectmoney.is/user/userlogin.asp

If it coincides with one of these, the malware steals the email and password entered by the user, as well as the service the user accessed, and saves them in a file named “E-Vit.txt” that it will use later.

C. INFORMATION THEFT SO IT CAN SPREAD

After the theft has been carried out, the malware’s next task is to spread and infect other users.

It searches for various files with specific extensions, looking for email addresses it can send a spam email to in order to infect other users who are connected to the victim.

This process is carried out as follows:

In the same folder where the malware has copied itself there are 3 folders that it will use in this phase:

• Enviado.txt: file containing a list of emails that have already been sent the spam.
• E-Enviar.txt: file containing a list of emails that the spam will be sent to..
• E-Vit.txt: file containing the access credentials for different email services, which have been stolen from the infected user and will be used to do the spam mailing. 

To do this, it recovers the route information for the following directories:

• Desktop folder
• User’s personal folder 
• C:\\

The malware lists all the files present in each of the above directories and checks whether any of them contain the following extensions:

• Txt
• Doc
• Dat
• Wab
• Xlxs

The malware will add all the email addresses to the “E-Enviar.txt” file, which can be found where the binary is running. When it has completed the search for emails in the victim’s computer, it checks whether the E-enviar.txt and E-Vit.txt files exist. If they are both present, the malware checks that the emails found in E-Enviar.txt are not already present in the Enviado.txt file.

The malware connects with the Spam email template and fills it in with the email addresses it has obtained:

http://lucifer.icejuice.xyz/master/conf/Html.txt

Once the email has been sent to the potential victim, the email address is added to the Enviado.txt file to better track the campaign. 

Finally, the malware notifies the control panel (C&C) of all the email addresses the spam email was sent to. 

D. IOC

IOCS from this campaign: We can see how 3 different Command and Controls (C&C) were identified from the different samples. 

http://lucifer.icejuice.xyz/master/conf/Html.txt

http://fritas.cheddarmcmelt.top/master/conf/Html.txt

http://linux99.giduid.xyz/master/Controle.php

(Versión más actual del QuasarRAT que coincide
con la estructura mostrada al principio del documento)