CHAVECLOAK Malware Hacks Windows Via Weaponized PDF File

Threat actors have been observed using a new technique to deploy the CHAVECLOAK banking trojan against users in Brazil.

This trojan steals sensitive information related to the victim's financial activity.


The attack vector is a malicious email carrying a PDF file; the PDF leads to the download of a ZIP file, whose contents use DLL side-loading to execute the final malware.

Command-and-control (C2) telemetry for this malware shows that most of the traffic originates from Brazil.

Attack flow vector of CHAVECLOAK (Source: Fortinet)

CHAVECLOAK Malware Hacks Windows

According to the report shared by Fortinet, the initial attack vector of this banking trojan is a phishing email that refers to an attached contract which must be signed via a link in the email.

Phishing email (Source: Fortinet)

This link was generated with the free URL shortener service “Goo.su” and points to a server hosting a malicious ZIP file.

The ZIP contains an MSI file named “NotafiscalGFGJKHKHGUURTURTF345.msi”.


MSI Installer

The malicious “NotafiscalGFGJKHKHGUURTURTF345.msi” is extracted when the ZIP file is decompressed. Unpacking the MSI in turn reveals the contents of the installer.

The MSI installer contains multiple TXT files along with a DLL file named “Lightshot.dll”.

Contents of the MSI installer (Source: Fortinet)

Compared with the modification dates of the other files inside the MSI, this DLL carries the most recent date, which indicates that it was the last file to be modified.

Further analysis revealed that the installer's entire configuration is written in Portuguese.

If installed, the MSI drops these files into the “%AppData%\Skillbrains\lightshot\5.5.0.7” folder.

The executable “Lightshot.exe” is dropped into the same folder; it serves as the host for a DLL side-loading technique, so that running the EXE triggers execution of the malicious “Lightshot.dll”.

This malicious DLL then extracts sensitive information from the compromised system.

CHAVECLOAK Banking Trojan “Lightshot.dll”

This banking trojan performs multiple operations, including gathering volume and file-system information for the specified root directory.

To run automatically, “Lightshot.exe” is registered in an autorun registry value, so that each start of the executable triggers the malware through the DLL side-loading described above.

This establishes persistence on the compromised system. The malware then sends an HTTP request to “hxxp://64[.]225[.]32[.]24/shn/inspecionando.php” to confirm, via the system's geolocation, whether the victim is located in Brazil.
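The drop-and-side-load chain above has a recognisable shape in endpoint telemetry: a DLL loaded from the same user-writable folder as its host executable, plus an autorun value pointing into that folder. The detection logic below is an added example and is not code from Fortinet or the article; the Sysmon-style records (Event ID 7 image load, Event ID 13 registry value set), usernames, SIDs and benign entries are constructed to mirror the behaviour the article describes.

```python
"""Detection logic for the drop-and-sideload chain described above.

Added example; this is not code from Fortinet or the article. The records
below are constructed Sysmon-style events (Event ID 7 image load, Event ID
13 registry value set) whose values mirror the behaviour the article
describes; the usernames, SIDs and benign entries are invented.
"""
import json
import ntpath
import re

# Drop folder named in the article, a user-writable location under %AppData%.
CHAVECLOAK_DROP_DIR = r"\AppData\Roaming\Skillbrains\lightshot\5.5.0.7"

# Any path under a per-user profile's AppData is writable by that user.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Classic autorun locations: HKLM/HKCU ...\CurrentVersion\Run\<name>
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

# Constructed telemetry, one JSON record per line.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\bob\\AppData\\Roaming\\Skillbrains\\lightshot\\5.5.0.7\\Lightshot.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Roaming\\Skillbrains\\lightshot\\5.5.0.7\\Lightshot.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files\\Notepad++\\notepad++.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Lightshot", "Details": "C:\\Users\\bob\\AppData\\Roaming\\Skillbrains\\lightshot\\5.5.0.7\\Lightshot.exe"}
{"EventID": 13, "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"}
"""


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE_RE.search(path))


def detect_sideload(ev: dict):
    """Unsigned DLL loaded from the same user-writable folder as its host EXE.

    That is the generic shape of a DLL side-load: the loader picks the DLL
    sitting beside the executable before any system copy.
    """
    if ev.get("EventID") != 7:
        return None
    exe, dll = ev["Image"], ev["ImageLoaded"]
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    if same_dir and is_user_writable(dll) and ev.get("Signed", "").lower() != "true":
        return (f"possible DLL side-load: {ntpath.basename(exe)} loaded unsigned "
                f"{ntpath.basename(dll)} from {ntpath.dirname(dll)}")
    return None


def detect_run_persistence(ev: dict):
    """Run-key value whose command points into a user-writable folder."""
    if ev.get("EventID") != 13:
        return None
    target, data = ev.get("TargetObject", ""), ev.get("Details", "")
    if RUN_KEY_RE.search(target) and is_user_writable(data):
        return f"autorun persistence to user-writable path: {target} -> {data}"
    return None


def detect_known_drop_path(ev: dict):
    """Exact-path indicator from the article, as a cheap high-confidence rule."""
    for field in ("Image", "ImageLoaded", "Details"):
        if CHAVECLOAK_DROP_DIR.lower() in ev.get(field, "").lower():
            return f"CHAVECLOAK drop folder referenced in {field}: {ev[field]}"
    return None


RULES = (detect_sideload, detect_run_persistence, detect_known_drop_path)


def scan(text: str):
    """Return (event_id, rule_name, message) for every rule that fires."""
    hits = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((ev["EventID"], rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for event_id, rule_name, msg in scan(SAMPLE_EVENTS):
        print(f"[{event_id}] {rule_name}: {msg}")
```

The two behavioural rules are deliberately independent of the CHAVECLOAK path so they keep firing when the actor renames the folder; the exact-path rule is the cheap, high-confidence complement. On the constructed sample, the benign OneDrive autorun entry (pointing into Program Files) and the system DLL load are not flagged.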

CHAVECLOAK performs several actions on the compromised system, such as blocking the victim's screen, logging keystrokes and displaying deceptive pop-up windows.

Additionally, the malware monitors the victim's activity on specific financial portals, including banks and cryptocurrency (Bitcoin) sites.

Indicators Of Compromise

IP

  • 64[.]225[.]32[.]24

URLs

  • hxxps://webattach.mail.yandex.net/message_part_real/NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUUR[.]zip
  • hxxps://goo[.]su/FTD9owO

Hostnames

  • mariashow[.]ddns[.]net
  • comunidadebet20102[.]hopto[.]org

Files (SHA-256)

  • 51512659f639e2b6e492bba8f956689ac08f792057753705bf4b9273472c72c4
  • 48c9423591ec345fc70f31ba46755b5d225d78049cfb6433a3cb86b4ebb5a028
  • 4ab3024e7660892ce6e8ba2c6366193752f9c0b26beedca05c57dcb684703006
  • 131d2aa44782c8100c563cd5febf49fcb4d26952d7e6e2ef22f805664686ffff
  • 8b39baec4b955e8dfa585d54263fd84fea41a46554621ee46b769a706f6f965c
  • 634542fdd6581dd68b88b994bc2291bf41c60375b21620225a927de35b5620f9
  • 2ca1b23be99b6d46ce1bbd7ed16ea62c900802d8efff1d206bac691342678e55
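The indicators above are defanged (“hxxp”, “[.]”), so they must be refanged before they can be compared with what logs actually contain. The sweep below is an added example, not code from Fortinet or the article: the indicator values are the ones listed above, while the log lines, the file inventory and, in particular, the pairing of a listed hash with a file name are constructed for the demonstration (the article does not say which hash belongs to which file).

```python
"""Refang the indicators above and sweep them across host and network logs.

Added example; not code from Fortinet or the article. The indicator values
are the ones listed in the article. The log lines, the hash inventory and
the pairing of hash to file name are constructed for the demonstration.
"""
import re

DEFANGED_IOCS = {
    "ip": ["64[.]225[.]32[.]24"],
    "url": [
        "hxxps://webattach.mail.yandex.net/message_part_real/NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUUR[.]zip",
        "hxxps://goo[.]su/FTD9owO",
        "hxxp://64[.]225[.]32[.]24/shn/inspecionando.php",
    ],
    "host": ["mariashow[.]ddns[.]net", "comunidadebet20102[.]hopto[.]org"],
    "sha256": [
        "51512659f639e2b6e492bba8f956689ac08f792057753705bf4b9273472c72c4",
        "48c9423591ec345fc70f31ba46755b5d225d78049cfb6433a3cb86b4ebb5a028",
        "4ab3024e7660892ce6e8ba2c6366193752f9c0b26beedca05c57dcb684703006",
        "131d2aa44782c8100c563cd5febf49fcb4d26952d7e6e2ef22f805664686ffff",
        "8b39baec4b955e8dfa585d54263fd84fea41a46554621ee46b769a706f6f965c",
        "634542fdd6581dd68b88b994bc2291bf41c60375b21620225a927de35b5620f9",
        "2ca1b23be99b6d46ce1bbd7ed16ea62c900802d8efff1d206bac691342678e55",
    ],
}

# Constructed key=value log lines (DNS resolver and web proxy).
SAMPLE_LOGS = """
ts=1 src=dns client=10.0.0.23 query=mariashow.ddns.net type=A
ts=2 src=proxy client=10.0.0.23 method=GET url=http://64.225.32.24/shn/inspecionando.php status=200
ts=3 src=dns client=10.0.0.41 query=login.microsoftonline.com type=A
ts=4 src=proxy client=10.0.0.23 method=GET url=https://goo.su/FTD9owO status=302
ts=5 src=proxy client=10.0.0.52 method=GET url=http://64.225.32.24/index.html status=404
"""

# Constructed file inventory: path -> SHA-256. The pairing is invented;
# the article lists hashes without naming the files they belong to.
SAMPLE_INVENTORY = {
    r"C:\Users\bob\Downloads\NotafiscalGFGJKHKHGUURTURTF345.msi":
        "51512659f639e2b6e492bba8f956689ac08f792057753705bf4b9273472c72c4",
    r"C:\Windows\System32\kernel32.dll":
        "0000000000000000000000000000000000000000000000000000000000000000",
}

HOST_IN_URL = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo the usual defanging so the value compares equal to what logs hold."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def build_index(defanged: dict) -> dict:
    """Refang every indicator; hosts, IPs and hashes compare case-insensitively, URL paths do not."""
    index = {}
    for kind, values in defanged.items():
        refanged = [refang(v) for v in values]
        index[kind] = set(refanged) if kind == "url" else {v.lower() for v in refanged}
    return index


def match_log_lines(text: str, index: dict) -> list:
    """Return (ts, field, value, indicator_kind) for each field that hits an indicator."""
    hits = []
    for line in text.strip().splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        for field, value in fields.items():
            kind = None
            if value in index["url"]:
                kind = "url"
            elif value.lower() in index["host"]:
                kind = "host"
            elif value.lower() in index["ip"]:
                kind = "ip"
            else:
                m = HOST_IN_URL.match(value)
                if m and m.group(1).lower() in (index["host"] | index["ip"]):
                    kind = "host-in-url"  # unknown path on a known C2 server
            if kind:
                hits.append((fields.get("ts"), field, value, kind))
    return hits


def match_hashes(inventory: dict, index: dict) -> list:
    """Return (path, sha256) for every file whose hash is a listed indicator."""
    return [(p, h) for p, h in inventory.items() if h.lower() in index["sha256"]]


if __name__ == "__main__":
    idx = build_index(DEFANGED_IOCS)
    for hit in match_log_lines(SAMPLE_LOGS, idx):
        print("network hit:", hit)
    for hit in match_hashes(SAMPLE_INVENTORY, idx):
        print("file hit:", hit)
```

The host-in-url rule matters in practice: a request to a different path on 64.225.32.24 is still traffic to the listed C2 server, and an exact-URL match alone would miss it. URL paths are kept case-sensitive because the goo.su shortlink path is.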


Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy and APT threats.