In recent years, an increase in banking trojans developed by attackers in Latin America has been detected, and their implementations have become more sophisticated, as the recently detected findings discussed here show.
In this article we are going to talk about a Windows banking trojan dubbed Javali by the Kaspersky research team, and Ousaban by its counterpart at ESET, which was first seen in November 2017 and which targets Latin America.
Javali/Ousaban MSI downloader
Specifically, and according to various investigations, Javali focuses on clients of financial institutions in Brazil; however, some sources have found campaigns targeting entities in other countries, such as Mexico. This is the case, for example, of the investigation carried out by the cybersecurity company Kaspersky.
Characteristics and Distribution
Written in Delphi, a programming language that, as we already know, is very popular in Brazilian malware, it shares other characteristics with banking trojan families, such as overlay or backdoor functionality.
Regarding its distribution, it is common for Ousaban or Javali to be distributed through spam emails that pretend to be official communications, that is, through phishing emails. As we will see, this Latin American banking trojan bears similarities to other malware families such as Vadokrist, Bizarro, Amavaldo, or Casbaneiro.
How It Operates
This malware, which for a long time was distributed together with private images as indicated in the ESET report, consists of several stages that we will look at below. When the user receives the phishing email and clicks on the URL that appears in the message, the download of a compressed file hosted somewhere on the internet begins, often on cloud services such as Google's or AWS, among others.
Recent configuration file addresses. Source: ESET
This ZIP contains an MSI file that, when executed, sets all of the trojan's machinery in motion. The MSI contains a file written in a scripting language, usually Visual Basic Script, which, when executed, carries out various actions.
On the one hand, it is in charge of establishing the persistence of the trojan on the infected computer and, on the other, it downloads various files from a remote server that are necessary to continue with the rest of the process.
Alongside these files, it is also common to find legitimate applications that are vulnerable to DLL hijacking, and it is precisely this that ultimately leads to the banking trojan being executed. This entire process is wrapped in multiple layers of obfuscation to hide the malicious activity and make analysis and detection by antivirus engines and research teams more difficult.
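As an added example (not code from the article, ESET or Kaspersky), the following Python script applies the first-stage chain described in this section to a handful of constructed process-creation events in a simplified Sysmon-like shape: msiexec.exe running a script host for the embedded VBScript, and that script host then writing a Run key for persistence. The field names (pid, ppid, image, cmdline), the file names and the sample values are assumptions made for this example, not observed telemetry.

```python
"""Detection sketch for the Javali/Ousaban first-stage chain: msiexec running a
script host (VBScript) that then sets up persistence.  Added example; the event
shape and values are constructed for this example and are not real telemetry."""

import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY_FRAGMENT = "currentversion\\run"   # HKCU/HKLM ...\CurrentVersion\Run

# Constructed sample process-creation events (simplified Sysmon-like shape).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\ana\\Downloads\\comprovante.msi"},
    # MSI custom action runs an embedded VBScript through the script host.
    {"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\ana\\AppData\\Local\\Temp\\inst.vbs"},
    # The script then registers a Run key pointing at a dropped executable.
    {"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                "/v Updater /d C:\\Users\\ana\\AppData\\Roaming\\Viewer\\viewer.exe"},
    # Benign control: a script launched directly by the user, no MSI ancestor.
    {"pid": 500, "ppid": 100, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\ana\\Documents\\cleanup.vbs"},
]


def basename(image):
    return ntpath.basename(image).lower()


def ancestors(pid, by_pid):
    """Yield the image basenames of a process's ancestors, nearest first."""
    seen = {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        yield basename(cur["image"])


def find_msi_script_hosts(events):
    """PIDs of script hosts that descend from msiexec.exe."""
    by_pid = {e["pid"]: e for e in events}
    return [e["pid"] for e in events
            if basename(e["image"]) in SCRIPT_HOSTS
            and "msiexec.exe" in ancestors(e["pid"], by_pid)]


def find_script_run_key_persistence(events):
    """PIDs of reg.exe writes to a Run key whose ancestry includes a script host."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "reg.exe":
            continue
        if RUN_KEY_FRAGMENT not in e["cmdline"].lower():
            continue
        if SCRIPT_HOSTS & set(ancestors(e["pid"], by_pid)):
            hits.append(e["pid"])
    return hits


def chain_for(pid, events):
    """Human-readable parent chain, root first, for a report line."""
    by_pid = {e["pid"]: e for e in events}
    names = list(ancestors(pid, by_pid))[::-1] + [basename(by_pid[pid]["image"])]
    return " -> ".join(names)


if __name__ == "__main__":
    for pid in find_msi_script_hosts(SAMPLE_EVENTS):
        print("MSI-spawned script host:", chain_for(pid, SAMPLE_EVENTS))
    for pid in find_script_run_key_persistence(SAMPLE_EVENTS):
        print("Run-key persistence from script:", chain_for(pid, SAMPLE_EVENTS))
```

Against the constructed events, only the wscript.exe started under msiexec.exe and the reg.exe Run-key write beneath it are reported; the user-launched script is left alone because it has no MSI ancestor. On real Sysmon Event ID 1 data the same logic applies, with the fields named ProcessId, ParentProcessId, Image and CommandLine instead of the short names used here.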
New Distribution Chains
Although the operation and distribution described above have generally stayed the same in various investigations, in the last month a mass distribution campaign of this banking trojan has been detected that differs significantly from all the other findings to date:
Source: ESET https://twitter.com/ESETresearch/status/1376490532445294594
This time the process is more elaborate and some complexity is added as we can see in the following graph:
Ousaban complex distribution chain. Source: ESET
This time we start with a first legitimate application that side-loads a DLL, which decrypts and executes the downloader.
This downloader in turn decrypts a configuration file found in the ZIP from the first stages, which contains a URL where the configuration information for the next stage is found. Specifically, it contains a URL from which a new file can be downloaded, through which another legitimate application ends up being run.
If we look at the graph above, we see that the final phase is somewhat different from the rest. In this case, a third legitimate application side-loads the injector, but this time it does not access the downloader, but rather a sample of the banking trojan itself.
On the other hand, the configuration file involved in this stage contains different information from that found in the previous ones: this time we find the IP address and port of the command and control server. In addition to this, a utility module is included with functions that allow changes to be made to the configuration of the infected computer.
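Each stage of the chain above hinges on a legitimate application side-loading a DLL placed next to it. As an added example (not the article's, ESET's or Kaspersky's code), the following Python script scores constructed image-load events for that pattern: an executable running from a user-writable folder that loads a DLL from its own directory, with extra weight when the DLL's name shadows a DLL that ships in the Windows system directories. The event fields, the sample paths and the system DLL inventory are all assumptions constructed for this example; a real deployment would build the inventory from a clean host's System32 and SysWOW64 listings.

```python
"""Side-loading scorer for image-load events (simplified Sysmon-like shape).
Added example: the fields, sample paths and the system DLL inventory are
constructed placeholders, not observed data or real Windows DLL names."""

import ntpath

# Directories an ordinary user can write to; lower-case prefixes.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed stand-in for an inventory of DLL names found in the system directories.
SYSTEM_DLL_INVENTORY = {"examplehelper.dll", "exampletheme.dll"}

# Constructed sample image-load events.
SAMPLE_IMAGE_LOADS = [
    # Normal: a system executable loading a system DLL from System32.
    {"pid": 10, "image": "C:\\Windows\\System32\\notepad.exe",
     "loaded": "C:\\Windows\\System32\\examplehelper.dll"},
    # Normal: an installed program loading its own private DLL from Program Files.
    {"pid": 11, "image": "C:\\Program Files\\Editor\\editor.exe",
     "loaded": "C:\\Program Files\\Editor\\editorcore.dll"},
    # Side-loading pattern: legitimate-looking exe and DLL dropped together in
    # a user-writable folder, DLL name shadows a system DLL.
    {"pid": 12, "image": "C:\\Users\\ana\\AppData\\Roaming\\Viewer\\viewer.exe",
     "loaded": "C:\\Users\\ana\\AppData\\Roaming\\Viewer\\examplehelper.dll"},
    # Lower confidence: same folder and user-writable, but a private DLL name.
    {"pid": 13, "image": "C:\\Users\\ana\\Downloads\\tool\\tool.exe",
     "loaded": "C:\\Users\\ana\\Downloads\\tool\\plugin.dll"},
]


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def same_directory(a, b):
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def score_image_load(event):
    """Return (score, reasons); higher means closer to the side-loading chain."""
    image, loaded = event["image"], event["loaded"]
    score, reasons = 0, []
    if same_directory(image, loaded):
        score += 1
        reasons.append("DLL loaded from the executable's own directory")
    if is_user_writable(image):
        score += 1
        reasons.append("executable runs from a user-writable path")
    shadows_system = ntpath.basename(loaded).lower() in SYSTEM_DLL_INVENTORY
    if shadows_system and not loaded.lower().startswith("c:\\windows\\"):
        score += 2
        reasons.append("DLL name shadows a system DLL but was not loaded from a Windows directory")
    return score, reasons


def find_side_loading(events, threshold=3):
    """PIDs whose image-load score reaches the threshold, in event order."""
    return [e["pid"] for e in events if score_image_load(e)[0] >= threshold]


if __name__ == "__main__":
    for e in SAMPLE_IMAGE_LOADS:
        score, reasons = score_image_load(e)
        print(e["pid"], score, "; ".join(reasons) or "nothing unusual")
    print("flagged at default threshold:", find_side_loading(SAMPLE_IMAGE_LOADS))
```

With the default threshold only the event where all three signals coincide is flagged; lowering the threshold to 2 also surfaces the same-folder load from the Downloads directory, which is a useful hunting pivot when the first stage of the chain has dropped an unfamiliar executable there. On real Sysmon Event ID 7 data the corresponding fields are Image and ImageLoaded.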
Javali, also known as Ousaban, named in this way by Kaspersky and ESET respectively, is a banking trojan that mainly affects users of Brazilian banking entities, although some sources have also found signs of this malware in campaigns targeting clients of Mexican banks. This trojan bears similarities to other malware families such as Vadokrist, Amavaldo, or Casbaneiro, all written in the Delphi programming language.
As for its own characteristics, it operates in a fairly common way and does not present any notable new developments.
However, new distribution chains have recently been detected where greater complexity is observed in the implementation of this trojan.
This is further proof of something we mentioned at the beginning of this article, which is that, in recent years, an increase in both the volume and complexity of many banking trojans developed in Latin America has been detected.