Another in our occasional series demystifying Latin American banking trojans
Ousaban is a Latin American banking trojan active exclusively in Brazil. ESET has been tracking this malware family since 2018. In common with most other LATAM banking trojans, Ousaban uses overlay windows to steal credentials and more from financial institutions. However, unlike most other LATAM banking trojans, Ousaban's developers have extended the use of overlay windows to steal credentials from popular regional email services. In this installment of our series, we examine its main features and its many connections to other Latin American banking trojan families.
Ousaban is written in Delphi, as are the vast majority of the other Latin American banking trojans ESET is tracking. And, as do many of them, Ousaban shows signs of active and continuous development.
The name ESET assigned to this family is a portmanteau of two words – "ousadia", which means "boldness" in Portuguese, and "banking trojan". The reason for such a name is that for a very long time, Ousaban was distributed alongside the pictures (some of them obscene) shown in Figure 1. In the latest campaigns distributing Ousaban, this is no longer the case.
Ousaban is also known as Javali, a name assigned by Kaspersky. A recent article about Ousaban can be found here. ESET has also been able to attribute Ousaban to the campaigns described in this blogpost from 2018. Even though some sources claim Ousaban is active in Europe, ESET has never observed any campaign spreading this banking trojan outside of Brazil.
Ousaban protects its executables with either the Themida or the Enigma binary protector. Additionally, most EXEs are enlarged, using binary padding, to roughly 400 MB, likely in an effort to evade detection and automated processing (many sandboxes and scanners skip files above a size limit).
Most recent Ousaban variants include a string table to hold their strings, storing this table in their .rsrc sections. One of the resources contains a zlib-compressed list of strings delimited by newline characters.
Its backdoor capabilities are very similar to those of a typical Latin American banking trojan – simulating mouse and keyboard actions and logging keystrokes. The latest variants communicate with C&C servers using RealThinClient – a protocol also used by Grandoreiro.
The typical Latin American banking trojan attacks users of financial institutions using overlay windows crafted specifically for its targets, and Ousaban is no exception. Interestingly though, its targets include several email services that it has overlay windows ready for as well, as illustrated in Figure 2.
To achieve persistence, Ousaban either creates a LNK file or a simple VBS loader in the startup folder, or it modifies the Windows registry Run key.
Distribution and execution
Ousaban is distributed mainly by means of phishing emails (such as the one in Figure 3). The threat actor behind Ousaban cycles through multiple distribution chains. These chains share some common characteristics, mainly:
- DLL side-loading is used to execute a binary payload
- CAB archives are sometimes used instead of ZIP
- A configuration file distributed inside the archive of one stage is required by the next stage
- An injector, unique to Ousaban, may be used
Recently, ESET has observed a new distribution chain spreading Ousaban massively. It is much more complicated than the one described above. The whole process is illustrated in Figure 5.
The first two stages are virtually identical. In both, the core of the stage is contained in an archive (ZIP or CAB) and consists of:
- A legitimate application
- An encrypted injector
- An encrypted downloader
- An encrypted configuration file
- Legitimate files
The legitimate application, when executed, side-loads the injector. The injector locates, decrypts and executes the downloader. The downloader decrypts the configuration file to obtain a URL leading to a remote configuration. The remote configuration contains a URL leading to the next-stage archive. The downloader downloads the next-stage archive, extracts its contents and executes the legitimate application it contains.
The final stage is slightly different, as it decrypts and executes the actual Ousaban banking trojan instead of a downloader. The third configuration file leads to a remote configuration with the C&C server IP address and port. The archive with the final stage contains another malware-related file – a support module that alters various settings of the victim's machine. Finally, the archives for all three stages include additional files – a single legitimate executable in the first-stage archive, 14 legitimate files in the second-stage archive, and 13 legitimate files in the third-stage archive plus an embedded archive containing an additional 102 legitimate files.
Ousaban loads this module to make it easier for the threat actor to connect to the victim's machine. It mainly:
- Modifies the RDP settings to use RDPWrap, a utility that allows multiple RDP connections to Home editions of the Windows OS
- Modifies firewall settings to allow all RDP connections
- Creates a new account with administrative privileges
The module contains the RDPWrap binaries stored in its .rsrc section. It then changes the RDP settings directly in the Windows registry at:
- HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
The module then uses netsh.exe to modify the Windows firewall to allow all TCP and UDP traffic directed to port 3389, the standard port for RDP. Finally, it creates a new account named Administrat0r with administrative privileges. We hypothesize that the threat actor wants to have a second way to access the victim's machine; the threat actor is then not limited by the capabilities of the Ousaban banking trojan and can perform any malicious activity.
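The three host changes described above (a firewall rule opening port 3389, writes under the Terminal Server key and a new Administrat0r account) are noisy enough to hunt for in endpoint telemetry. The following is an added example, not ESET's code or part of the original post: it runs simple detection logic over constructed process-creation, registry and account events. The event dictionaries, their field names and the sample command lines and registry values are assumptions made for the illustration; the post does not state which Terminal Server values the module sets, so the rule flags any write under that key.

```python
import re

# Added example (not ESET's code). Event shapes are assumptions, not a real EDR schema.
RDP_PORT = 3389
TERMINAL_SERVER_KEY = r"hklm\system\currentcontrolset\control\terminal server"
SUSPICIOUS_ACCOUNT = "administrat0r"  # account name reported in the post

_NETSH_ADD_RULE = re.compile(r"\bnetsh(?:\.exe)?\b.*\bfirewall\b.*\badd\b.*\brule\b", re.I)
_NETSH_ALLOW = re.compile(r"\baction\s*=\s*allow\b", re.I)
_NETSH_PORT = re.compile(r"\blocalport\s*=\s*(\S+)", re.I)


def _port_spec_covers(spec: str, port: int) -> bool:
    """True if a netsh localport value (3389, 3380-3390, 80,3389 or any) includes port."""
    spec = spec.strip('"').lower()
    if spec == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        hi = hi or lo
        if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False


def netsh_allows_rdp(cmdline: str) -> bool:
    """Flag 'netsh advfirewall firewall add rule ... action=allow ... localport=<covering 3389>'.

    Only the modern 'advfirewall' syntax is handled; the legacy 'netsh firewall' form is not.
    """
    if not _NETSH_ADD_RULE.search(cmdline) or not _NETSH_ALLOW.search(cmdline):
        return False
    m = _NETSH_PORT.search(cmdline)
    return bool(m) and _port_spec_covers(m.group(1), RDP_PORT)


def touches_terminal_server(reg_path: str) -> bool:
    """Any registry write under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server."""
    path = reg_path.lower().replace("hkey_local_machine", "hklm")
    return path.startswith(TERMINAL_SERVER_KEY)


def detect(events):
    """Return (rule_name, event) pairs for events matching the support module's behaviour."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process" and netsh_allows_rdp(ev.get("cmdline", "")):
            hits.append(("rdp_firewall_allow", ev))
        elif kind == "registry" and touches_terminal_server(ev.get("path", "")):
            hits.append(("terminal_server_modified", ev))
        elif kind == "user_created" and ev.get("name", "").lower() == SUSPICIOUS_ACCOUNT:
            hits.append(("suspicious_admin_account", ev))
    return hits


# Constructed sample telemetry: two firewall rules (TCP and UDP, as the post describes),
# one benign netsh call, one Terminal Server write, one unrelated Run-key write,
# the Administrat0r account and a benign account.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389'},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=UDP localport=3389'},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface ip show config"},
    {"type": "registry", "path": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", "value": 0},
    {"type": "registry", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", "value": "updater.exe"},
    {"type": "user_created", "name": "Administrat0r"},
    {"type": "user_created", "name": "svc_backup"},
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, ev)
```

Run against the sample, `detect` reports the two firewall rules, the Terminal Server write and the Administrat0r account, and stays quiet on the benign events. The port check deliberately accepts ranges and `any`, since a rule of `localport=any` opens 3389 just as effectively as one naming it.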
Ousaban utilizes three cryptographic schemes overall. Its strings are encrypted with an algorithm used by the majority of Latin American banking trojans we have analyzed (we have previously described it in detail here). All communications between Ousaban and its C&C server are encrypted using the standard AES cipher with a hardcoded key.
The final algorithm is used in the previously mentioned injector specific to this family. We provide a Python implementation in Figure 6.
```python
def decrypt(data, key):
    # data and key are bytes-like; each output byte is key[i % key_len] ^ c ^ a
    # position-dependent mask, which differs for odd and even offsets
    data_dec = str()
    key_len = len(key)
    for i, c in enumerate(data):
        if i % 2 != 0:
            data_dec += chr(key[i % key_len] ^ c ^ ((key_len - (i & key_len)) & 0xFF))
        else:
            data_dec += chr(key[i % key_len] ^ c ^ (i & 0xFF))
    return data_dec
```
Figure 6. Algorithm used by Ousaban’s injector to decrypt its payloads
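Because every step of the Figure 6 routine is an XOR with the key byte and a position-dependent mask, the scheme is its own inverse and leaks the key to anyone who knows a few bytes of plaintext. The following is an added example (not ESET's code and not taken from the injector): it restates the scheme bytes-in/bytes-out and then recovers the key from a known plaintext prefix, the way an analyst would use the DOS header of the decrypted PE payload. The key `SAMPLE_KEY` and the PE-like header `SAMPLE_PAYLOAD` are constructed for the demo and are not real Ousaban values; the key length is assumed known (in practice it is guessed or brute-forced).

```python
# Added example (not ESET's code): the injector's XOR scheme as bytes-in/bytes-out,
# plus known-plaintext key recovery. The key and payload below are constructed.

def _mask(i: int, key_len: int) -> int:
    """The position-dependent byte the injector XORs in besides the key byte."""
    if i % 2 != 0:
        return (key_len - (i & key_len)) & 0xFF
    return i & 0xFF


def transform(data: bytes, key: bytes) -> bytes:
    """Decrypt a payload; since every step is an XOR, the same call also encrypts."""
    key_len = len(key)
    return bytes(key[i % key_len] ^ c ^ _mask(i, key_len) for i, c in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover the key from a ciphertext prefix whose plaintext is known.

    Each output byte is key[i % key_len] ^ c ^ mask(i), so a known plaintext
    byte p at offset i gives key[i % key_len] = c ^ p ^ mask(i). The decrypted
    payload is a PE file, so its largely constant DOS header is the natural
    known plaintext. key_len is assumed known here; the known prefix must be
    at least key_len bytes long or a ValueError is raised.
    """
    key = [None] * key_len
    for i, (c, p) in enumerate(zip(ciphertext, known_plaintext)):
        key[i % key_len] = c ^ p ^ _mask(i, key_len)
    if any(k is None for k in key):
        raise ValueError("known plaintext shorter than key length")
    return bytes(key)


# Constructed demo inputs: a made-up key and a standard-looking DOS header
# followed by the usual stub message (not a real Ousaban sample).
SAMPLE_KEY = b"ousadia!"
SAMPLE_PAYLOAD = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 48
    + b"This program cannot be run in DOS mode.\r\n"
)


def demo() -> bytes:
    """Encrypt the sample, check the round trip, then recover the key from the header."""
    encrypted = transform(SAMPLE_PAYLOAD, SAMPLE_KEY)
    assert transform(encrypted, SAMPLE_KEY) == SAMPLE_PAYLOAD
    # Only the first key_len bytes of plaintext are needed: the 'MZ' header suffices.
    return recover_key(encrypted, SAMPLE_PAYLOAD[: len(SAMPLE_KEY)], len(SAMPLE_KEY))


if __name__ == "__main__":
    print(demo())
```

The practical consequence is that an encrypted injector payload never needs the key extracted from the binary: the first few bytes of any PE header, combined with a short brute force over candidate key lengths, are enough to recover it and decrypt the rest.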
Ousaban relies on remote configuration to obtain its next-stage URLs and the C&C address and port to use. Ousaban used to store its remote configuration on YouTube, similarly to Casbaneiro, but lately it has started using Google Docs instead.
The remote configuration is in JSON format, with the values encrypted by the same algorithm used for strings but with a different key. The fields have the following meaning:
- host = C&C domain
- link = next-stage URL
- porta = C&C port, or 0 (the default HTTP port 80 is then used)
- vers = Ousaban version
Examples of the remote configuration are provided in Figure 7 and Figure 8.
Similarities with other LATAM banking trojans
We have already mentioned some similarities between Ousaban and other Latin American banking trojans previously analyzed in this series (such as the same string decryption algorithm). During our analysis, we found further links to the other families, mainly:
- Some Ousaban downloaders contain the same string obfuscation code as Amavaldo
- Ousaban has been distributed by the same malicious ads as Mispadu in the past
- The PowerShell files it sometimes uses for distribution (aside from the current methods described in this blogpost) are similar to those of Amavaldo, Casbaneiro and Mekotio
We analyzed the apparently close cooperation between these malware families in depth in our white paper presented at the Virus Bulletin 2020 conference.
In this installment of our series, we looked at Ousaban, a Latin American banking trojan targeting only Brazil. This malware family has been active since at least 2018 and shares the typical traits of this type of threat – it is written in Delphi, contains backdoor functionality and attacks using overlay windows.
We have covered its most common features, its distribution and execution methods and the structure of its remote configuration. We also found several leads that suggest Ousaban is linked to other Latin American banking trojans.
For any inquiries, contact us at firstname.lastname@example.org. Indicators of Compromise can be found in our GitHub repository.
Indicators of Compromise (IoCs)
| SHA-1 | Description | ESET detection name |
|---|---|---|
| C52BC5B0BDFC7D4C60DF60E88835E3145F7FB34F | Ousaban banking trojan | Win32/Spy.Ousaban.G |
| D04ACFAF74861DDC3B12E75658863DA65C03013F | Ousaban JS downloader | JS/TrojanDownloader.Banload.AAP |
| 9A6A4BF3B6E974E367982E5395702AFF8684D500 | Ousaban JS downloader | JS/TrojanDownloader.Banload.AAP |
| 3E8A0B6400F2D02B6B8CD917C279EA1388494182 | Ousaban MSI downloader | Win32/Spy.Ousaban.W |
| E5DD2355E85B90D2D648B96C90676604A5C3AE48 | Ousaban support module | Win32/Spy.Ousaban.AB |
Abused legitimate applications
| Example SHA-1 | EXE name | DLL name |
|---|---|---|
Current configuration file URLs
MITRE ATT&CK techniques
Note: This table was built using version 8 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Ousaban operators register domains to be used as C&C servers. |
| Resource Development | T1587.001 | Develop Capabilities: Malware | Ousaban is operated by the same group that develops it. |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Ousaban's initial downloader is most commonly distributed as a spam attachment. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Ousaban uses PowerShell in some distribution chains. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Ousaban uses cmd.exe to execute the legitimate applications that side-load the main Ousaban payload. |
| Execution | T1204.002 | User Execution: Malicious File | Ousaban relies on the victim to execute the distributed MSI file. |
| Persistence | T1098 | Account Manipulation | Ousaban registers a new local administrator account on the victim's machine. |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Ousaban achieves persistence using the Run key or the startup folder. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Ousaban payloads and strings are encrypted. |
| Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Ousaban is usually executed by this method. |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Ousaban modifies the RDP settings of the victim's machine. |
| Defense Evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Ousaban modifies Windows firewall settings. |
| Defense Evasion | T1027.001 | Obfuscated Files or Information: Binary Padding | Ousaban frequently uses binary padding. |
| Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | Ousaban binaries are protected by the Themida or Enigma packers. |
| Defense Evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | Ousaban uses the MSI format for execution. |
| Credential Access | T1056.001 | Input Capture: Keylogging | Ousaban can capture keystrokes. |
| Discovery | T1010 | Application Window Discovery | Ousaban looks for bank- and email-related windows based on their window names and titles. |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery | Ousaban collects information about the security software installed on the victim's machine. |
| Discovery | T1082 | System Information Discovery | Ousaban collects basic information about the victim's machine, such as computer name and Windows version. |
| Collection | T1113 | Screen Capture | Ousaban can take screenshots. |
| Command and Control | T1132.002 | Data Encoding: Non-Standard Encoding | Ousaban uses RealThinClient, which provides non-standard encryption. |
| Command and Control | T1219 | Remote Access Software | Ousaban installs RDPWrap on the victim's machine. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Ousaban exfiltrates data via its C&C server. |