CHAVECLOAK is a banking trojan that targets users, mainly in Brazil, in order to steal sensitive financial information.
CHAVECLOAK Malware Exploits Windows
The attack begins with an email carrying a malicious PDF. Opening the PDF leads the victim to download a ZIP file, and the dropped contents use DLL side-loading to execute the final payload.
Telemetry from the command-and-control server indicates that the majority of the traffic originates from Brazil.
According to the Fortinet report cited in cybersecurity news, the initial attack vector is a phishing email. The email asks the recipient to open an attachment purportedly related to a contract and instructs them to sign the contract through a provided link.
The link, generated through the free URL link shortener service “Goo.su,” redirects to a server hosting a malicious ZIP file.
The ZIP file contains an MSI installer named “NotafiscalGFGJKHKHGUURTURTF345.msi”. Decompressing the ZIP extracts the MSI, and extracting the MSI in turn reveals its contents.
Inside the MSI installer are several TXT files and a DLL file named “Lightshot.dll.”
Comparing the modification timestamps of the files inside the MSI shows that the DLL carries the most recent date, indicating it was the last component to be modified.
Subsequent analysis showed that the entire configuration was written in Portuguese.
Upon installation, the MSI deposits these files into the “%AppData%\Skillbrains\lightshot\5.5.0.7” folder.
The installer also drops the executable “Lightshot.exe” into the same folder. When Lightshot.exe runs, it loads a DLL by name from its own directory, so the malicious “Lightshot.dll” placed beside it is loaded instead of the genuine library (DLL side-loading).
This malicious DLL is the component that extracts sensitive information from the compromised system.
CHAVECLOAK Banking Trojan
Once running, the trojan collects volume and file-system information for the specified root directory. For persistence it adds “Lightshot.exe” to a registry auto-start entry, so the DLL side-load is repeated at every start and the malware keeps its foothold. It then confirms that the victim is located in Brazil by sending an HTTP request to “hxxp://64[.]225[.]32[.]24/shn/inspecionando.php”.
On compromised systems CHAVECLOAK can block the screen, log keystrokes, and display deceptive pop-up windows.
It also monitors the victim’s activity on specific financial portals, including banks and Bitcoin-related sites.
Indicators Of Compromise
IP
- 64[.]225[.]32[.]24
URLs
- hxxps://webattach.mail.yandex.net/message_part_real/NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUUR[.]zip
- hxxps://goo[.]su/FTD9owO
Hostnames
- mariashow[.]ddns[.]net
- comunidadebet20102[.]hopto[.]org
Files (SHA-256)
- 51512659f639e2b6e492bba8f956689ac08f792057753705bf4b9273472c72c4
- 48c9423591ec345fc70f31ba46755b5d225d78049cfb6433a3cb86b4ebb5a028
- 4ab3024e7660892ce6e8ba2c6366193752f9c0b26beedca05c57dcb684703006
- 131d2aa44782c8100c563cd5febf49fcb4d26952d7e6e2ef22f805664686ffff
- 8b39baec4b955e8dfa585d54263fd84fea41a46554621ee46b769a706f6f965c
- 634542fdd6581dd68b88b994bc2291bf41c60375b21620225a927de35b5620f9
- 2ca1b23be99b6d46ce1bbd7ed16ea62c900802d8efff1d206bac691342678e55
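The following is an added example, not code from the article or from Fortinet. It turns the defanged indicators above, plus the drop path and persistence behaviour described in the earlier section, into a small hunting script: it refangs the network IOCs and matches them against proxy log lines, matches a file inventory against the published SHA-256 hashes, flags any directory where Lightshot.exe and Lightshot.dll sit side by side, and flags auto-start entries that launch Lightshot.exe from an AppData path. The log lines, file inventory, registry values and the placeholder hashes on the inventory entries are all constructed for the example (the article does not say which hash belongs to which file).

```python
import re
from pathlib import PureWindowsPath

# Network indicators copied from the article, defanged exactly as published.
DEFANGED_NET_IOCS = [
    "64[.]225[.]32[.]24",
    "hxxps://webattach.mail.yandex.net/message_part_real/NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUUR[.]zip",
    "hxxps://goo[.]su/FTD9owO",
    "mariashow[.]ddns[.]net",
    "comunidadebet20102[.]hopto[.]org",
    "hxxp://64[.]225[.]32[.]24/shn/inspecionando.php",
]

# File hashes copied from the article's IOC list (64 hex chars, so SHA-256).
FILE_HASHES = {
    "51512659f639e2b6e492bba8f956689ac08f792057753705bf4b9273472c72c4",
    "48c9423591ec345fc70f31ba46755b5d225d78049cfb6433a3cb86b4ebb5a028",
    "4ab3024e7660892ce6e8ba2c6366193752f9c0b26beedca05c57dcb684703006",
    "131d2aa44782c8100c563cd5febf49fcb4d26952d7e6e2ef22f805664686ffff",
    "8b39baec4b955e8dfa585d54263fd84fea41a46554621ee46b769a706f6f965c",
    "634542fdd6581dd68b88b994bc2291bf41c60375b21620225a927de35b5620f9",
    "2ca1b23be99b6d46ce1bbd7ed16ea62c900802d8efff1d206bac691342678e55",
}


def refang(ioc: str) -> str:
    """Reverse the usual defanging so the indicator matches real log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


NET_IOCS = {refang(i) for i in DEFANGED_NET_IOCS}

# Strips an optional scheme and anything after the host (port, path) from a token.
HOST_RE = re.compile(r"^(?:https?://)?([^/:\s]+)")


def match_network(log_text: str) -> list:
    """Return (line_number, ioc) pairs for tokens that equal an IOC URL/host or whose host part is an IOC."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for token in line.split():
            found = set()
            if token in NET_IOCS:          # full URL match (e.g. the goo.su link)
                found.add(token)
            m = HOST_RE.match(token)
            if m and m.group(1) in NET_IOCS:  # host / IP match regardless of port or path
                found.add(m.group(1))
            hits.extend((lineno, ioc) for ioc in sorted(found))
    return hits


def match_file_hashes(inventory: dict) -> list:
    """inventory maps file path -> SHA-256 hex digest (e.g. from a forensic file listing)."""
    return [path for path, digest in inventory.items() if digest.lower() in FILE_HASHES]


def find_sideload_pairs(inventory: dict) -> list:
    """Directories containing both Lightshot.exe and Lightshot.dll: the side-loading layout described above."""
    by_dir = {}
    for path in inventory:
        wp = PureWindowsPath(path)
        by_dir.setdefault(str(wp.parent).lower(), set()).add(wp.name.lower())
    return sorted(d for d, names in by_dir.items() if {"lightshot.exe", "lightshot.dll"} <= names)


def match_run_keys(run_values: dict) -> list:
    """run_values maps auto-start value name -> command line; flag Lightshot.exe launched from AppData."""
    return [name for name, cmd in run_values.items()
            if "lightshot.exe" in cmd.lower() and "\\appdata\\" in cmd.lower()]


# ---- constructed sample data (not real telemetry) ----
DROP_DIR = r"C:\Users\alice\AppData\Roaming\Skillbrains\lightshot\5.5.0.7"
SAMPLE_INVENTORY = {
    DROP_DIR + r"\Lightshot.exe": "0" * 64,  # placeholder hash, hypothetical
    DROP_DIR + r"\Lightshot.dll": "51512659f639e2b6e492bba8f956689ac08f792057753705bf4b9273472c72c4",  # IOC hash placed here only to exercise the matcher
    r"C:\Windows\System32\kernel32.dll": "1" * 64,  # placeholder hash, hypothetical
}
SAMPLE_RUN_KEYS = {
    "Lightshot": DROP_DIR + r"\Lightshot.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}
SAMPLE_PROXY_LOG = """\
2024-03-05T13:02:11Z 10.0.0.15 GET https://goo.su/FTD9owO 302
2024-03-05T13:02:12Z 10.0.0.15 GET https://webattach.mail.yandex.net/message_part_real/NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUUR.zip 200
2024-03-05T13:05:40Z 10.0.0.15 GET http://64.225.32.24/shn/inspecionando.php 200
2024-03-05T13:06:01Z 10.0.0.15 CONNECT mariashow.ddns.net:443 200
2024-03-05T13:07:22Z 10.0.0.22 GET https://www.example.com/ 200
"""

if __name__ == "__main__":
    print("network hits:", match_network(SAMPLE_PROXY_LOG))
    print("hash hits:", match_file_hashes(SAMPLE_INVENTORY))
    print("side-load dirs:", find_sideload_pairs(SAMPLE_INVENTORY))
    print("auto-start hits:", match_run_keys(SAMPLE_RUN_KEYS))
```

The host-level checks are leads rather than verdicts: a Lightshot.exe/Lightshot.dll pair also exists in a genuine Lightshot install, so treat a pair as suspicious only together with the AppData drop path, an unexpected DLL timestamp or a hash hit, and confirm with the network indicators. Matching the IP on its host part (not only the full inspecionando.php URL) catches any other path the C2 may serve.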