{"id":293,"date":"2022-08-30T17:33:45","date_gmt":"2022-08-30T17:33:45","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=293"},"modified":"2022-08-30T17:33:45","modified_gmt":"2022-08-30T17:33:45","slug":"new-blackdog-malware-man-in-the-browser-malware-campaign-targeting-mexico","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2022\/08\/30\/new-blackdog-malware-man-in-the-browser-malware-campaign-targeting-mexico\/","title":{"rendered":"New BlackDog malware: Man-in-the-Browser malware campaign targeting Mexico"},"content":{"rendered":"

\"BlackDog<\/h1>\n

<\/a>Overview<\/strong><\/h1>\n

Between the last week of June and the third one of August, SCILabs identified a new malware campaign \u00a0which is being distributed through phishing emails under the pretext of supposed invoices to perform Man-in-the-Browser<\/em> attacks using domains such as kawaitravelmexico[.]com<\/em><\/strong> and facturamx[.]club<\/em><\/strong> supplanting the Servicio de Administraci\u00f3n Tributaria (SAT) in Mexico <\/em>and impersonating sites like hxxp[:]\/\/www[.]sat[.]gob[.]mx.<\/p>\n

Its main objective is to steal information from users of financial institutions, by injecting code into the Chrome browser, via a malicious extension.<\/p>\n

During about five weeks, SCILabs has continued monitoring activities and identified mainly two variants of this campaign that, due to its characteristics, we named BlackDog<\/em><\/strong>. SCILabs carried out multiple investigations to determine if there is any relationship between this malware and other families like Magnant<\/em>, BokBot<\/em>, Chaes<\/em>, and Kronos<\/em>;<\/em> however, we found no relationship between them.<\/p>\n

Finally, it is essential to mention that the artifacts identified by SCILabs used in the infection chain have a low detection rate by antivirus solutions in the VirusTotal <\/em>platform.<\/p>\n

How could it affect an organization?<\/strong><\/h1>\n

The main objective of this campaign is to perform a Man-in-The-Browser<\/em> <\/strong>attack to steal banking information from all types of users. During the infection chain, the attackers could use the droppers identified by SCILabs to download more dangerous malware like ransomware.<\/p>\n

If an attack by this malware is successful, it could cause economic and reputation losses; additionally, cybercriminals could misuse the obtained data by leaking or selling it on underground forums or on the black market.<\/p>\n

Analysis<\/strong><\/h1>\n

Threat Context of the first campaign analyzed in June 2022<\/strong><\/h4>\n

SCILabs identified, in open sources, the facturamx[.]club<\/em><\/strong> domain simulating to be a billing site from Mexico and when carrying out the investigation we recovered the artifact with which the chain of infection began.<\/p>\n

The first malicious artifact identified by SCILabs was feb.hta<\/strong>, downloaded from facturemx[.]mx\/feb.hta<\/em><\/strong> and corresponds to an HTML template with an embedded VBS-type obfuscated script.<\/p>\n

\"First<\/p>\n

Figure 1 – First stage of the malware (HTA file)<\/p>\n

If the victim opens the .hta<\/em><\/strong> file, it runs an obfuscated PowerShell<\/em> script that aims to download and execute the third stage of the malware.<\/p>\n

\"Obfuscated<\/p>\n

Figure 2 – Obfuscated PowerShell script – Second stage of the malware<\/p>\n

The malware creates a scheduled task to execute the file corresponding to the third stage of infection, which is an obfuscated .jse<\/em><\/strong> (JScript Encoded Script Format) type file, that aims to generate persistence and download the artifacts of the fourth stage of the attack.<\/p>\n

\"Schedule<\/p>\n

Figure 3 – Schedule task to execute the third stage of the malware<\/p>\n

 <\/p>\n

\"Third<\/p>\n

Figure 4 – Third stage of the malware (JSE file)<\/p>\n

The .jse<\/em><\/strong> artifact aims to download the following files:<\/p>\n