{"id":6947,"date":"2021-09-02T16:02:08","date_gmt":"2021-09-02T23:02:08","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6947"},"modified":"2024-08-07T12:19:20","modified_gmt":"2024-08-07T19:19:20","slug":"new-malware-capturador-hijacker","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/malicious-activity-reports\/new-malware-capturador-hijacker\/","title":{"rendered":"New Malware: Capturador Hijacker"},"content":{"rendered":"

Author: Ma\u00ebl Le Touz<\/strong><\/h3>\n

 <\/p>\n

1. Executive Summary<\/h3>\n

Since 1 September, we have been tracking a malspam campaign distributing malware that we have not previously observed and has not been publicly reported on in the industry. The malware is a hijacker that we have named Capturador, and we believe that the campaign has been targeting speakers of Portuguese and small- and medium-sized Brazilian companies. The campaign\u2019s emails contain RAR archives as attachments and, in the subject lines, reference budget requests and incoming invoices. <\/p>\n

2. Attack Chain<\/h3>\n

After decompressing the attachment, the victim is presented with a .lnk (LNK) file. Normally, LNK files are created by Microsoft Windows when a user creates a shortcut to a program or folder. Malspam actors have taken advantage of this feature by creating LNK files that contain URLs to a location of their choosing\u2014in the case of Capturador, to an Amazon Web Services (AWS) page that hosts a single malware installer packaged as a .msi (MSI) file:<\/p>\n

\"\"<\/a><\/p>\n

When the victim clicks the LNK file, Windows connects to the payload server, downloads the malware installer to a system folder, and executes it by using Microsoft Installer (msiexec.exe):
\n\"\"<\/a><\/p>\n

The malware is packaged in an archive MSI file that contains two TOR executables, a PowerShell script, a custom PE32 executable, several DLLs, and a .config file. The DLLs are legitimate extensions for software libraries. TOR.exe is the main application for the Tor network; it allows individuals and machines to communicate with each other off the main internet, on an encrypted peer-to-peer network.<\/p>\n

\"\"<\/a>
\n2.1. capturador.exe<\/b>
\nThe capturador.exe executable is a 32-bit Windows application written in the version of .NET that requires version 4.7.2 of the .NET framework. On execution, capturador.exe displays a window that looks similar to the login screen for Banco do Brasil: <\/p>\n

\"\"<\/a><\/p>\n

The actors thus attempt to trick the victim into typing the credentials and 2FA code within their application rather than a secure browser session with Banco do Brasil.<\/p>\n

2.2. ScrrDBBD.ps1<\/b><\/p>\n

This script is the entrypoint for the configuration and activation of the malware. Once the MSI file is unpacked and executed, ScrrDBBD.ps1 renames and hides the downloaded items, creates a service port on the local machine and gets it ready for Tor operations, creates a VBS artifact, executes it through another LNK file and the WScript utility bundled with Windows, and then sends the following back to the actors\u2019 command and control (C&C): <\/p>\n