steven36 Posted October 3, 2019

In their effort to hide the command and control (C2) server addresses, operators of a banking trojan placed them in fake websites and in descriptions for YouTube videos.

The name of the malware is Casbaneiro and its wide distribution is possible through ReLoader, an illegal activation tool used to create pirated versions of the Windows operating system and Microsoft's Office suite. Some variants of ReLoader download and install the banking trojan first and only then run their intended course.

The method is unusual for Latin America, where Casbaneiro normally operates, but victims are unlikely to notice the malware slipping in since the activator still does its job.

C2 address snuck in online resources

The banker is not new in the business, being the sixth most prevalent banking trojan in Latin America earlier this year. It was also observed in various campaigns by researchers at FireEye, Cisco, and enSilo.

There are at least four variants of the malware in circulation, but at the core they have code nearly identical to a publicly available remote access tool.

Malware analysts from ESET also found strong connections between Casbaneiro and another banking trojan called Amavaldo. The common ground between the two includes an uncommon cryptographic algorithm in the injector component, the use of a similar PowerShell script in one campaign, and the distribution of a tool designed to automatically register new email accounts on Brasil Online.

What caught the eye of the ESET researchers, though, is the operators' toil to hide the C2 servers. While the researchers saw the server addresses stored in the malware binary, they also noticed some variants that retrieved the info in a less obvious way.

One method observed is having the C2 address embedded in an online document (Google Docs). The file is filled with useless text but also contains the name of the domain in encrypted form. The start and the end of the string are marked by an exclamation point and it is encoded in hexadecimal. Multiple variations of the delimiters may be used. The communication port is embedded in the binary, ESET researchers say in a report published today.

A more laborious method discovered by the analysts involved setting up a fake website and hiding the C2 domain in the web page's metadata. For this purpose, Casbaneiro operators imitated a legitimate website that simply offered the current time and date in Brazil. A connection to such a website is unlikely to raise any suspicions. The researchers found at least three fake websites that included URLs for different Casbaneiro C2 servers.

However, the most interesting method to hide the command servers is by embedding the addresses in the description of YouTube videos. The researchers found two accounts used by the threat actor for this purpose. One of them focuses on cooking recipes and the other on soccer, two categories that are particularly popular in Brazil.

Placed at the end of the video description, the address of a Casbaneiro C2 server is disguised as a link to a Facebook or Instagram page. These are fake, though, as their role is simply to store the domain name in encrypted form.

Just like in the case of the website showing Brazil time, connecting to YouTube is no cause for concern because it is normal traffic. Even taking a look at the video gives no clue, and the link at the end of the description is easily missed, the researchers say.

The right C2 and payloads

Generating the command and control domain involves using a fake Domain Name System (DNS) entry. According to ESET's analysis, the method works by registering a domain and associating it with a fake IP address, which is used to derive the real IP address.

The algorithm for generating the real C2 address is not very complicated and consists of using a base domain, suffixes, and a specific number. The base domain is used to derive a new domain, which resolves to a fake IP. By adding a number to the IP, the real IP address is obtained.

ESET says that apart from these particularities, Casbaneiro's capabilities are not much different from other banking trojans spread in the Latin America region, which typically come with a backdoor that allows downloading and executing other malware.

One of the payloads observed by the researchers is an email tool written in C# that creates new accounts on the Brasil Online email platform and sends the credentials to the attacker. Another one is a password stealer for Outlook credentials that prompts the victim to launch a phishing page and log in.

Casbaneiro is not limited to collecting banking info and distributing other malware. It can also steal cryptocurrency by monitoring the clipboard for strings that look like a cryptocurrency wallet address and replacing them with the attacker's wallet address.

Although the malware is not sophisticated, its capabilities are extensive enough to generate multiple revenue streams for its operators or to enable them to switch to different money-driven attacks.

Source
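Added example, not code from the ESET report or from anyone in this thread: the Python below shows how an analyst could recover a C2 domain hidden as delimited hex inside filler text (a Google Docs body, page metadata, a video description), and how a decoy DNS answer plus a number can yield the real C2 IP. The delimiter set, the choice to add the number to the 32-bit form of the address (the article only says "a number is added to the IP"), the injectable resolver and all sample text are assumptions made for this example.

```python
"""Added example (not from the ESET report or the forum post).

extract_hidden_domains(): find <delim><hex><delim> runs in a blob of text and
keep only those that decode to a plausible hostname, discarding hex that is
odd-length, non-ASCII or not hostname-shaped.

derive_real_ip() / resolve_real_c2(): turn the decoy IP returned for the
generated domain into the real C2 IP by adding a number. ASSUMPTION: the
number is added to the 32-bit integer form of the IPv4 address (carrying
across octets, wrapping at 2^32); the report only says "a number is added".
"""
import ipaddress
import re
import socket

# ASSUMPTION: the report says "!" marks both ends and that other delimiter
# variants exist, so accept a small set of single-character delimiters.
DELIMITERS = "!#@"

# Loose hostname check: dotted labels of letters/digits/hyphens with an
# alphabetic TLD. Enough to reject binary garbage that happens to be valid hex.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed sample document: mostly filler, two decoys and one real marker.
SAMPLE_DOC = (
    "Weekly report: sales, targets and quarterly results. "
    "!deadbeef! "                               # valid hex, but not text
    "!abc! "                                    # odd length, not a byte string
    "More meaningless text to pad the document out. "
    "!6578616d706c652d63322e696e76616c6964! "   # hex of "example-c2.invalid"
    "end of document."
)


def extract_hidden_domains(text: str, delimiters: str = DELIMITERS) -> list:
    """Return hostnames hidden as <d><hex><d> in text, in order of appearance."""
    # Same delimiter must open and close the run (backreference to group 'd').
    pattern = re.compile(
        r"(?P<d>[" + re.escape(delimiters) + r"])([0-9a-fA-F]+)(?P=d)"
    )
    found = []
    for m in pattern.finditer(text):
        hexstr = m.group(2)
        if len(hexstr) % 2:                 # cannot be a whole number of bytes
            continue
        try:
            candidate = bytes.fromhex(hexstr).decode("ascii").lower()
        except UnicodeDecodeError:          # e.g. "deadbeef" decodes to non-ASCII
            continue
        if _HOSTNAME_RE.match(candidate) and candidate not in found:
            found.append(candidate)
    return found


def derive_real_ip(decoy_ip: str, number: int) -> str:
    """Real IP = decoy IP + number, added to the 32-bit form (ASSUMPTION)."""
    base = int(ipaddress.IPv4Address(decoy_ip))
    return str(ipaddress.IPv4Address((base + number) % (1 << 32)))


def resolve_real_c2(generated_domain: str, number: int,
                    resolver=socket.gethostbyname) -> str:
    """Resolve the generated domain to its decoy IP, then apply the offset.

    'resolver' is injectable so the flow can be exercised offline; the default
    performs a live DNS lookup, which an analyst may not want from a lab host.
    """
    decoy_ip = resolver(generated_domain)
    return derive_real_ip(decoy_ip, number)


if __name__ == "__main__":
    print(extract_hidden_domains(SAMPLE_DOC))
    print(derive_real_ip("203.0.113.250", 10))
    print(resolve_real_c2("decoy.example", 7, resolver=lambda _d: "203.0.113.250"))
```

Run it against real samples by feeding the saved document body, page source or video description into extract_hidden_domains(); anything it returns is a candidate for blocking, and the decoded hostname is a more useful hunt indicator than the hex blob itself, which changes whenever the operators rotate delimiters.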
Iceman96 Posted October 3, 2019

I know that loader, that's Rain's work, WOW
zanderthunder Posted October 4, 2019

14 hours ago, Iceman96 said: I know that loader, that's Rain's work, WOW

Yeah, I noticed that too. But from what I see in the application picture, it is the older release of the loader. The last release that I know of is version 3.0 beta 3. No idea what happened to the Re-Loader project or even its creator after that release.
Ha91 Posted October 21, 2019

@iceman @edward as you guys can see, they edited the picture and altered the loader a bit. I don't know why anyone would do that and not just edit the code? @mach1 @steve36
This topic is now archived and is closed to further replies.