A new banking trojan dubbed maxtrilha (due to its encryption key) has been discovered in the last few days and targeting customers of European and South American banks.
The new maxtrilha trojan is being disseminated and targeting several banks around the world.
Criminals are constantly creating variants of popular banking trojans, keeping in mind the same modus operandi but changing the malware internals and its capabilities making it a fully undetectable (FUD) weapon.
The recent campaign have been disseminated in Latin America but also extended to Europe and Portugal. The campaign has been leveraged by Brazilian criminals’ gangue, who use customized phishing templates to spread the trojan maxtrilha according to the target country.
The malware samples disseminated in Portugal open a legitimate webpage from Autoridade Tributária e Aduaneira – Finanças to lure the victims during the execution of the 1st stage. After that, the malware creates persistence, disables Internet Explorer security settings to facilitate the download of the 2nd stage from the Internet. In short, the 2nd stage – maxtrilha trojan – checks or creates persistence when executed on the target machine, uses a mechanism of capturing details from opened foreground windows matching its name with specific hardcoded strings related to banking companies, launches banking windows overlay, can deploy new payloads and communicates with the C2 server in real-time.
The maxtrilha trojan was developed in Delphi language, it’s an x64 binary, and it can bypass AV and EDRs systems – at least until the moment of its analysis.
Figure 1: High-level diagram of maxtrilha banking trojan.
- Maxtrilha has been disseminated via crafted phishing templates by country.
- The maxtrilha 1st stage – the loader – opens a legitimate service previously presented on the phishing template to lure victims during its execution.
- The 1st stage creates persistence on the infected machine, disables Internet Explorer security settings and accepted extensions to facilitate the download of the 2nd stage.
- Maxtrilha trojan – 2nd stage – checks or creates persistence on the machine, installs or modifies Windows trusted certificates, checks by opening windows to perform banking windows overlay to steal credentials and can deploy additional payloads executed via DLL injection technique.
- The victims’ data is encrypted and sent to the C2 server geolocated in Russia.
In this section, we are going through the details of maxtrilha malware, analyzing step-by-step this banking trojan, how it operates, and what kind of data is exfiltrated. Figure 2 shows the phishing template disseminated in Portugal that impersonates the Autoridade Tributária e Aduaneira – Finanças to lure victims to download the maxtrilha 1st stage (the loader).
Figure 2: Maxtrilha phishing template disseminated in Portugal and impersonating the Autoridade Tributária e Aduaneira – Finanças | h/t @MiguelSantareno
As observed below, the “cld.]pt” domain have been used to host several malicious campaigns during 2021, including the maxtrilha malware wave. The full list can be found at the end of the analysis.
Figure 3: Malicious .PT domain used to distribute campaigns in the wild during 2021, including the maxtrilha malware wave.
Maxtrilha loader– the 1st stage
Filename: PdF.exe / MSITrueColor.exe
Creation date: 2021-09-06 09:20:49
The first alert on this banking trojan was triggered on the 0xSI_f33d.The maxtrilha loader is customized by criminals according to the target country, and it performs some tasks in advance, namely:
- Opens a target legitimate page during its execution via a hardcoded short URL
- Creates persistence on the target machine
- Disables IE security settings; and
- Downloads the maxtrilha 2nd stage.
As presented in Figure 4, several samples have been distributed in the wild last few days, impersonating different organizations in different countries.
Figure 4: Maxtrilha samples disseminated in August and September 2021.
As mentioned, a specific short URL is hardcoded inside each loader, depending on the target country. In the case of the maxtrilha loader disseminated in Portugal, it uses the TinyURL online service, which is opened during the malware execution by the default web browser installed and available on the victim machine. The short URL points to a specific page related to the phishing template (see Figure 2) to lure victims.
Figure 5: A short URL is opened via a default web browser which redirects the victim to a legitimate service.
In another sample also disseminated in Portugal, we found a different hardcoded string instead of the short URL. This specific domain is cached on Google and redirects the victim to the authentication page. With this trick in place, criminals can bypass some security agents.
Figure 6: Specific hardcoded URL found inside the maxtrilha samples disseminated in Portugal.
In detail, we found some samples distributing the threat in Portugal, Spain, and Mexico as observed below.
Figure 7: Legitimate portals used to lure the victims during the maxtrilha execution in Portugal, Spain, and Mexico.
