New BlackDog malware: Man-in-the-Browser malware campaign targeting Mexico

BlackDog Logo


Between the last week of June and the third one of August, SCILabs identified a new malware campaign  which is being distributed through phishing emails under the pretext of supposed invoices to perform Man-in-the-Browser attacks using domains such as kawaitravelmexico[.]com and facturamx[.]club supplanting the Servicio de Administración Tributaria (SAT) in Mexico and impersonating sites like hxxp[:]//www[.]sat[.]gob[.]mx.

Its main objective is to steal information from users of financial institutions, by injecting code into the Chrome browser, via a malicious extension.

During about five weeks, SCILabs has continued monitoring activities and identified mainly two variants of this campaign that, due to its characteristics, we named BlackDog. SCILabs carried out multiple investigations to determine if there is any relationship between this malware and other families like Magnant, BokBot, Chaes, and Kronos; however, we found no relationship between them.

Finally, it is essential to mention that the artifacts identified by SCILabs used in the infection chain have a low detection rate by antivirus solutions in the VirusTotal platform.

How could it affect an organization?

The main objective of this campaign is to perform a Man-in-The-Browser attack to steal banking information from all types of users. During the infection chain, the attackers could use the droppers identified by SCILabs to download more dangerous malware like ransomware.

If an attack by this malware is successful, it could cause economic and reputation losses; additionally, cybercriminals could misuse the obtained data by leaking or selling it on underground forums or on the black market.


Threat Context of the first campaign analyzed in June 2022

SCILabs identified, in open sources, the facturamx[.]club domain simulating to be a billing site from Mexico and when carrying out the investigation we recovered the artifact with which the chain of infection began.

The first malicious artifact identified by SCILabs was feb.hta, downloaded from facturemx[.]mx/feb.hta and corresponds to an HTML template with an embedded VBS-type obfuscated script.

First stage of malware

Figure 1 – First stage of the malware (HTA file)

If the victim opens the .hta file, it runs an obfuscated PowerShell script that aims to download and execute the third stage of the malware.

Obfuscated PowerShell script

Figure 2 – Obfuscated PowerShell script – Second stage of the malware

The malware creates a scheduled task to execute the file corresponding to the third stage of infection, which is an obfuscated .jse (JScript Encoded Script Format) type file, that aims to generate persistence and download the artifacts of the fourth stage of the attack.

Schedule task to execute the third stage of malware

Figure 3 – Schedule task to execute the third stage of the malware


Third stage of malware (JSE file)

Figure 4 – Third stage of the malware (JSE file)

The .jse artifact aims to download the following files:

  • json: The manifest file in JSON format contains information about the malicious Google Chrome extension.
  • seguro.js: Google Chrome extension developed with obfuscated JavaScript code.
  • Screenshotfrom202034-58.png: PNG file-type simulating a bank transfer.
  • lnk and Chrome1.lnk: Google Chrome shortcut used by the attacker to generate persistence and load the malicious extension via the –load-extension parameter to perform the Man-in-the-Browser attack.

The .jse file opens the Screenshotfrom202034-58.png file in full screen using rundll32 while dropping the .lnk files to generate persistence in the Windows Startup path and installing the “Seguridad” Google Chrome extension.

Opened full screen via rundll32 (PNG file)

Figure 5 – Opened full screen via rundll32 (PNG file)


PNG file simulating a bank transfer

Figure 6 – PNG file simulating a bank transfer


LNK files dropped in the Startup path

Figure 7 – LNK files dropped in the Startup path


LNK file loading attacker extension

Figure 8 – LNK file loading attacker extension


Attacker extension dropped in %LOCALAPPDATA% path

Figure 9 – Attacker extension dropped in %LOCALAPPDATA% path


Obfuscated JS file (Seguro.js)

Figure 10 – Obfuscated JS file (Seguro.js)


Attacker Google Chrome extension

Figure 11 – Attacker Google Chrome extension

If the victim opens the Chrome browser after the attacker installs the malicious extension, the MitB attack begins. The extension aims to inject an external request to a JavaScript resource into the DOM of the pages visited by the user.


External JS resource injected by malicious extension

Figure 12 – External JS resource injected by malicious extension

The external resource injected by the malicious extension contains URL checks to identify which banking page the victim is on. Another script calls an external resource, depending on the banking site that the user is visiting.

