Fileless Banking Trojan Targeting Brazilian Banks Downloads Possible Botnet Capability, Info Stealers (Mar 4, 2019)
Researchers from Trend Micro observed a fileless malware campaign that installed a banking trojan and an information stealer on machines associated with the Brazilian banks Banco Bradesco, Banco do Brasil, and Sicredi. Once the first trojan infects a machine, it downloads and executes PowerShell code that drops .LNK files into the machine's Startup folder and forces a restart. After reboot, a lock screen appears that imitates a legitimate logon screen but is malicious; its purpose is to trick the user into entering their system username and password. The malware then sends the captured credentials to the threat actor's Command and Control (C2) server. A second trojan is then launched that attempts to open Microsoft Outlook and harvest any email addresses stored in it; if Outlook is not present on the machine, that step is skipped. The "RADMIN" malware is also installed to obtain administrative privileges, monitor the user's screen activity, and spread within the network. The final payload is a banking trojan. The largest numbers of infections were observed in Brazil and Taiwan.
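The persistence step described above (PowerShell writing .LNK files into a Startup folder before forcing a reboot) is a useful detection point. The following is an added example, not code from the Trend Micro report, that flags file-creation records where a PowerShell host wrote a .LNK into either the per-user or the all-users Startup folder; the event records are constructed, Sysmon-style samples with assumed field names (`image`, `target`).

```python
import re
from pathlib import PureWindowsPath

# Constructed file-creation records (not real telemetry):
# image = process that created the file, target = path written.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target": r"C:\Users\ana\AppData\Local\Microsoft\Outlook\ana.ost"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\ana\Desktop\report.lnk"},
    {"image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svc.LNK"},
]

# Both the per-user (AppData\Roaming) and all-users (ProgramData) Startup
# folders end with this tail; match it case-insensitively.
STARTUP_TAIL = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.lnk$",
    re.IGNORECASE)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def is_startup_lnk_dropped_by_powershell(event):
    """True when a PowerShell host process wrote a .LNK into a Startup folder."""
    image_name = PureWindowsPath(event["image"]).name.lower()
    if image_name not in POWERSHELL_IMAGES:
        return False
    return STARTUP_TAIL.search(event["target"]) is not None


def find_suspicious(events):
    """Return the target paths of all matching events, preserving order."""
    return [e["target"] for e in events if is_startup_lnk_dropped_by_powershell(e)]


if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_EVENTS):
        print("Startup .LNK written by PowerShell:", path)
```

Legitimate software rarely creates Startup shortcuts from a PowerShell host, so hits from this rule are worth triaging even before the reboot and fake logon screen occur.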
Recommendation: Ensure that your company's firewall blocks all entry points for unauthorised users, and maintain records of what normal traffic looks like on your network. This makes it easier to spot unusual traffic and connections to and from your network and so identify potentially malicious activity.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.