After running the executable, it opens the target page to lure victims while it creates persistence, disables IE security settings, and downloads the 2nd stage into the %Public% folder.
As mentioned, the bait page is opened based on the TinyURL short URLs hardcoded inside each binary.
Figure 8: Legitimate page opened during the malware execution (Portuguese sample).
After showing the authentication page, the trojan performs specific tasks in the background. The first step is to modify software policy settings, namely the Windows trusted certificates to acts later as a proxy agent. Both the binaries, 1st stage, and 2nd stage perform this operation at runtime:”PdF.exe” (Access type: “CREATE”; Path: “SOFTWAREPOLICIESMICROSOFTSYSTEMCERTIFICATESCA”)”PdF.exe” (Access type: “CREATE”; Path: “SOFTWAREPOLICIESMICROSOFTSYSTEMCERTIFICATESDISALLOWED”)”PdF.exe” (Access type: “CREATE”; Path: “SOFTWAREPOLICIESMICROSOFTSYSTEMCERTIFICATESTRUST”)”PdF.exe” (Access type: “CREATE”; Path: “SOFTWAREPOLICIESMICROSOFTSYSTEMCERTIFICATESTRUSTEDPEOPLE”)”PdF.exe” (Access type: “CREATE”; Path: “SOFTWAREPOLICIESMICROSOFTSYSTEMCERTIFICATESROOT”)”MSITrueColor.exe” (Access type: “CREATE”; Path: “SOFTWAREPOLICIESMICROSOFTSYSTEMCERTIFICATESCA”)”MSITrueColor.exe” (Access type: “CREATE”; Path: “SOFTWAREPOLICIESMICROSOFTSYSTEMCERTIFICATESDISALLOWED”)”MSITrueColor.exe” (Access type: “CREATE”; Path: “SOFTWAREPOLICIESMICROSOFTSYSTEMCERTIFICATESROOT”)”MSITrueColor.exe” (Access type: “CREATE”; Path: “SOFTWAREPOLICIESMICROSOFTSYSTEMCERTIFICATESTRUSTEDPEOPLE”)”MSITrueColor.exe” (Access type: “CREATE”; Path: “SOFTWAREPOLICIESMICROSOFTSYSTEMCERTIFICATESTRUST”)
Next, also the Internet Explorer security settings are changed to facilitate the download of the 2nd stage without any restriction:Queries sensitive IE security settings:”iexplore.exe” (Path: “HKCUSOFTWAREMICROSOFTINTERNET EXPLORERSECURITY”; Key: “DISABLESECURITYSETTINGSCHECK”)”IEXPLORE.EXE” (Path: “HKCUSOFTWAREMICROSOFTINTERNET EXPLORERSECURITY”; Key: “DISABLESECURITYSETTINGSCHECK”)Queries the display settings of system associated file extensions:”iexplore.exe” (Access type: “QUERYVAL”; Path: “HKLMSOFTWARECLASSESSYSTEMFILEASSOCIATIONS.EXE”; Key: “NEVERSHOWEXT”)”iexplore.exe” (Access type: “QUERYVAL”; Path: “HKLMSOFTWARECLASSESSYSTEMFILEASSOCIATIONS.EXE”; Key: “ALWAYSSHOWEXT”)
The loader has the capacity of selecting the name of the target file to download; these names are hardcoded in a list with well-known music songs as observed in Figure 9 below. Finally, the 2nd stage is download from the “sageprototypego.]pt/sept/cult.mp4” domain path into the %Public% folder and the binary path added to the Windows registry.
Figure 9: Maxtrilha 2nd stage downloaded from the Internet based on target hardcoded strings.
Figure 10: Maxtrilha 2nd stage is launched every time from the Windows %Public% folder.
Maxtrilha campaign – A possible kill switch
As a way of preventing further infections through this campaign, the domain from which the 2nd stage is downloaded has been decommissioned, and when the loader tries to unload the binary, it will go into an error loop because it cannot find and inject the new binary into memory (sageprototypego.]pt).
Figure 11: Possible kill switch of maxtrilha trojan (1st stage – loader).
Maxtrilha trojan banker – the final stage
Filename: Telegram.exe / MSITrueColor.exe /cult.mp4 / roddy_ricch.mp3
Creation date: 2021-09-06 09:06:20
Criminals are constantly creating new ways to make their malicious arsenal FUD. In this case, the maxtrilha trojan, an x64 Delphi binary is not detected as malicious on VirusTotal, allowing to infect a large volume of machines around the world during this campaign.