Forth stage of the malware

Figure 13 – Forth stage of the malware (8vZ9d1-ad.js resource)

For each banking site in the 8vZ9d1-ad.js script, the attacker built a script with JavaScript code that injects fake HTML templates into the DOM of the visited bank pages.

Custom JS code for Citibanamex fake page

Figure 14 – Custom JS code for Citibanamex fake page

Once all the malicious code is injected, the victim will see a replica of the legitimate banking page in their browser, and the information the user enters is sent to the attacker’s C2 server.

Injecting malicious code process

Figure 15 – Injecting malicious code process


Fake form showed by the attacker

Figure 16 – Fake form showed by the attacker after user ingresses data

SCILabs hypothesizes that the attacker could be carrying out targeted attacks on employees of different companies because the image used as a pretext in the chain of infection contains the name of a specific person and company.

Information found in the image used in the infection chain

Figure 17 – Information found in the image used in the infection chain

Threat Context of the second campaign analyzed in August 2022

We identified in open sources the https[:]//www[.]kawaitravelmexico[.]com/SAT[-]Portal[-]Descargas[-]Actualizacion[-]Tributaria domain during the security monitoring in LATAM, as shown in the following images.

In the apocryphal website, SCILabs found inconsistencies in the domain name and the registered contact name in the database. We also encountered writing errors, as shown in the following image.

Apocryphal website vs Legitimate website

Figure 18 – Apocryphal website observed during security monitoring (left) vs Legitimate website (right)

If the user does click on the “Descargar” button, the website downloads a compressed file in zip format called “” which contains a JavaScript file called “SAT_Policy.js”.

Compressed file downloaded from the impersonated site

Figure 19 – Compressed file downloaded from the impersonated site

Once the first dropper is executed, the infection chain described in the previous investigations begins.

Most important changes between the August campaign and the June campaign

SCILabs observed the following during the execution of the malware:

  • The infrastructure has changed, and the first dropper is now a JavaScript file to reduce the flow attack and make the infection faster.
  • If a user enters their data, it will be sent to the cybercriminal’s server, and the malware will display a pop-up window with a button to download an executable. If the user clicks on “Descargar Asistencia Bancanet (The message changes depending on the bank) they will be redirected to the official TeamViewer page, and the download will start automatically.

Pop-ups deployed to download an assistance software

Figure 20 – Pop-ups deployed to download an assistance software (I)


Pop-ups deployed to download an assistance software

Figure 21 – Pop-ups deployed to download an assistance software (II)


Auto download of TeamViewer

Figure 22 – Auto download of TeamViewer

After analyzing the downloaded executable, SCILabs determined that it is a legitimate tool and no malicious behavior was observed, so SCILabs has two hypotheses about it:

  • It is an update of the previous campaign, to make it more effective by generating greater confidence in the victim.
  • Downloading this tool suggests that in the future, the cybercriminal will use social engineering techniques to obtain TeamViewer credentials and thus get remote control of the victim’s computer.

In the latest campaign, the attacker is using a template to steal victims’ email credentials.

Template to steal email credentials

Figure 23 – Template to steal email credentials

During the investigation, SCILabs observed a new evasion defense mechanism; when trying to inspect the code of visited websites in the Chrome browser infected, it automatically enables the debugger and prevents further analysis, because the malicious code contains an infinite loop to enable the debugger and pause it.

Code inspector with auto debugging

Figure 24 – Code inspector with auto debugging

Attack Flows

The following image describes the attack flow observed during June:

Attack flow of the first sample recovered by SCILabs

Figure 25 – Attack flow of the first sample recovered by SCILabs

The image below describes the attack flow of the variant observed during August:

Attack flow of the variant recovered by SCILabs

Figure 26 – Attack flow of the variant recovered by SCILabs

Technical Summary

  • Initial access is probably carried out through phishing emails impersonating the Secretaria de Administración Tributaria from Mexico that encourages victims to download and install a malicious artifact with which the chain of infection begins.
  • The main page gives instructions to download and install the first dropper.
  • An image impersonating a banking transfer (probably used as a distraction and motivator for the user to enter their online banking data) is displayed on the screen after executing the first dropper.
  • The .hta file contains obfuscated VBS code that runs PowerShell functions that aim to download the php#.jse file to the %appdata%/Roaming path and create a scheduled task to run it.
  • The js or feb.php#.jse file according to the case contains obfuscated code that drops a malicious Google Chrome extension to the %localappdata% path along with its manifest file, an image to the %localappdata%/Temp path that spoofs a transfer receipt, and two Google Chrome shortcuts in the Startup path that aims to load the malicious extension on each run.
  • When the .js file is executed through rundll32, the image of the false receipt is displayed on full screen, and persistence is generated in the Windows Startup path through the direct accesses released. In addition, the malicious extension that aims to carry out the MitB attack is installed in the Google Chrome
  • If the victim opens the Google Chrome browser and visits a banking page, the 8vZ9d1-ad.js resource is injected into the visited website’s DOM.
  • The 8vZ9d1-ad.js JavaScript resource contains calls to other external resources depending on the banking site that the victim visits to display a template that impersonates the banking website.
  • Finally, if the victim enters information, it is sent to the attacker’s server.

Comparison between BlackDog campaigns and other well-known campaigns

To determine if this is a new campaign, the SCILabs team investigated public sources on different campaigns and found similarities in some of them:

  • Magnant: Use of EXE or ISO files for its installation. This threat has as its objective the installation of a backdoor using a malicious Chrome extension to steal bank credentials, it especially targets North America and Australia.
  • IceID Stelear AKA BokBot: Use malicious Office documents with macros to start the infection chain, typically distributed by phishing emails. In this case, the cybercriminals use images with steganography to perform different tasks during the attack flow targeting mainly the APAC region.
  • Chaes: This malware distribution is based on compromised sites to download and install a JavaScript that starts the infection chain, but in this case is only to prepare a python environment. It targets mainly Brazil, and some names of the installed files are written in Portuguese. It finally installs at least five malicious Chrome extensions to execute different tasks such as connections to C2, and marketplaces stealing credentials, among others.
  • Kronos: The execution is through EXE files. The cybercriminals use a similar phishing kit and code injection, but in this case, they also use images with steganography and a TOR environment to connect with their C2 server. There are no more overlaps between campaigns.

Note: The threats shown above were taken into consideration because they are also use JavaScript code or have Plugins written in this language.

After this investigation, SCILabs team determined that despite the similarities, none of the campaigns analyzed used the same TTPs during their infection chain, so based on its characteristics, SCILabs named it BlackDog.

TTPs observed aligned to MITRE’s ATT&CK framework

TTPs observed aligned to MITRE’s ATT&CK framework

Table 1 – TTPs observed aligned to MITRE’s ATT&CK framework


SCILabs considers that the danger of this campaign lies in three main aspects:

  • Quick update of its droppers and TTP during the infection chain.
  • This threat could be used to deploy other types of more dangerous malware like ransomware that can cause more significant damage to organizations.
  • The artifacts used have a very low detection rate by antivirus solutions.

During the investigation of this threat, SCILabs noticed a notable group of characteristics that are not present in other campaigns, such as:

  • The use and injection of JavaScript code; target only of Mexican users, probably distributed by phishing emails.
  • Installation of a malicious Chrome extension.
  • Man-in-the -Browser attack.
  • The impersonation of legitimate sites of many Mexican banks.

This attack could be especially effective because most users do not usually have control of the Google Chrome browser and its plugins or extensions.

SCILabs believes that due to the effectiveness of the techniques used to carry out the Man-in-the-Browser attack, we will continue to see similar campaigns throughout the rest of the year.

Finally, SCILabs recommends performing the following actions:

  • Adding the indicators of compromise reflected in this report to your security solutions
  • Conduct a threat hunting for malicious add-ons or extensions on company browsers
  • Have a strict policy regarding using and installing plugins or extensions, especially in Google Chrome
  • Look for suspicious files with names like js, 8vZ9d1-ad.js, or SAT_Policy.js
  • Look for suspicious folders or files created under %APPDATA%, %LOCALAPPDATA%/TEMP, and %LOCALAPPDATA%
  • Search for Chrome browser shortcuts that use the –load-extension parameter to execute malicious code or extensions.

It is also essential to carry out awareness campaigns about the proper use of Internet access tools and the diffusion of social engineering techniques used by cybercriminals to distribute malware.



Hash MD5

















































































Filesystem Paths






Observables IOC


Hash MD5