New CHAVECLOAK Malware Hack Windows Via PDF File

Threat actors have been discovered to be using a new technique for deploying the CHAVECLOAK banking trojan to target users in Brazil.

This trojan is capable of stealing sensitive information related to financial activities. 

The attack vector uses a malicious email with a PDF file which downloads a ZIP file and utilizes DLL side-loading techniques to execute the final malware.

The Command and Control server telemetry of this malware reads that most of the traffic is from Brazil.

CHAVECLOAK Malware Hack Windows

According to the reports shared by Fortinet, the initial attack vector of this banking trojan involves a phishing email that mentions an attachment related to a contract that must be signed using the link in the email.

This link was generated using a free URL link shortener service “Goo.su” which points to a server for downloading a malicious ZIP file.

This ZIP contains an MSI file “NotafiscalGFGJKHKHGUURTURTF345.msi”.

MSI Installer

The malicious “NotafiscalGFGJKHKHGUURTURTF345.msi” is extracted when the ZIP file is decompressed. Decompressing the MSI file further shows the contents of the MSI installer.

The MSI installer contains multiple TXT files along with a DLL file named “Lightshot.dll”.

When compared with the modification dates of the other files inside the MSI file, this DLL file has the latest date which means that it has been recently modified.

Further analysis revealed that the entire configuration had been written in Portuguese.

If installed, the MSI drops these files inside the “%AppData%Skillbrainslightshot5.5.0.7” folder.

The EXE file “Lightshot.exe” is also dropped at the specified folder which deploys DLL sideloading technique to activate the execution of malicious DLL “Lightshot.dll”.

Further, this malicious DLL performs the extraction of sensitive information from the compromised system.

CHAVECLOAK Banking Trojan “Lightshot.dll”

This banking trojan performs multiple operations, including gathering volume and file system information from the specified root directory.

To initiate the malware’s automatic execution, “Lightshot.exe” is added to the registry value, which triggers the malware in turn due to the DLL sideloading attack.

This establishes persistent access to the compromised system. After this, an HTTP server request is made to “hxxp://64[.]225[.]32[.]24/shn/inspecionando.php,” where the system’s geolocation is confirmed whether the victim is inside Brazil. 

CHAVECLOAK performs several actions on the compromised systems such as blocking the victim screen, logging keystrokes, deceptive pop-up windows etc.

Additionally, the malware also focuses on the victim’s activities against specific financial portals, including banks and bitcoins.

Indicators Of Compromise

IP

URLs

• hxxps://webattach.mail.yandex.net/message_part_real/NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUUR[.]zip
• hxxps://goo[.]su/FTD9owO

Hostnames

• mariashow[.]ddns[.]net
• comunidadebet20102[.]hopto[.]org

Files:

• 51512659f639e2b6e492bba8f956689ac08f792057753705bf4b9273472c72c4
• 48c9423591ec345fc70f31ba46755b5d225d78049cfb6433a3cb86b4ebb5a028
• 4ab3024e7660892ce6e8ba2c6366193752f9c0b26beedca05c57dcb684703006
• 131d2aa44782c8100c563cd5febf49fcb4d26952d7e6e2ef22f805664686ffff
• 8b39baec4b955e8dfa585d54263fd84fea41a46554621ee46b769a706f6f965c
• 634542fdd6581dd68b88b994bc2291bf41c60375b21620225a927de35b5620f9
• 2ca1b23be99b6d46ce1bbd7ed16ea62c900802d8efff1d206bac691342678e55

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter