Phishing Tactics: CHAVECLOAK Banking Trojan's New Target

admin, 2024-03-12 13:48:40

Users in Brazil are the target of a new banking trojan known as CHAVECLOAK that's propagated via phishing emails bearing PDF attachments.

"This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final malware," Fortinet FortiGuard Labs researcher Cara Lin said.

The attack chain involves the use of contract-themed DocuSign lures to trick users into opening PDF files containing a button to read and sign the documents.

In reality, clicking the button leads to the retrieval of an installer file from a remote link that's shortened using the Goo.su URL shortening service.

Present within the installer is an executable named "Lightshot.exe" that leverages DLL side-loading to load "Lightshot.dll," which is the CHAVECLOAK malware that facilitates the theft of sensitive information.

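To make the side-loading step just described detectable rather than only describable, here is an added example (not code from the article or from Fortinet) that applies a simple heuristic to Sysmon Event ID 7 "Image loaded" records: a process running from a user-writable directory loads an unsigned DLL sitting in the same directory as the executable. The records are constructed to mirror the Lightshot.exe / Lightshot.dll pairing; field names (Image, ImageLoaded, Signed, SignatureStatus) follow Sysmon's event schema, and the list of user-writable directory prefixes is an assumption to tune per environment.

```python
"""Heuristic DLL side-loading detector over Sysmon Event ID 7 (Image loaded) records."""
from typing import Optional
import ntpath

# Directories an unprivileged user can write to. A signed executable running from
# here that loads an unsigned DLL beside itself is the Lightshot.exe -> Lightshot.dll
# pattern described above; in Program Files, planting that DLL needs admin rights.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def is_user_writable(directory: str) -> bool:
    return directory.lower().startswith(USER_WRITABLE_PREFIXES)

def flag_sideload(event: dict) -> Optional[str]:
    """Return an alert string when the load looks like side-loading, else None."""
    image, loaded = event["Image"], event["ImageLoaded"]
    if not loaded.lower().endswith(".dll"):
        return None
    exe_dir = ntpath.dirname(image).lower()
    dll_dir = ntpath.dirname(loaded).lower()
    if exe_dir != dll_dir:
        return None  # resolved from System32 or elsewhere, not from the EXE's folder
    if not is_user_writable(exe_dir):
        return None
    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus") == "Valid")
    if signed_ok:
        return None  # a validly signed DLL shipped next to its EXE is normal packaging
    return (f"{ntpath.basename(image)} loaded unsigned {ntpath.basename(loaded)} "
            f"from user-writable directory {dll_dir}")

def scan(events) -> list:
    """Run the heuristic over a batch of events and keep only the alerts."""
    return [hit for hit in (flag_sideload(e) for e in events) if hit]

# Constructed Sysmon-style records for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\Lightshot\\Lightshot.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\Lightshot\\Lightshot.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\Lightshot\\Lightshot.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\app.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Only the first record fires: the kernel32.dll load comes from System32, and the Program Files case is excluded because writing there already requires elevated rights.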
This includes gathering system metadata and running checks to determine whether the compromised machine is located in Brazil and, if so, periodically monitoring the foreground window to compare it against a predefined list of bank-related strings.

If it matches, a connection is established with a command-and-control (C2) server and proceeds to harvest various kinds of information and exfiltrate them to distinct endpoints on the server depending on the financial institution.

"The malware facilitates various actions to steal a victim's credentials, such as allowing the operator to block the victim's screen, log keystrokes, and display deceptive pop-up windows," Lin said.

"The malware actively monitors the victim's access to specific financial portals, including several banks and Mercado Bitcoin, which encompasses both traditional banking and cryptocurrency platforms."

Fortinet said it also uncovered a Delphi variant of CHAVECLOAK, once again highlighting the prevalence of Delphi-based malware targeting Latin America.

"The emergence of the CHAVECLOAK banking Trojan underscores the evolving landscape of cyberthreats targeting the financial sector, specifically focusing on users in Brazil," Lin concluded.

The findings come amid an ongoing mobile banking fraud campaign against the U.K., Spain, and Italy that entails using smishing and vishing (i.e., SMS and voice phishing) tactics to deploy an Android malware called Copybara with the goal of performing unauthorized banking transfers to a network of bank accounts operated by money mules.

"TAs [Threat actors] have been caught using a structured way of managing all the ongoing phishing campaigns via a centralized web panel known as 'Mr. Robot,'" Cleafy said in a report published last week.

"With this panel, TAs can enable and manage multiple phishing campaigns (against different financial institutions) based on their needs."

The C2 framework also allows attackers to orchestrate tailored attacks on distinct financial institutions using phishing kits that are engineered to mimic the user interface of the targeted entity, while also adopting anti-detection methods via geofencing and device fingerprinting to limit connections only from mobile devices.

The phishing kit – which serves as a fake login page – is responsible for capturing retail banking customer credentials and phone numbers and sending the details to a Telegram group.

Some of the malicious infrastructure used for the campaign is designed to deliver Copybara, which is managed using a C2 panel named JOKER RAT that displays all the infected devices and their geographical distribution over a live map.

It also allows the threat actors to remotely interact in real-time with an infected device using a VNC module, in addition to injecting fake overlays on top of banking apps to siphon credentials, logging keystrokes by abusing Android's accessibility services, and intercepting SMS messages.

On top of that, JOKER RAT comes with an APK builder that makes it possible to customize the rogue app's name, package name, and icons.

"Another feature available inside the panel is the 'Push Notification,' probably used to send to the infected devices fake push notifications that look like a bank notification to entice the user to open the bank's app in such a way that the malware can steal credentials," Cleafy researchers Francesco Iubatti and Federico Valentini said.

The growing sophistication of on-device fraud (ODF) schemes is further evidenced by a recently disclosed TeaBot (aka Anatsa) campaign that managed to infiltrate the Google Play Store under the guise of PDF reader apps.

"This application serves as a dropper, facilitating the download of a banking trojan of the TeaBot family through multiple stages," Iubatti said. "Before downloading the banking trojan, the dropper performs advanced evasion techniques, including obfuscation and file deletion, alongside multiple checks about the victim countries."

References

[1]https://thehackernews.com/2024/03/new-banking-trojan-chavecloak-targets.html

Originally published on the WeChat public account 知机安全: Phishing Tactics: CHAVECLOAK Banking Trojan's New Target

When reposting, please keep this article's link (CN-SEC 中文网: thanks to the original author for their hard work): https://cn-sec.com/archives/2569393.html