Spyware Chrome extension campaign targeting Brazil
SonicWall has been observing a campaign targeting Brazil that involves a malicious PDF file. The attack begins when a user receives the malicious PDF as an attachment to a legitimate-looking email.
Scripts are now very prominently used by attackers to deliver the final payload. In this campaign too, scripts are used in stages to deliver the payload, which is spyware.
The spyware is installed on the victim's system as a Google Chrome extension. The following image depicts the infection cycle:
Fig 1. Malware infection cycle
At the time of analysis, the malicious PDF file was not detected by any of the AV vendors on VirusTotal, which indicates the effectiveness of the RTDMI engine.
Fig 2. The PDF file detection in VirusTotal.
The malicious PDF file lures the victim into downloading the next-stage malicious file with text pretending to be an image. To go unnoticed, the PDF uses a short URL, “hxxp://bit.ly/2XfBhuA”, which expands to “hxxps://www.dropbox.com/s/dl/5nepym179xr7ehz/Fotos%20L-nn-2002-0711.vbs.zip”, as shown below:
Fig 3. Crafted PDF content.
On clicking the image, an archive file is downloaded to the victim's system from Dropbox.
The downloaded archive contains a VBS script which, when executed, connects to a C&C server (hxxp://desenvolveangar.info/?tgow=shuran&). The C&C server has a mechanism to identify whether a request comes from a bot or an automated analysis system: only if the HTTP request carries the header “USER-AGENT: COOLDOWN” and the data “Z” is the next-stage malicious file (encoded to evade detection) sent; otherwise the request is served an image file, as shown below:
Fig 4. Malware using specific User-Agent and data
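The User-Agent gate described above is also a usable network indicator. The following Python script is an added example written for this article, not code from SonicWall or from the malware; it scans constructed proxy log lines (the sample entries, the log format and the field names are assumptions) for requests to the C&C host named in the report and for the “COOLDOWN” User-Agent, and reports each hit with the reason it matched.

```python
"""Flag proxy log entries matching the C&C beacon described in the report."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators taken from the report (defanged hxxp:// rewritten to a bare host).
CC_HOST = "desenvolveangar.info"
CC_USER_AGENT = "COOLDOWN"

# Constructed sample proxy log (not real traffic). Assumed line format:
# <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
2019-05-02T10:01:12Z 10.0.0.15 GET http://www.example.com/index.html 200 "Mozilla/5.0"
2019-05-02T10:03:41Z 10.0.0.22 POST http://desenvolveangar.info/?tgow=shuran& 200 "COOLDOWN"
2019-05-02T10:03:55Z 10.0.0.22 GET http://desenvolveangar.info/?tgow=shuran& 200 "Mozilla/5.0"
2019-05-02T10:05:09Z 10.0.0.31 GET http://update.example.net/check 304 "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; return None for lines that do not fit the format."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the list of indicator names that this entry matches (empty if benign)."""
    reasons: List[str] = []
    host = urlsplit(entry["url"]).hostname or ""
    if host.lower() == CC_HOST:
        # Any contact with the C&C host is worth a look, even when the server
        # answers with the decoy image because the User-Agent did not match.
        reasons.append("c2-host")
    if entry["ua"].strip().upper() == CC_USER_AGENT:
        # The exact User-Agent the server requires before it serves the payload.
        reasons.append("c2-user-agent")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Run every parseable line through classify() and collect the hits."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({"ts": entry["ts"], "client": entry["client"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], ", ".join(hit["reasons"]))
```

Running the script on the embedded sample reports two entries from 10.0.0.22: the beacon that carried the “COOLDOWN” User-Agent and the later plain request to the same host. Matching on the host independently of the User-Agent is deliberate, since a request that was served the decoy image still came from an infected client.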
The code snippet below depicts how the reverse-formatted script is decoded and executed:
Analysis of the downloaded VBS script
The VBS script uses multiple components on the victim's system to achieve its goal.
To avoid reinfection, the VBS script first checks for the presence of a file named “125x” in the “%UserProfile%” directory. If the file is present, execution of the script is terminated. Otherwise, a file with that name is created in the “%UserProfile%” directory and 6 bytes of data are written to it, as shown below:
Fig 5. “125x” file content
The script makes extensive use of the sleep method, which can render available sandboxing and emulation technologies futile. It uses the Windows Management Instrumentation (WMI) framework to collect the victim's system information, as shown in the table below:
Table 1. WMI queries and Objects used by the script
At present, the malware appears to be written to target users in a specific country: the stolen data is sent back to the C&C server only if the victim is from Brazil. The victim's country is verified by checking the country code (“55” for Brazil).
Fig 6. System information sent to the C&C server
A batch script is then dropped to the file system and executed. It first deletes the existing Google Chrome shortcuts and then creates malformed Google Chrome shortcuts that launch the malicious VBS script.
The batch script lowers the web browser's security by modifying the Internet site zone settings. To remove traces of the infection from the system, the script later deletes itself.
The malware then checks for the presence of a file named “utg.zip” in the “%UserProfile%” directory. This archive contains the Chrome extension. To ensure an up-to-date extension is present on the victim's system, it first deletes the archive and then downloads it again from the C&C server.
The malware continues its data collection and other activities. It collects data such as the system's manufacturer, model, and network adapter configuration caption and description, which is later sent to the C&C server, as shown below:
Fig 7. C&C sends URL to download chrome extension
If the C&C server determines that the malware is running inside a virtual environment, it instructs the malware to stop execution by sending the word “bit” in the response data. Otherwise, the final payload URL is sent back to the victim.
The malware uses a VBS code snippet from “hxxp://pastebin.com/raw/kXaRaqSu” to download the final payload, an archive containing the Chrome extension, as shown below:
Fig 8. Code snippet from Pastebin.com
The malware checks for the presence of the file “%UserProfile%\Chrome\1.9.6\6.js” inside the archive and notifies the C&C server if the file is found, as shown below:
Fig 9. Archive contents (Chrome Extension)
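The three file artifacts named so far (the “125x” reinfection marker with its 6 bytes, the “utg.zip” extension archive, and the “Chrome\1.9.6\6.js” extension script under “%UserProfile%”) give an incident responder a quick host triage check. The following Python script is an added example for this article, not code from SonicWall; it assumes the archive has been unpacked directly under the profile directory, and the demo profile it builds uses constructed placeholder file contents rather than anything from the real samples.

```python
"""Triage a Windows user profile directory for the file artifacts named in the report."""
import os
import tempfile
from pathlib import Path
from typing import Dict

# Artifact locations relative to %UserProfile%, as named in the report.
MARKER_FILE = "125x"                                   # reinfection marker written by the VBS
EXTENSION_ARCHIVE = "utg.zip"                          # archive holding the Chrome extension
EXTENSION_SCRIPT = Path("Chrome") / "1.9.6" / "6.js"   # extension script (assumed unpacked here)
MARKER_SIZE = 6                                        # the report states 6 bytes are written


def triage_profile(profile_dir: str) -> Dict[str, dict]:
    """Return the artifacts present under profile_dir, keyed by artifact name (empty if clean)."""
    profile = Path(profile_dir)
    findings: Dict[str, dict] = {}

    marker = profile / MARKER_FILE
    if marker.is_file():
        size = marker.stat().st_size
        findings["marker_file"] = {
            "path": str(marker),
            "size": size,
            # A marker of another size may still be worth a look, but 6 bytes matches the report.
            "size_matches_report": size == MARKER_SIZE,
        }

    archive = profile / EXTENSION_ARCHIVE
    if archive.is_file():
        findings["extension_archive"] = {"path": str(archive), "size": archive.stat().st_size}

    script = profile / EXTENSION_SCRIPT
    if script.is_file():
        findings["extension_script"] = {"path": str(script), "size": script.stat().st_size}

    return findings


def build_demo_profile(infected: bool = True) -> str:
    """Create a throwaway directory that mimics %UserProfile% with constructed placeholder files."""
    root = tempfile.mkdtemp(prefix="profile-demo-")
    if infected:
        # Constructed content: the real marker bytes are not reproduced here.
        (Path(root) / MARKER_FILE).write_bytes(b"\x00" * MARKER_SIZE)
        # A minimal empty zip (end-of-central-directory record only) stands in for utg.zip.
        (Path(root) / EXTENSION_ARCHIVE).write_bytes(b"PK\x05\x06" + b"\x00" * 18)
        script = Path(root) / EXTENSION_SCRIPT
        script.parent.mkdir(parents=True)
        script.write_text("// constructed placeholder, not the real extension script\n")
    return root


if __name__ == "__main__":
    demo = build_demo_profile(infected=True)
    print("demo profile:", triage_profile(demo))
    real_profile = os.environ.get("USERPROFILE") or str(Path.home())
    print("current profile:", triage_profile(real_profile) or "no artifacts found")
```

Because the check is purely file-based it can be run against a mounted disk image as easily as a live host; pass the mounted profile path in place of the current user's profile.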
A JSON-based manifest file, “manifest.json”, which contains metadata about the extension, is then modified by the malware as shown below:
Fig 10. Original and modified manifest.json file
Extension detail information
- Manifest.json file
This manifest file contains metadata about the extension. Its important fields are described below.
Table 2. Manifest.json file
- JS file hash
Table 3. JS file names and their hashes
Evidence of detection by the RTDMI engine can be seen below in the Capture ATP report for this file:
Fig 11. Capture ATP report snapshot