4/3/2023 0 Comments Www sat gob![]() ![]() The external resource injected by the malicious extension contains URL checks to identify which banking page the victim is on. The extension aims to inject an external request to a JavaScript resource into the DOM of the pages visited by the user.įigure 12 – External JS resource injected by malicious extension If the victim opens the Chrome browser after the attacker installs the malicious extension, the MitB attack begins. lnk files to generate persistence in the Windows Startup path and installing the “Seguridad” Google Chrome extension.įigure 5 – Opened full screen via rundll32 (PNG file)įigure 6 – PNG file simulating a bank transferįigure 7 – LNK files dropped in the Startup pathįigure 8 – LNK file loading attacker extensionįigure 9 – Attacker extension dropped in %LOCALAPPDATA% pathįigure 10 – Obfuscated JS file (Seguro.js)įigure 11 – Attacker Google Chrome extension jse file opens the Screenshotfrom202034-58.png file in full screen using rundll32 while dropping the. lnk and Chrome1.lnk: Google Chrome shortcut used by the attacker to generate persistence and load the malicious extension via the –load-extension parameter to perform the Man-in-the-Browser attack.Screenshotfrom202034-58.png: PNG file-type simulating a bank transfer.js: Google Chrome extension developed with obfuscated JavaScript code. json: The manifest file in JSON format contains information about the malicious Google Chrome extension.jse artifact aims to download the following files: jse (JScript Encoded Script Format) type file, that aims to generate persistence and download the artifacts of the fourth stage of the attack.įigure 3 – Schedule task to execute the third stage of the malwareįigure 4 – Third stage of the malware (JSE file) The malware creates a scheduled task to execute the file corresponding to the third stage of infection, which is an obfuscated. hta file, it runs an obfuscated PowerShell script that aims to download and execute the third stage of the malware.įigure 2 – Obfuscated PowerShell script – Second stage of the malware The first malicious artifact identified by SCILabs was feb.hta, downloaded from facturemxmx/feb.hta and corresponds to an HTML template with an embedded VBS-type obfuscated script.įigure 1 – First stage of the malware (HTA file) SCILabs identified, in open sources, the facturamxclub domain simulating to be a billing site from Mexico and when carrying out the investigation we recovered the artifact with which the chain of infection began. Analysis Threat Context of the first campaign analyzed in June 2022 If an attack by this malware is successful, it could cause economic and reputation losses additionally, cybercriminals could misuse the obtained data by leaking or selling it on underground forums or on the black market. ![]() During the infection chain, the attackers could use the droppers identified by SCILabs to download more dangerous malware like ransomware. The main objective of this campaign is to perform a Man-in-The-Browserattack to steal banking information from all types of users. SCILabs carried out multiple investigations to determine if there is any relationship between this malware and other families like Magnant, BokBot, Chaes, and Kronos however, we found no relationship between them.įinally, it is essential to mention that the artifacts identified by SCILabs used in the infection chain have a low detection rate by antivirus solutions in the VirusTotal platform. ![]() ![]() Between the last week of June and the third one of August, SCILabs identified a new malware campaign which is being distributed through phishing emails under the pretext of supposed invoices to perform Man-in-the-Browser attacks using domains such as kawaitravelmexicocom and facturamxclub supplanting the Servicio de Administración Tributaria (SAT) in Mexico and impersonating sites like hxxp//Its main objective is to steal information from users of financial institutions, by injecting code into the Chrome browser, via a malicious extension.ĭuring about five weeks, SCILabs has continued monitoring activities and identified mainly two variants of this campaign that, due to its characteristics, we named BlackDog. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |