Banking Trojan Escelar Infects Thousands In Brazil and the US



Unit 42 for the past three months has been tracking a banking Trojan targeting victims in Brazil and the United States. Escelar originally surfaced in January of this year, and has since had roughly 100,000 instances of attempted infections.

Attackers deliver the Trojan using generic Portuguese language phishing emails and are currently targeting seven Brazilian banks. Once delivered, Escelar has multiple installation stages where malware is downloaded using direct connections to multiple Microsoft SQL servers. These SQL servers are also used for command and control (C2) functionality.

The most recently discovered Microsoft SQL server being used as Escalar infrastructure contained records of 1660 infections that all connected in a two-day time frame.

The malware is able to control banking transactions conducted using Internet Explorer, and harvest email credentials, which are in turn used to spread the malware further.

escelar1

Figure 1. AutoFocus map of victims receiving Escalar Trojan

Infection

Escelar is distributed almost exclusively through phishing emails. A large number of emails were originally seen in the January 2015 period, and more e-mails have continued coming since then at a somewhat slower rate.

escelar2

Figure 2. Graph of sessions carrying Escalar each week in 2015

These emails are often labeled using the current date, and contain a generic message to entice the victim into running the attachment.

escelar3

Figure 3. Example email containing Escelar

The following top file names have been observed in attempted infections against Palo Alto Networks customers. Many of them include resume/curriculum vitae themes using female names.

Name Count
Curriclo_2015.exe 10227
Curriculum_Vitae_Bruna.exe 9110
Curriculum_Fernanda _Paiva.exe 6310
Curriculum_Izadora.exe 4242
Curriclo_Ana_Caroline2015.exe 2435
Seg-via-Boleto.exe 1880
Imprimir_2015.exe 1556
Curriculum_Laura.exe 1547
Curriculu_VItae-2015.exe 1453
Currculo_2015.exe 1428

Escalar Execution – Stage 1

After the victim unzips and executes the attached file, an executable written in .NET will be run. These executables are often obfuscated to thwart reverse engineers and any security controls that may be in place on the victim’s machine.

Important string names within Escelar samples are obfuscated using various cryptographic libraries. We have identified samples using both RijndaelEnhance and TripleDES.

escelar4

Figure 4. Cryptographic function contained in Escelar

escelar5

Figure 5. Encrypted string and decrypted version stored as a comment

This executable has limited functionality, and is only responsible for downloading an additional executable and establishing persistence via the Run registry key.

It begins by generating a random path of 8 alphabetic characters in the %APPDATA% directory. An executable name of 15 random alphabetic characters will hold to a soon-to-be-downloaded file. Escelar then makes a direct connection to a remote Microsoft SQL server and downloads a raw binary file to this local location.

escelar6

Figure 6. Microsoft SQL connection

escelar7

Figure 7. Acquiring raw binary image from Microsoft SQL server

escelar8

Figure 8. Raw binary image

After this file successfully downloads, the following registry key is written to ensure persistence across reboots.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [Computer Name] : [Path to Executable]

Finally, the downloaded malware is executed via a call to Interaction.Shell().

Escelar Execution – Stage 2

The second stage of the Escelar malware family shares many characteristics with the first stage. Both samples make use of direct Microsoft SQL connections, as well as encryption of important strings within the binary. They’re also both written in .NET and are often obfuscated.

This sample is once again another downloader, grabbing a raw binary image from a remote Microsoft SQL server and storing it to the following path:

%TEMP%\\JO[Computer Name][Computer Virtual Memory].exe

escelar9

Figure 9. Stored image in Microsoft SQL server

Finally, the malware is executed via a call to Interaction.Shell().

Escelar Execution – Stage 3

The third stage of the malware contains the banking Trojan itself. Once again this binary is written in .NET and makes direct connections to Microsoft SQL servers. It begins by dropping JCS.Components.NeroBar.dll in the Startup folder. This DLL is used to generate progress bars and is used when the attacker chooses to generate a ‘blocker’ on the victim’s banking webpage, which we discuss later in this section.

The malware proceeds to identify the following DLLs, which are used by various Brazilian banks to prevent malicious activity. The identifier is stored in the Microsoft SQL database in order to alert the attacker as to what plugins are installed.

