Chrome Extension Banking Trojan Targeting Mexico

August 30, 2022 by Blake Eakin


Summary

On August 20, 2022, the CRU observed a banking trojan delivered as a .zip archive containing a JavaScript payload. The script downloads several files and establishes persistence as shortcuts in the user's Startup folder that launch Google Chrome with a planted extension loaded. The goal of the malware is to steal banking credentials, specifically from the logon pages of Mexican banks, and to track the victim's browsing activity.


Analysis

The .zip archive, SAT_Policy_Tributario.zip, contained a JavaScript file that the user is expected to run. The script is heavily obfuscated, but after deobfuscation its operation is simple: it runs five structurally similar functions, each of which uses WScript and ActiveX objects to download and plant one file.

[Image: Deobfuscated example of function from SAT_Policy_Tributario.js]


In order, the script downloads an image, Screenshotfrom202034-58.png, into the directory that the %tmp% environment variable points to and opens it with cmd /c call %tmp%/Screenshotfrom202034-58.png, so the user believes they have simply opened an image. Meanwhile, it downloads two .lnk files into the user's Startup folder as Chrome.lnk and Chrome1.lnk, then downloads a manifest.json and a second JavaScript file, seguro.js, into %localappdata%, where together they form an unpacked Chrome extension. All files were served from facturamx[.]club, which is geofenced: it returns a 403 status if the requesting IP does not geolocate to Mexico. Except for the .png, every file was requested under a .jpg filename and then written to disk with its real extension.

On the user's next logon, the .lnk files are executed. Both target a legitimate Google Chrome installation with the added command-line argument --load-extension=%localappdata%. The only difference between the two is that one points at Chrome under Program Files (x86) and the other at Chrome under Program Files, so one of them matches whichever location Chrome is installed in. The effect is that, if Chrome is installed, it is launched at every logon with the unpacked extension in %localappdata% (manifest.json plus seguro.js) loaded.

[Image: .lnk shortcut information for Chrome.lnk]


Seguro.js is obfuscated in the same manner as SAT_Policy_Tributario.js and does one thing: on every page the user visits, it injects a script loaded from https://facturacionmexico[.]net/8vZ9d1-ad.js. That injected JavaScript compares the URL of the current page against a list of logon portals for a variety of Mexican banking services. If a match is found, scripts crafted specifically for that logon page are injected to steal the user's credentials. If no match is found, a hidden iframe pointing at https://facturacionmexico[.]net/choa.php is added to the page; that page uses StatCounter to track and collect analytics about the user's other activity as they browse.

[Image: Deobfuscated seguro.js injection.]

[Image: Example logon portal injection.]


Attribution

We were not able to attribute this activity to any previously named malware or campaign. The same activity with a different infection chain was reported in a series of tweets on June 16, 2022 (https://twitter.com/malwrhunterteam/status/1537424206434119680). The domain used for several of the credential-stealing injections was also mentioned in a chain of tweets from March 2021 that attributed it to Osiris or Kronos (https://twitter.com/benkow_/status/1369594973524553730), but the TTPs seen in this incident differ enough from those typical of these banking trojans that we cannot make that attribution with confidence. It is possible that this actor used an Osiris strain at one time and has since moved on to a different method.


Detections

The following detection signatures that trigger on the events in this report are available in the ConnectWise CRU collection in the Perch Marketplace:

  • [CRU][Windows] Script Run from Archive File (.zip, .7z, .iso) via wscript.exe
  • [CRU][Windows] Suspicious Process Write to Startup
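To show what these two signatures key on, and how the logon-time Chrome launch can be caught as a third check, here is an added example of the detection logic run over constructed Sysmon-style events (not real telemetry, and not the CRU rule text). The event records, the archive-path regex, and the list of "suspicious writer" processes are all assumptions made for the example; the Explorer and 7-Zip temp-path patterns reflect how those tools extract a file opened directly from an archive, while an ISO mounts as a drive letter and is only caught here when the .iso name appears in the path.

```python
import re

# Constructed Sysmon-style events (not real telemetry) for the chain in the
# report: the user opens the .js from inside the .zip, wscript.exe drops two
# shortcuts into the Startup folder and seguro.js into %localappdata%, and at
# the next logon Chrome starts with --load-extension. Event 6 is a benign
# Chrome launch the rules must ignore.
SAMPLE_EVENTS = [
    {"id": 1, "event": "ProcessCreate",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" '
                    r'"C:\Users\ana\AppData\Local\Temp\Temp1_SAT_Policy_Tributario.zip\SAT_Policy_Tributario.js"'},
    {"id": 2, "event": "FileCreate",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk"},
    {"id": 3, "event": "FileCreate",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome1.lnk"},
    {"id": 4, "event": "FileCreate",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\ana\AppData\Local\seguro.js"},
    {"id": 5, "event": "ProcessCreate",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\Users\ana\AppData\Local'},
    {"id": 6, "event": "ProcessCreate",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Processes that have no business creating Startup entries (an assumption for
# this example, not the signature's own list).
SUSPICIOUS_WRITERS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                      "cmd.exe", "rundll32.exe", "regsvr32.exe", "winword.exe", "excel.exe"}
ARCHIVE_PATH_RE = re.compile(
    r"\\Temp\d*_[^\\]*\.(?:zip|7z)\\"   # Explorer: %TEMP%\Temp1_<archive>.zip\<file>
    r"|\\7zO[0-9A-Fa-f]+\\"             # 7-Zip:    %TEMP%\7zO<hex>\<file>
    r"|\.(?:zip|7z|iso)\\",             # any archive-named path component
    re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
LOAD_EXT_RE = re.compile(r"--load-extension=", re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def script_run_from_archive(ev):
    # wscript/cscript started with a script path that still sits inside an archive
    return (ev["event"] == "ProcessCreate"
            and image_name(ev["Image"]) in SCRIPT_HOSTS
            and ARCHIVE_PATH_RE.search(ev["CommandLine"]) is not None)


def suspicious_write_to_startup(ev):
    # a script host (or similar) creating a file in a Startup folder
    return (ev["event"] == "FileCreate"
            and image_name(ev["Image"]) in SUSPICIOUS_WRITERS
            and STARTUP_RE.search(ev["TargetFilename"]) is not None)


def chrome_load_extension(ev):
    # Chrome started with an unpacked extension, as the planted .lnk files do
    return (ev["event"] == "ProcessCreate"
            and image_name(ev["Image"]) == "chrome.exe"
            and LOAD_EXT_RE.search(ev["CommandLine"]) is not None)


RULES = [
    ("script_run_from_archive", script_run_from_archive),
    ("suspicious_write_to_startup", suspicious_write_to_startup),
    ("chrome_load_extension", chrome_load_extension),
]


def detect(events):
    """Return [(rule_name, event_id)] for every event that matches a rule."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, eid in detect(SAMPLE_EVENTS):
        print(f"{name}: event {eid}")
```

Run against the sample, the first rule fires on event 1, the second on events 2 and 3, and the Chrome check on event 5; event 4 (seguro.js written to %localappdata%) produces no alert on its own, which is why the Startup-folder write and the --load-extension launch are the signals worth alerting on.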


MITRE ATT&CK

TA0002 - Execution

  • T1204.002 - User Execution: Malicious File
  • T1059.007 - Command and Scripting Interpreter: JavaScript

TA0003 - Persistence

  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1176 - Browser Extensions

TA0009 - Collection

  • T1056.002 - Input Capture: GUI Input Capture


IOCs

File Hashes:

146e7188a94d0a810d48e4cfb9ce32e7de786622e1c3b06903b9e076838aefa1  SAT_Policy_Tributario.zip

bad1b75141114bb97dd480108e57fd1e7db28b9946f34d24dd4bee09224efafc  SAT_Policy_Tributario.js

96f1851ecf609fd1086404cbdba31e7a1d430c20e9fcab4ca04acaa8cc619e2b  Screenshotfrom202034-58.png

a7e3426c840ac4d3e536f541142240804d642865efb5612fe11a110c07ae6ca9  Chrome.lnk

2a15748646a93b137cc4832c9c556b22d12abd555db46694c614897962a85c51  Chrome1.lnk

c2e3434588e1d23b3a7e68198e8a9d53fb91f019fd749205a579f985a16f68e9  manifest.json

06ef9e6803f74a113146e41d988f74a4b83a35a86ff5cc7a991f1dd4c1a2c0e7  seguro.js


Infrastructure Domains and IPs:

hxxps://facturamx[.]club

hxxps://facturacionmexico[.]net

hxxps://dlxfreight[.]bid/

hxxps://xscoctiiabanrk-com-nx[.]43round[.]solar/

hxxps://bbv4netcash-com-mx[.]ulcer39[.]solar/

hxxps://www-1bbva-com-mx[.]8gemir[.]asia/

hxxps://escandinavo37[.]asia/

hxxps://11carrito[.]fun/

hxxps://prnetbmex[.]buzz

hxxps://bnrt[.]2guillotine[.]works/

hxxps://mx[.]stomach8[.]works

hxxps://netflik[.]digital/

hxxps://monex-com-mx[.]10butt[.]gifts

hxxps://m1fiel-com-mx[.]7jazz[.]fun

hxxps://banbajio-com-mx[.]anuncios24[.]today/

hxxps://santa[.]nononoelcoconoxyz[.]xyz

172.67.190[.]105

104.21.19[.]221

159.89.139[.]107

8.9.15[.]28

104.21.43[.]19

172.67.215[.]219

172.67.204[.]49

104.21.22[.]104

172.67.223[.]46

104.21.38[.]140

172.67.188[.]208

104.21.8[.]233

172.67.171[.]43

104.21.39[.]181

172.67.131[.]27

104.21.3[.]189

172.67.149[.]82

104.21.63[.]186

104.21.8[.]114


URLs targeted:

- hxxps://eactinver[.]actinver[.]com/

- hxxps://bancaporinternet[.]bb[.]com[.]mx/

- hxxps://bancadigital[.]monex[.]com[.]mx/PortalServicios/

- hxxps://www[.]santander[.]com[.]mx/MiSitioPrivado/acceso/codigo-cliente

- secure[.]hsbcnet[.]com/uims/dl/DSP_AUTHENTICATION

- hxxps://www[.]bancanetempresarial[.]banamex[.]com[.]mx/bestbanking/spanishdir/bankmain.htm

- hxxps://see[.]sbi[.]com[.]mx/invernet2000/

- hxxps://www[.]ieb[.]com[.]mx/NB/

- hxxps://www[.]security[.]online-banking[.]hsbc[.]com[.]mx/gsa/SECURITY_LOGON_PAGE/

- hxxps://bancanet[.]banamex[.]com/

- hxxps://enlace[.]santander[.]com[.]mx/LOGBET_ENS/

- hxxps://www[.]scotiabank[.]com[.]mx/

- bbvanetcash[.]mx/local_pibee/login_pibee.html

- bbva[.]mx

- multiva[.]com[.]mx

- hxxps://abcbxi[.]abccapital[.]com[.]mx/abcbxi/

- hxxps://www[.]banamex[.]com

Several that are commented out:

- banorte[.]com

- hxxps://www[.]santander[.]com[.]mx/MiSitioPrivado/acceso/codigo-cliente

- hxxps://bancaporinternet[.]bb[.]com[.]mx/

- hxxps://www[.]mifel[.]net/

- hxxps://bancadigital[.]monex[.]com[.]mx/PortalServicios/

- hxxps://see[.]sbi[.]com[.]mx/invernet2000/

- hxxps://bancanet[.]banamex[.]com/

- hxxps://www[.]netflix[.]com

- hxxps://www[.]bancanetempresarial[.]banamex[.]com[.]mx/bestbanking/spanishdir/bankmain.htm

- hxxps://bancanetempresarial[.]citibanamex[.]com[.]mx/

- banorte[.]com