Cybercriminals are using legitimate VMware binary to spread banking trojans in a new phishing campaign targeting the Brazilian financial sector.
The trojan uses an authentic VMware binary to deceive security tools into accepting errant activity and to bypass security checks because if the initial binary, such as vm.png, is accepted, then the security tools assume that subsequent libraries will also be trustworthy, according to a Cisco Talos report.
“Using a legitimate & signed DLL from VMware allows the malware to potentially run undetected by using a technique known as DLL side loading which allows the legitimate DLL to load a malicious DLL in memory,” Cisco researchers told SC Media. The malware is also packed with the Themida commercial packet which makes it difficult to analyze, they said.
Once the trojan has masqueraded as a legitimate process, it then uses a wide range of techniques to stay hidden with the goal of stealing banking credentials from the user. The malware's attempts to avoid detection using multiple layers of obfuscation and DLL side loading in make the malware particularly dangerous, the researchers explained.
Attackers send victims spam messages written in Portuguese enticing them to open a Boleto invoice, a popular Brazilian payment method. The phishing emails contains a file with a URL that redirects users to a goo.gl URL shortener, then sends them to a RAR library that contains a JAR file, researchers said in the post.
If a victim double-clicks the JAR file, it triggers a Java process that initializes malicious code and installs the banking Trojan. Cisco researchers said the malware is specific to Brazilian banks and is unlikely to pivot outside the country. Although the trojan is specific to the region, it doesn't mean the attacker lives there but rather suggests attackers decided there are less security conscious users living in the targeted area.