Figure 12: Maxtrilha trojan 100% FUD, bypassing, thus part of the AVs and EDR systems.
When the binary is executed, it performs some tasks, including:
- Uses the invertexto.]com online service to check the Internet connection and to get the victims’ IP address and their geolocation. Then, it creates the PHP files dynamically on the C2 served based on the victims’ IP addresses.
- Checks or creates persistence on the Windows registry.
- Performs monitoring on the user navigation finding by targeting banking portals hardcoded inside the binary.
- Retrieve commands from the C2 server and sent the gathered data.
- It can also deploy additional payloads executed via the DLL injection technique.
Figure 13: Maxtrilha checks by Internet connection and adds the binary path to the Windows registry (persistence technique).
Interestingly, the invertexto.]com service is being used by the maxtrilha trojan creators to obtain victims’ IP addresses and at the same time to check by Internet connection. On a VirusTotal screen, we can see maxtrilha samples communicating with this address in the last few days.
Figure 14: Maxtrilha samples communicating with the legitimate service to validate Internet connection and get the victims’ IP addresses.
During the malware activity, the binary is in a thread loop monitoring Internet browser windows, and matching the opened pages with hardcoded strings, namely substrings related to banks in Latin America and Europe, including Portugal.
Figure 15: Target banks impacted by maxtrilha trojan.
When the string matches, then the malware communicates with the C2 server geolocated in Russia to perform the following operations:
- It sends initial data related to the machine (hostname) and IP address.
- C2 server receives this information from the index.php page, and creates some PHP pages that will allow communication (each victim have specific pages based on their IP address)
With this trick in place, criminals can maintain the thread more invisible as each victim has its specific pages hosted on the same IP addresses.
In detail, some configurations are also obtained from a “webcindario.]com” subdomain, not available at the moment of analyzis.
Figure 16: Additional configuration retrieved from the webcindario.com sub domain.
The next image shows the moment the trojan gets the windows name via “GetWindowsTextW()” call, and the beginning of the C2 communication with the strings fully encrypted.
Figure 17: Maxtrilha C2 communication.
In detail, the “maxtrilha123” key is used to encrypt the clear-text strings in a binary operation each time the trojan sends information to the C2 server.
Figure 18: Pseudo-code of the encryption algorithm used by maxtrilha.
In another attempt to run the binary, we can see that a similar string is sent; different due to the timestamp the request was sent. This first server request then creates PHP pages on the server-side based on the victim’s IP address.
Additional data is sent to the C2 server related to the page the victim is browsing.
Figure 19: Maxtrilha trojan creating the victim’s PHP pages on the C2 server to perform further communication.
Maxtrilha uses API hashing and introduces well-known calls to perform DLL injection. This technique is then used to deploy additional payloads during the malware execution.
Figure 20: API hashing calls and DLL injection technique found on the binary to probably execute additional payloads at runtime based on specific operations listed below.– opcao = 1 — opcao = 2 — opcao = 3 — opcao = 4 — opcao = 5 –
The malware will also send the name of the foreground windows the user is opened to the C2 server. In this case, if for example some of those windows are on a blacklist (x64db, IDA, etc), the trojan may terminate its execution.
As observed below, the two C2 servers hardcoded inside the maxtrilha binary are geolocated in Russia.
Figure 21: Maxtrilha C2 servers geolocated in Russia.
Nowadays, we are facing a growing of Brazilian trojans at a very high speed. Each one of them with its peculiarities, TTPs, etc. With this in mind, criminals achieve a FUD condition that allows them to avoid detection and impact a large number of users around the world.
In this sense, monitoring these types of IoCs is a crucial point now, as it is expected that in the coming weeks or months new infections or waves can appear.
Indicators of Compromise (IoCs) and Mitre Att&ck Matrix are available in the Original post @ https://seguranca-informatica.pt/the-new-maxtrilha-trojan-is-being-disseminated-and-targeting-several-banks/#.YT7gro4zY2x
Thank you to all who have contributed:
About the author Pedro Tavares:
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the security computer blog seguranca–informatica.pt.
(SecurityAffairs – hacking, FIN8)