File Identifier
%ProgramFiles%\\GbPlugin\\gbieh.dll B.B
%ProgramFiles%\\GbPlugin\\gbiehcef.dll C.E.F
%ProgramFiles%\\GbPlugin\\gbiehuni.dll I.T.A
%ProgramFiles%\\GbPlugin\\gbiehabn.dll S.A.N.T.A
%ProgramFiles%\\GbPlugin\\gbiehscd.dll S.I.C.R.E.D
%ProgramFiles%\\Scpad\\scpLIB.dll B.R.A.D.A

The IdPC identifier in the following image is made up of the following data.

  • Computer Name
  • Processor ID
  • HD Serial
  • Physical Memory
  • Virtual Memory

escelar10

Figure 10. Victim infections of Escelar listed in the Database

The malware monitors the victim’s browser activity. In the event they user attempts to navigate to one of the following Brazilian banking websites, the malware takes action.

  • https://internetbanking.caixa.gov.br/SIIBC/index.processa
  • http://www.bradesco.com.br/
  • http://www.bb.com.br/
  • https://www.itau.com.br/
  • https://www.santander.com.br
  • https://www.sicredi.com.br
  • http://www.hsbc.com.br/1/2/br/para-sua-empresa

Should the victim try to open any of these banking websites in a browser other than Internet Explorer, the malware will generate a false error, close the current browser, and re-open the link in Internet Explorer.

escelar11

Figure 11. False error displayed to the victim when viewing a targeted page in Google Chrome

The attacker has the ability to send a number of different commands in the ‘fun’ column of the Microsoft SQL server.

escelar12

Figure 12. Commands being sent to victims

Escalar can accept the commands show below (with their translations).

Command Translation
xclick click
xclick2 click 2
xtexto text
xtextopost text post
xtexto2 text 2
xtextopost2 text post 2
xtexto3 text 3
xtextopost3 text post 3
xmultiplotexto multiple text
xBloq locked
xdesbloq unlocked
xAss1 unknown
xAss2 unknown
xreiniciar reset
xapagartexto delete text
xsetacima up arrow
xsetabaixo down arrow
xtab tab
xtab2 tab 2
xcenter center
xcenter2 center 2
xfecharie ie close
xsenhacert cert password
xtoken token
xcelular cell

These commands allow the attacker to manipulate a victim’s banking web session and perform fraudulent transactions among other functions.

The following screenshot shows an image that is used by the malware in order to trick victims into entering the unique authentication code sent by banks to the victim’s cellular telephone. This data is uploaded to the attackers in order to conduct fraudulent transactions.

escelar13

Figure 13. Escelar tricking a victim into entering the authentication code sent to their cell phone

The following screenshot shows examples of an attacker blocking a victim’s banking web session in Internet Explorer.

escelar14

Figure 14. Blocking of victim’s banking web session

These pages are specific to the bank the victim is using, as we can see in the following second example.

escelar15

Figure 15. Blocking of victim’s banking web session

E-mail Harvesting and Spreading

Escelar includes a component that is responsible for harvesting credentials from the following web services.

  • Gmail
  • Hotmail
  • Webmail (any website containing the string “webmail” in the URL)

These credentials are stored in a remote Microsoft SQL server. The harvested email credentials are then used by the attackers to send additional e-mails containing Escelar. The total sum of emails in the database displayed below indicated that 3,057 emails had been sent from these addresses. The SQL server keeps track of the number of emails sent by each email address.

escelar16

Figure 16. Table containing email addresses and tallies of spam emails sent

By harvesting email credentials from Escelar victims, the malware authors are able to further propagate Escelar in the event a portion of the email senders are blocked.

Conclusion

The Escelar threat has been active for approximately seven months, targeting primarily Brazil- and US-based users. We have collected over 600 variants of to date, with roughly 100,000 attempted infections. The malware provides the attacker with multiple capabilities, including the ability to harvest email credentials and manipulate banking transaction sessions. Additionally, due to the way the malware is architected, it can easily update itself, along with the infrastructure supporting it.

Users located in Brazil and the United States that use Brazilian banking services should be aware of this threat and take necessary precautions against it, such as ensuring that suspicious emails are not opened.

Palo Alto Networks customers using the AutoFocus service can use the Escelar tag to determine if they have been impacted and conduct additional analysis, and customers using WildFire or Traps with WildFire integration are automatically protected against this threat. Organizations should monitor their networks for unexpected outbound Microsoft SQL traffic (App-ID mssql) that may indicate an Escelar infection.

For a list of SHA256 hashes of identified instances of Escelar and identified Microsoft SQL server domains being used by Escelar, please refer to this link.

 

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42


SUBSCRIBE TO RSS