Ousaban: Private photo collection hidden in a CABinet

Another in our occasional series demystifying Latin American banking trojans

Ousaban is a Latin American banking trojan active exclusively in Brazil. ESET has been tracking this malware family since 2018. In common with most other LATAM banking trojans, Ousaban uses overlay windows to steal credentials and more from financial institutions. However, unlike most other LATAM banking trojans, Ousaban’s developers have extended the use of overlay windows to steal credentials from popular regional email services. In this installment of our series, we examine its main features and its many connections to other Latin American banking trojan families.

Characteristics

Ousaban is written in Delphi, as are the vast majority of the other Latin American banking trojans ESET is tracking. And, as do many of them, Ousaban shows signs of active and continuous development.

The name ESET assigned to this family is a portmanteau of two words – “ousadia”, which means “boldness” in Portuguese, and “banking trojan”. The reason for such a name is that for a very long time, Ousaban was distributed alongside the images (some of them obscene) shown in Figure 1. In the latest campaigns distributing Ousaban, this is no longer the case.

Figure 1. Various images distributed alongside the Ousaban banking trojan

Ousaban is also known as Javali, a name assigned by Kaspersky. A recent article about Ousaban can be found here. ESET has also been able to attribute Ousaban to the campaigns described in this blogpost from 2018. Even though some sources claim Ousaban is active in Europe, ESET has never observed any campaign spreading this banking trojan outside of Brazil.

Ousaban protects its executables with either the Themida or the Enigma binary protector. Additionally, most EXEs are enlarged, using binary padding, to roughly 400 MB, probably in an effort to evade detection and automated processing (many sandboxes and scanners enforce a maximum file size).
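Padding of that size is mostly a triage problem: a 400 MB sample will not fit through many upload limits, yet the bytes that matter end where the PE section table says they end. The following added example (written for this article; it is not ESET’s tooling) parses the section table with only the standard library, measures how much low-entropy data trails the last section, and strips it so the core executable can be handed to further analysis. It assumes the padding sits in the overlay after the last section; if a sample instead carries padding inside an oversized section, the same entropy check can be run per section. The PE built by `build_sample_pe` is a constructed minimal file for demonstration, not a real sample.

```python
import math
import struct
from collections import Counter

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def pe_end_of_sections(data):
    """Offset just past the last byte claimed by any section header.
    Everything after it is overlay; for a padded sample that is the padding."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    end = sec_table + nsec * 40                     # at least the headers
    for k in range(nsec):
        _name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sec_table + 40 * k)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def shannon_entropy(buf):
    """Bits per byte; 0.0 for a run of one value, 8.0 for uniform random data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def triage_padding(data, sample=1 << 20):
    """Report overlay size and entropy. Only the first `sample` bytes of the
    overlay are measured so a 400 MB file is cheap to triage. The entropy
    threshold is a heuristic: repeated filler scores far below 1 bit/byte."""
    end = pe_end_of_sections(data)
    overlay = data[end:end + sample]
    ent = shannon_entropy(overlay)
    return {"end_of_sections": end,
            "overlay_bytes": len(data) - end,
            "overlay_entropy": round(ent, 3),
            "looks_padded": len(data) - end > 0 and ent < 1.0}


def strip_overlay(data):
    """Return the executable without its overlay (the part worth submitting)."""
    return data[:pe_end_of_sections(data)]


def build_sample_pe(section_bytes, overlay):
    """Constructed minimal PE for the demo: DOS header, COFF header with a
    zero-length optional header, one .text section at offset 512, then overlay."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_ptr = 512
    sec = struct.pack(SECTION_HEADER, b".text\0\0\0", len(section_bytes), 0x1000,
                      len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + coff + sec
    return hdr + b"\0" * (raw_ptr - len(hdr)) + section_bytes + overlay


if __name__ == "__main__":
    padded = build_sample_pe(b"\x90" * 300, b"\x00" * 100_000)
    print(triage_padding(padded))
    print(len(strip_overlay(padded)), "bytes after stripping")
```

Run it against a real padded sample by reading the file into `data` and calling `triage_padding(data)`; a result with a multi-hundred-megabyte overlay and near-zero entropy is the signature of this trick, and `strip_overlay` gives you a file that scanners and sandboxes will accept. Keep the original as well, since the hash the IoC tables list is that of the padded file.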

Most recent Ousaban variants contain a string table to hold their strings, storing this table in their .rsrc section. One of the resources contains a zlib-compressed list of strings delimited by newline characters.
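A zlib stream has a recognisable two-byte header and a trailing Adler-32 checksum, so such a resource can be recovered without knowing its resource ID by carving every complete stream out of the .rsrc bytes and splitting the result on newlines. The added example below (written for this article, not ESET’s code) does exactly that with the standard library; `build_sample_resource` fabricates a stand-in resource blob, and the constructed entries are plaintext so the carving and indexing are visible. In real samples the entries in the table are themselves encrypted, as the Cryptography section describes, so the list recovered here would still need to be run through the string decryptor.

```python
import zlib

# Constructed sample table (not from an Ousaban sample).
SAMPLE_STRINGS = [
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "docs.google.com",
    "porta",
    "kernel32.dll",
]


def build_sample_resource(strings):
    """Mimic the layout: one zlib stream of newline-delimited strings,
    surrounded by unrelated resource bytes."""
    payload = "\n".join(strings).encode("latin-1")
    return b"\x00" * 32 + zlib.compress(payload, 9) + b"\xff" * 16


def is_zlib_header(b0, b1):
    """CMF low nibble 8 = deflate; FCHECK makes CMF*256+FLG a multiple of 31."""
    return (b0 & 0x0F) == 8 and (b0 * 256 + b1) % 31 == 0


def carve_zlib_streams(blob):
    """Return [(offset, decompressed_bytes)] for every complete zlib stream.
    A candidate header is only accepted if inflation reaches the stream end,
    which also verifies the Adler-32 trailer."""
    found = []
    i = 0
    while i < len(blob) - 1:
        if is_zlib_header(blob[i], blob[i + 1]):
            d = zlib.decompressobj()
            try:
                out = d.decompress(blob[i:])
                if d.eof:
                    found.append((i, out))
                    i = len(blob) - len(d.unused_data)   # resume after stream
                    continue
            except zlib.error:
                pass                                      # false positive
        i += 1
    return found


def load_string_table(resource):
    """Decompress the first carved stream and split on newlines. The malware
    addresses entries by position, so the order of the list matters."""
    streams = carve_zlib_streams(resource)
    if not streams:
        raise ValueError("no zlib stream found in resource")
    _offset, data = streams[0]
    return data.decode("latin-1").split("\n")


if __name__ == "__main__":
    table = load_string_table(build_sample_resource(SAMPLE_STRINGS))
    for index, entry in enumerate(table):
        print(index, entry)
```

To apply it to a sample, dump the .rsrc section (any PE parser will do) and pass the raw bytes to `carve_zlib_streams`; the resource holding the table is the one whose inflated contents contain many short newline-separated entries.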

Its backdoor capabilities are very similar to those of a typical Latin American banking trojan – simulating mouse and keyboard actions and logging keystrokes. The latest variants communicate with their C&C servers using RealThinClient – a protocol also used by Grandoreiro.

The typical Latin American banking trojan attacks customers of financial institutions using overlay windows crafted specifically for its targets, and Ousaban is no exception. Interestingly though, its targets include several email services that it has overlay windows ready for as well, as illustrated in Figure 2.

Figure 2. Overlay window design for the UOL email service

To achieve persistence, Ousaban either creates a LNK file or a simple VBS loader in the Startup folder, or it modifies the Windows registry Run key.

Distribution and execution

Ousaban is distributed mainly through phishing emails (such as the one in Figure 3). The threat actor behind Ousaban cycles through multiple distribution chains. These chains share some common characteristics, mainly:

  • DLL side-loading is used to execute a binary payload
  • CAB archives are sometimes used instead of ZIP
  • A configuration file distributed inside the archive of one stage is required by the next stage
  • An injector, unique to Ousaban, may be used

Figure 3. Recent spam email distributing Ousaban (a rough translation is provided on the right)

MSI with JavaScript

This distribution chain, illustrated in Figure 4, is quite simple. The victim is misled into executing an MSI attached to the phishing email. When executed, the MSI launches an embedded JavaScript downloader that downloads a ZIP archive and extracts its contents. It then executes the legitimate application, which side-loads the Ousaban banking trojan.

Figure 4. Simple Ousaban distribution chain

Multistage MSI

Recently, ESET has observed a new distribution chain spreading Ousaban on a large scale. It is much more complicated than the one described above. The whole process is illustrated in Figure 5.

The first two stages are almost identical. In both, the core of the stage is contained in an archive (ZIP or CAB) and consists of:

  • A legitimate application
  • An encrypted injector
  • An encrypted downloader
  • An encrypted configuration file
  • Legitimate files

The legitimate application, when executed, side-loads the injector. The injector locates, decrypts and executes the downloader. The downloader decrypts the configuration file to obtain a URL leading to a remote configuration. The remote configuration contains a URL leading to the next-stage archive. The downloader downloads the next-stage archive, extracts its contents and executes the legitimate application it contains.

The last stage is slightly different, as it decrypts and executes the actual Ousaban banking trojan instead of a downloader. The third configuration file leads to a remote configuration with the C&C server IP address and port. The archive with the last stage contains another malware-related file – a support module that alters various settings of the victim’s machine. Finally, the archives for all three stages include additional files – a single legitimate executable in the first-stage archive, 14 legitimate files in the second-stage archive, and 13 legitimate files in the third-stage archive plus an embedded archive containing a further 102 legitimate files.

Figure 5. Ousaban’s complicated distribution chain

Support module

Ousaban loads this module to make it easier for the threat actor to connect to the victim’s machine. It mainly:

  • Modifies the RDP settings to use RDPWrap, a utility that allows multiple RDP connections to Home editions of the Windows OS
  • Modifies firewall settings to allow all RDP connections
  • Creates a new account with administrative privileges

The module contains the RDPWrap binaries stored in its .rsrc section. It then changes the RDP settings directly in the Windows registry at:

  • HKLM\SYSTEM\CurrentControlSet\Services\TermService
  • HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

The module then uses netsh.exe to modify the Windows firewall to allow all TCP and UDP traffic directed to port 3389, the standard port for RDP. Finally, it creates a new account named Administrat0r (a zero in place of the second “o”, so it blends in with the built-in Administrator account in a casual listing) with administrative privileges. We hypothesize that the threat actor wants a second way to access the victim’s machine; the threat actor is then not limited by the capabilities of the Ousaban banking trojan and can perform any malicious activity.
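Each of the support module’s actions, and the persistence mechanisms described in the Characteristics section, leaves host telemetry that a detection engineer can correlate: registry writes under the two Terminal Server keys, a netsh.exe invocation opening 3389, account creation followed by addition to the local administrators group, and a LNK/VBS dropped in the Startup folder or a Run-key value. The added example below (written for this article; not ESET’s code and not a signature for a specific sample) scores those behaviours per host over Sysmon-style events. The events in `SAMPLE_EVENTS` are constructed; in particular, the page does not say whether the module runs net.exe or calls the account APIs directly, so a production rule should also consume Security log events 4720 (account created) and 4732 (member added to a local group). Individually, opening RDP or creating an account is routine administration, which is why the alert requires several distinct behaviours on one host.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not real Ousaban telemetry).
# Event ID 1 = process creation, 11 = file creation, 13 = registry value set.
SAMPLE_EVENTS = [
    {"host": "WS01", "id": 11, "image": r"C:\Users\ana\AppData\Local\Temp\setup\BlazeDVD.exe",
     "target": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.vbs"},
    {"host": "WS01", "id": 13, "image": r"C:\Users\ana\AppData\Local\Temp\setup\support.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    {"host": "WS01", "id": 13, "image": r"C:\Users\ana\AppData\Local\Temp\setup\support.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDll"},
    {"host": "WS01", "id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389'},
    {"host": "WS01", "id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=UDP localport=3389'},
    {"host": "WS01", "id": 1, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user Administrat0r Xy7!pq /add"},
    {"host": "WS01", "id": 1, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators Administrat0r /add"},
    # Benign admin on another host: opens RDP in the firewall and nothing else.
    {"host": "WS02", "id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389'},
]

RDP_KEYS = re.compile(r"\\CurrentControlSet\\(Control\\Terminal Server|Services\\TermService)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(lnk|vbs)$", re.I)
FW_3389 = re.compile(r"action=allow.*localport=3389\b", re.I)
NET_ADD = re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup\s+administrators)\s+(\S+)", re.I)


def lookalike_admin(name):
    """'Administrat0r'-style names: equal to 'administrator' once common
    digit-for-letter swaps are undone, but not literally 'administrator'."""
    n = name.lower()
    return n != "administrator" and n.translate(str.maketrans("013", "ole")) == "administrator"


def classify(event):
    """Map one event to the behaviours it evidences (possibly none)."""
    hits = set()
    if event["id"] == 13 and RDP_KEYS.search(event["target"]):
        hits.add("rdp_registry")
    if event["id"] == 13 and RUN_KEY.search(event["target"]):
        hits.add("persistence")
    if event["id"] == 11 and STARTUP.search(event["target"]):
        hits.add("persistence")
    if event["id"] == 1:
        cmd = event["cmdline"]
        if event["image"].lower().endswith("netsh.exe") and FW_3389.search(cmd):
            hits.add("firewall_3389")
        m = NET_ADD.search(cmd)
        if m and "/add" in cmd.lower():
            hits.add("account_" + m.group(2).split()[0].lower())
            if lookalike_admin(m.group(3)):
                hits.add("lookalike_admin")
    return hits


def score_hosts(events):
    """Distinct behaviours seen per host, sorted for stable output."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]] |= classify(event)
    return {host: sorted(hits) for host, hits in per_host.items()}


def alerts(events, min_distinct=3):
    """Hosts on which at least `min_distinct` of the behaviours co-occur."""
    return sorted(h for h, hits in score_hosts(events).items() if len(hits) >= min_distinct)


if __name__ == "__main__":
    for host, hits in score_hosts(SAMPLE_EVENTS).items():
        print(host, hits)
    print("alert:", alerts(SAMPLE_EVENTS))
```

The per-host grouping is deliberately time-agnostic to keep the example short; in a SIEM you would bound the correlation to a window of minutes, since the module performs all of these steps in one run. The `lookalike_admin` check is a cheap extra signal: a freshly created account whose name normalises to “administrator” deserves a ticket on its own.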

Cryptography

Ousaban uses three cryptographic schemes overall. Its strings are encrypted with an algorithm used by the vast majority of the Latin American banking trojans we have analyzed (we have previously described it in detail here). All communication between Ousaban and its C&C server is encrypted using the standard AES cipher with a hardcoded key.

The last algorithm is used in the previously mentioned injector specific to this family. We provide a Python implementation in Figure 6.

Figure 6. Algorithm used by Ousaban’s injector to decrypt its payloads

Remote configuration

Ousaban relies on remote configuration to obtain its next-stage URLs and the C&C address and port to use. Ousaban used to store its remote configuration on YouTube, similar to Casbaneiro, but nowadays it has started using Google Docs instead.

The remote configuration is in JSON format, with the values encrypted by the same algorithm used for strings, but with a different key. The fields have the following meaning:

  • host = C&C domain
  • link = next stage URL
  • porta = C&C port or 0 (the default HTTP port 80 is then used)
  • vers = Ousaban version
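The following added example (written for this article, not ESET’s code and not the implementation from the linked write-up) shows how such a configuration is recovered: decrypt each value, then apply the `porta` convention that 0 means port 80. The string cipher is a reconstruction of the scheme common to these families, as documented in ESET’s earlier analysis referenced in the Cryptography section: the string is hex-encoded, its first byte is a random seed, and each further byte is XORed with a rotating key and chained against the previous ciphertext byte. The wrap-around constant of 255 in the decrypt step is an assumption of this reconstruction (some published variants use 256); the matching encryptor is included only so the example is self-consistent and can build its own sample, and the key and configuration values are constructed, not taken from a sample. Before relying on it against a real sample, check the output against strings you can confirm in the binary.

```python
import json


def latam_decrypt(hex_ct, key):
    """Decrypt one hex-encoded string. data[0] is the seed; for every later
    byte c: t = c ^ key[i]; if t <= previous ciphertext byte, add 255
    (ASSUMED constant of this reconstruction); plaintext = t - previous."""
    data = bytes.fromhex(hex_ct)
    prev = data[0]
    out = bytearray()
    for i, c in enumerate(data[1:]):
        t = c ^ key[i % len(key)]
        if t <= prev:
            t += 255
        out.append(t - prev)
        prev = c
    return out.decode("latin-1")


def latam_encrypt(plain, key, seed):
    """Inverse of latam_decrypt; used here only to build sample data."""
    prev = seed
    out = bytearray([seed])
    for i, p in enumerate(plain.encode("latin-1")):
        s = p + prev
        if s > 255:
            s -= 255
        c = s ^ key[i % len(key)]
        out.append(c)
        prev = c                      # chaining is on ciphertext bytes
    return out.hex().upper()


KEY = b"ExampleKey-NotFromAnySample"   # constructed; real keys are per-family
FIELDS = ("host", "link", "porta", "vers")

# Constructed values in the layout the page describes.
SAMPLE_VALUES = {"host": "c2.example.invalid",
                 "link": "http://cdn.example.invalid/stage2.cab",
                 "porta": "0",
                 "vers": "1.0"}


def build_sample_config(values, key):
    """Constructed remote configuration: JSON whose values are encrypted
    strings, each with its own seed byte."""
    return json.dumps({k: latam_encrypt(values[k], key, seed=0x4A + n)
                       for n, k in enumerate(FIELDS)})


def parse_remote_config(text, key):
    """Decrypt every field and resolve the C&C endpoint: porta=0 means the
    default HTTP port 80 is used."""
    raw = json.loads(text)
    cfg = {k: latam_decrypt(raw[k], key) for k in FIELDS}
    port = int(cfg["porta"])
    return {"host": cfg["host"],
            "port": port if port else 80,
            "link": cfg["link"],
            "vers": cfg["vers"]}


if __name__ == "__main__":
    blob = build_sample_config(SAMPLE_VALUES, KEY)
    print(blob)
    print(parse_remote_config(blob, KEY))
```

Because the first byte is a random seed and every later byte depends on its predecessor, the same plaintext under the same key yields a different ciphertext for every seed; that is why grepping a sample for a known hex string fails and why extracting the key and decrypting programmatically, as above, is the practical route.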

Examples of the remote configuration are provided in Figure 7 and Figure 8.

Figure 7. Ousaban remote configuration on YouTube

Figure 8. Ousaban remote configuration on Google Docs

Similarities with other LATAM banking trojans

We have already mentioned some similarities between Ousaban and other Latin American banking trojans previously analyzed in this series (such as the same string decryption algorithm). During our research, we discovered further links to the other families, mainly:

  • Some Ousaban downloaders contain the same string obfuscation code as Amavaldo
  • Ousaban has been distributed by the same malicious ads as Mispadu in the past
  • The JavaScript files it uses are similar to those of Vadokrist, Mekotio, Casbaneiro and Guildma
  • The PowerShell files it sometimes uses for distribution (aside from the current methods described in this blogpost) are similar to those of Amavaldo, Casbaneiro and Mekotio

We analyzed the apparently close cooperation between these malware families in depth in our white paper presented at the Virus Bulletin 2020 conference.

Conclusion

In this installment of our series, we looked at Ousaban, a Latin American banking trojan targeting only Brazil. This malware family has been active since at least 2018 and shares the typical characteristics of this type of threat – it is written in Delphi, contains backdoor functionality and attacks using overlay windows.

We have covered its most common features, its distribution and execution methods and the structure of its remote configuration. We also found several leads that suggest Ousaban is connected to other Latin American banking trojans.

For any inquiries, contact us at threatintel@eset.com. Indicators of Compromise can be present in our GitHub repository.

Indicators of Compromise (IoCs)

Hashes

SHA-1 | Description | ESET detection name
C52BC5B0BDFC7D4C60DF60E88835E3145F7FB34F | Ousaban banking trojan | Win32/Spy.Ousaban.G
D04ACFAF74861DDC3B12E75658863DA65C03013F | Ousaban JS downloader | JS/TrojanDownloader.Banload.AAP
9A6A4BF3B6E974E367982E5395702AFF8684D500 | Ousaban JS downloader | JS/TrojanDownloader.Banload.AAP
3E8A0B6400F2D02B6B8CD917C279EA1388494182 | Ousaban MSI downloader | Win32/Spy.Ousaban.W
6946BFB8A519FED8EC8C30D9A56619F4E2525BEA | Ousaban injector | Win32/Spy.Ousaban.W
E5DD2355E85B90D2D648B96C90676604A5C3AE48 | Ousaban support module | Win32/Spy.Ousaban.AB

Abused legitimate applications

Example SHA-1 | EXE name | DLL name
BA5493B08354AEE85151B7BBD15150A1C3F03D1D | Avira.SystrayStartTrigger.exe | Avira.OE.NativeCore.dll
7F6C820B00FC8C628E2420C388BBB9096A547DAA | AudioGrabber.exe | StarBurn.dll
C5D5CF1B591C40344B20370C5EE5275356D312EC | PlGen.exe | bass_fx.dll
53045B8047CED049BBC7EBCB3D3299D2C465E8B9 | BlazeDVD.exe | SkinScrollBar.dll
A6118D354D512DC29965E368F6C78AA3A42A27AD | ImageGrabber.exe | StarBurn.dll
F9C71277CF05738275261D60A9E938CBA7232E0D | nvsmartmaxapp.exe | nvsmartmax.dll

Recent configuration file URLs

https://docs.google[.]com/document/d/1o9MlOhxIJq9tMOuUHJiw2eprQ-BGCA_ERnbF54dZ25w/edit
https://docs.google[.]com/document/d/1nQqifeYFsCcI7m-L1Y1oErkp50c-y670nfk7NTKOztg/edit
https://docs.google[.]com/document/d/13A6EBLMOOdvSL3u6IfyrPWbYREXNRVdDTiKzC6ZQx7U/edit
https://docs.google[.]com/doc/d/1UiuqrzI_rrtsJQHqeSkp0sexhwU_VSje8AwS-U6KBPk/edit
https://docs.google[.]com/document/d/1VKxF3yKbwQZive-ZPCA4dAU1zOnZutJxY2XZA0YHa3M/edit
https://docs.google[.]com/document/d/19bXTaiFdY5iUqUWXl92Js7i9RoZSLJqcECgpp_4Kda4/edit
https://docs.google[.]com/document/d/1DDDmJzBVcNWhuj8JMRUVb7JlrVZ5kYBugR_INSS96No/edit
https://docs.google[.]com/doc/d/1UbfOcHm-T9GCPiitqDRh5TNwZRNJ8_miEpLW-2ypU-I/edit
https://docs.google[.]com/doc/d/1d1903AvDBYgOo0Pt9xBBnpCHwSerOpIi4l1b6M4mbT4/edit
https://docs.google[.]com/doc/d/1JLuJKoxcd0vRqut8UeBjFJXzMDQ9OiY2ItoVIRq6Gw8/edit
https://docs.google[.]com/doc/d/1EOwVDlYPV3gE7PSnLZvuTgUQXvOSN9alyN5aMw7bGeI/edit
https://docs.google[.]com/document/d/18sc6rZjk529iYF2iBTsmuNXvqDqTBSH45DhSZpuLv_U/edit

MITRE ATT&CK techniques

Note: This table was built using version 8 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Resource Development | T1583.001 | Acquire Infrastructure: Domains | Ousaban operators register domains to be used as C&C servers.
Resource Development | T1587.001 | Develop Capabilities: Malware | Ousaban is operated by the same group that develops it.
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Ousaban’s initial downloader is most commonly distributed as a spam attachment.
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Ousaban uses PowerShell in some distribution chains.
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Ousaban uses cmd.exe to execute the legitimate applications that side-load the main Ousaban payload.
Execution | T1059.007 | Command and Scripting Interpreter: JavaScript/JScript | Ousaban uses JavaScript in some distribution chains.
Execution | T1204.002 | User Execution: Malicious File | Ousaban relies on the victim to execute the distributed MSI file.
Persistence | T1098 | Account Manipulation | Ousaban registers a new local administrator account on the victim’s machine.
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Ousaban achieves persistence using the Run key or the Startup folder.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Ousaban payloads and strings are encrypted.
Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Ousaban is typically executed by this method.
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Ousaban modifies the RDP settings of the victim’s machine.
Defense Evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Ousaban modifies Windows firewall settings.
Defense Evasion | T1027.001 | Obfuscated Files or Information: Binary Padding | Ousaban frequently uses binary padding.
Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | Ousaban binaries are protected by the Themida or Enigma packers.
Defense Evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | Ousaban uses the MSI format for execution.
Credential Access | T1056.001 | Input Capture: Keylogging | Ousaban can capture keystrokes.
Discovery | T1010 | Application Window Discovery | Ousaban looks for bank- and email-related windows based on their window names and titles.
Discovery | T1518.001 | Software Discovery: Security Software Discovery | Ousaban collects information about the security software installed on the victim’s machine.
Discovery | T1082 | System Information Discovery | Ousaban collects basic information about the victim’s machine, such as computer name and Windows version.
Collection | T1113 | Screen Capture | Ousaban can take screenshots.
Command and Control | T1132.002 | Data Encoding: Non-Standard Encoding | Ousaban uses RealThinClient, which provides non-standard encryption.
Command and Control | T1219 | Remote Access Software | Ousaban installs RDPWrap on the victim’s machine.
Exfiltration | T1041 | Exfiltration Over C2 Channel | Ousaban exfiltrates data via the C&C server.
