Blog Other Blogs McAfee Labs Banload Trojan Targets Brazilians With Malware Downloads

Banload Trojan Targets Brazilians With Malware Downloads

McAfee

Aug 09, 2016

4 MIN READ

McAfee Labs has recently encountered new variants of the Banload Trojan. Banload has been around since the last decade. This malware generally arrives on a victim’s system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or a drive-by download. When executed, Banload downloads other malware, often banking Trojans, on the victim’s system to carry out further infections. We have observed this malware is using the functionality of the legitimate freeware Mep Installer to carry out the infection cycle.

Mep Installer builds installation programs for Windows based on Inno Setup. When Mep Installer executes, it creates a temporary installation file in the %TEMP% directory. This file has the following execution command:

banload_command

Mep Installer has its signature at the offset used in the preceding command:

Signature

This temporary installation file checks for the Mep Installer signature. If found, the file will read data from the third argument, which is a zlib-compressed file. The following is a snippet of the compressed data:

banload_ZlibCompress

The temporary installation file has a zlib decompression procedure. After decompression it drops the executable and runs it.

banload_Mep_Cycle

Infection chain
We have observed that Banload hooks the Mep Installer to trick users into installing the Portuguese version of this software. Once the user gets a Banload-infected Mep Installer, the malware uses same functionality as the genuine Mep Installer to avoid suspicion. The infected version carries the malware inside the zlib-compressed file.

The malware executes with the same command as with the legitimate Mep Installer:

banload_nal_command

Upon decompression the temp file drops the malware in the Windows directory, as shown below:

banload_mal_run

This malware uses the temporary file of the genuine installer to carry out the infection. Banload also displays a fake Mep Installer signature to appear to be legitimate.

banload_mal_cycle

Obscuring techniques
The malware uses a number of tricks to avoid execution in controlled environments such as virtual machines, sandboxes, etc. It also checks for network monitoring tools like CommView, TCPView, etc.

banload_tricks

The malware uses the following code patch to check for virtual machines:

banload_AntiVM

Banload terminates if the system’s language ID does not match to 0x0416, Portuguese.

banload_languagID

The malware also creates a mutex to ensure that only one instance of the malware is running at a time. The malware author uses standard RC4 algorithm to hide the payload’s URL. The encrypted URL looks like this:

banload_URl_encrypted

The following are some of the decrypted URLs from which the malware downloads payloads to carry out further infections:

  • http://[BLOCKED].br/modulorato/rato.zip
  • http:// [BLOCKED].com.br/banner.zip
  • http:// [BLOCKED].net.br/KL/Windows.zip
  • http:// [BLOCKED].com.br/backup/site/CACminde.zip
  • http:// [BLOCKED].com.br/KL/ljinguID.zip
  • http://maranhao. [BLOCKED].com.br/modulo/maranhao.zip
  • https://storage.googleapis.com/[BLOCKED]/ [BLOCKED].zip
  • https://storage.googleapis.com/[BLOCKED]/ [BLOCKED].zip
  • https://www.4shared.com/web/directDownload/[BLOCKED]/goqt4x. [BLOCKED]
  • https://www.4shared.com/web/directDownload/[BLOCKED]/gk5y6n. [BLOCKED]
  • https://storage.googleapis.com/[BLOCKED]/[BLOCKED].zip
  • https://www.4shared.com/web/directDownload/[BLOCKED]/gbo7i6. [BLOCKED]
  • http://www. [BLOCKED].org/ddlevelsfiles/imgs.zip
  • https://www.4shared.com/web/directDownload/[BLOCKED]/gpms2b. [BLOCKED]

The downloaded files are encrypted and are decrypted by the malware at runtime. The downloaded file may look like this:

banload_downloaded_encrypted

After decrypting this, we get this Zip file:

banload_downloaded_decrypted

Summary
This malware targets Brazilians by using the Mep Installer’s Portuguese version, checking for the Portuguese language ID, and most of the URLs listed above are from Brazil. McAfee products detect this malware as Downloader-FBIC! McAfee advises all users to keep their antimalware products up to date.

Analyzed hashes, SHA256

  • C5D3EC816D9029A5EDC6F0C64E1E9CAC02CF73A8A4828C3088C34FEF7338CC21
  • 98F38A78E8DCEE34DCFFB53D5A3E678E5572DDC2DFF2E0EF832FCBCEF3F5E7DC

 

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.

FacebookTwitterInstagramLinkedINYouTubeRSS
McAfee Blog Archives

We're here to make life online safe and enjoyable for everyone.

More from McAfee Labs

SpyLoan: A Global Threat Exploiting Social Engineering
Authored by: Fernando Ruiz The McAfee mobile research team recently identified a significant global increase of SpyLoan,...

Nov 25, 2024   |   16 MIN READ

Lumma Stealer on the Rise: How Telegram Channels Are Fueling Malware Proliferation
Authored by: M. Authored by: M, Mohanasundaram and Neil Tyagi In today’s rapidly evolving cyber landscape, malware...

Nov 20, 2024   |   18 MIN READ

The Dark Side of Gen AI
There’s no denying that Generative Artificial Intelligence (GenAI) has been one of the most significant technological developments...

Nov 18, 2024   |   5 MIN READ

Behind the CAPTCHA: A Clever Gateway of Malware
Authored by Yashvi Shah and Aayush Tyagi Executive summary McAfee Labs recently observed an infection chain where...

Sep 20, 2024   |   8 MIN READ

Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware
Authored by Neil Tyagi In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are...

Sep 19, 2024   |   14 MIN READ

New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition
Authored by SangRyol Ryu Recently, McAfee’s Mobile Research Team uncovered a new type of mobile malware that...

Sep 05, 2024   |   10 MIN READ

The Scam Strikes Back: Exploiting the CrowdStrike Outage
Authored by Lakshya Mathur, Vallabh Chole & Abhishek Karnik Recently we witnessed one of the most significant...

Jul 30, 2024   |   5 MIN READ

Olympics Has Fallen – A Misinformation Campaign Featuring a Voice Cloned Elon Musk
Authored by Lakshya Mathur and Abhishek Karnik As the world gears up for the 2024 Paris Olympics,...

Jul 26, 2024   |   6 MIN READ

ClickFix Deception: A Social Engineering Tactic to Deploy Malware
Authored by Yashvi Shah and Vignesh Dhatchanamoorthy McAfee Labs has discovered a highly unusual method of malware...

Jul 11, 2024   |   9 MIN READ

Quality Over Quantity: the Counter-Intuitive GenAI Key
It’s been almost two years since OpenAI launched ChatGPT, driving increased mainstream awareness of and access to...

Jun 28, 2024   |   3 MIN READ

Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud
Authored by Dexter Shin Many government agencies provide their services online for the convenience of their citizens....

May 31, 2024   |   7 MIN READ

How Scammers Hijack Your Instagram
Authored by Vignesh Dhatchanamoorthy, Rachana S Instagram, with its vast user base and dynamic platform, has become...

May 14, 2024   |   6 MIN READ

Back to top