{"id":358,"date":"2022-12-21T00:39:25","date_gmt":"2022-12-21T00:39:25","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=358"},"modified":"2022-12-21T00:39:25","modified_gmt":"2022-12-21T00:39:25","slug":"new-blackbelen-malware-man-in-the-browser-malware-campaign-targeting-mexico","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2022\/12\/21\/new-blackbelen-malware-man-in-the-browser-malware-campaign-targeting-mexico\/","title":{"rendered":"New BlackBelen malware: Man-in-the-Browser malware campaign targeting Mexico"},"content":{"rendered":"

\"Logo<\/h1>\n

Overview<\/h1>\n

This post aims to describe the TTPs and provide IoCs of a new malware campaign that SCILabs called BlackBelen. SCILabs observed this campaign during threat monitoring in Latin America during the last week of November. This malware aims to carry out a Man-in-the-Browser (MitB) attack by installing malicious extensions hosted on the official Chrome web browser store (Chrome Web Store<\/a>) to steal users’ banking information in Mexico.<\/p>\n

The distribution method identified so far is malvertising<\/a> campaigns, which lead the victim to an apocryphal website of the Secretar\u00eda de Administraci\u00f3n Tributaria<\/em> (SAT), inciting the user to install a malicious extension. Based on various investigations that the SCILabs team has carried out on banking trojans like Mekotio<\/em> or Ursa<\/em>, we do not rule out that phishing campaigns with hyperlinks or attached PDF-type documents are also being used, leading the victim to the malicious site.<\/p>\n

At SCILabs, we have carried out investigations about other malware campaigns related to the installation of extensions, like the BlackDog<\/em><\/a> malware identified by SCILabs for the first time during the last week of June and the BlackStink<\/em><\/a> campaign discovered by us in november, however, although these malware families have some overlaps in their TTPs, so far we have not found sufficient elements that allow us to demonstrate that this one is from the same family, for this reason, this new malware was named BlackBelen<\/em><\/strong>.<\/p>\n

It is essential to mention that the hashes of the scanned artifacts are not available on the VirusTotal platform.<\/p>\n

<\/a>How could it affect an organization?<\/h1>\n

The main objective of this campaign is to carry out a MitB attack so that the attackers can steal information from all types of users, including corporate users. If an attack by this malware is successful, the cybercriminals could misuse the stolen data, leaking it or selling it on underground forums or the Darknet, causing financial and reputational losses to the organization.<\/p>\n

Analysis<\/h1>\n

Threat context<\/h1>\n

While monitoring threats in the region, the URL hxxps[:]\/\/portaldeconexionsegura[.]com\/portal-SAT-enlinea-extension-security\/<\/strong> was identified, which directs visitors to an apocryphal Mexican SAT site.<\/p>\n

Once a user enters the fake site, a modal<\/a> window is displayed, inciting the victim to install a malicious extension on the Chrome or Edge browser under the pretext of being a tool for the safe use of the SAT mailbox.<\/p>\n

\"\"<\/p>\n

Figure 1 \u2013 Apocryphal SAT website<\/strong><\/p>\n

The victim is redirected to the Chrome Web Store if the user clicks the \u201cAgregar Extensi\u00f3n Segura<\/em>\u201d button and uses the Chrome web browser. If the victim uses a different browser, for example, Edge, the button redirects to another apocryphal website.<\/p>\n

It is essential to mention that the Edge web browser allows installing extensions from the other browser stores if the user accepts the permissions.<\/p>\n

\"\"<\/p>\n

Figure 2 \u2013 Malicious extension website<\/strong><\/p>\n

Once the extension is installed in a Chrome or Edge browser, it will have permission to read and modify all data on all websites. The extension has two features:<\/p>\n

    \n
  1. Show a window with an “optimized and safe” browsing message<\/li>\n
  2. Open a browser console pop-up window<\/li>\n<\/ol>\n

    It is important to mention that unlike other malware campaigns such as BlackDog<\/em> and BlackStink<\/em>, this extension allows uninstallation by the user and does not use anti-debugging scripts as in the case of BlackDog<\/em>. For these reasons, in addition to the fact that browser console usage is not typically targeted at end users, we hypothesize that the adversary is in the development phase of this malware. The attacker will likely use the browser console pop-up to debug the malware’s capabilities.<\/p>\n

    \"\"<\/p>\n

    Figure 3 \u2013 Google Chrome extension installed<\/strong><\/p>\n

    \"\"<\/p>\n

    Figure 4 – Extension features<\/strong><\/p>\n

    By analyzing the extension, we identified various files, including JavaScript-type scripts from some Plugins and libraries such as React, and the malicious code of the extension. Finally, the files are “minified<\/a>” and slightly obfuscated.<\/p>\n

    The most relevant files for this investigation are presented below:<\/p>\n

      \n
    1. popup.bundle.js<\/strong>: It contains the \u201cminified\u201d scripts of the React<\/a> JavaScript library used by the adversary to manipulate the browser and perform JavaScript operations such as communication to C2 over Web Sockets<\/a>.<\/li>\n<\/ol>\n

      \"\"<\/p>\n

      Figure 5 – React library source code snippet<\/strong><\/p>\n

        \n
      1. 00c0035238bc9aceb757.js<\/strong>: It contains JavaScript code that uses the chrome.debugger API<\/a> that serves as an alternative transport for the remote debugging protocol<\/a> and can be used to mutate DOM and CSS code, among other things. This code is probably used by the attacker to monitor the operation of the malware or make modifications to the DOM.<\/li>\n<\/ol>\n

        \"\"<\/p>\n

        Figure 6 – Source code snippet where the chrome.debugger API is used<\/strong><\/p>\n

          \n
        1. background.bundle.js:<\/strong> It contains modified code from the Socket.IO<\/a> library used by the attacker to perform two-way real-time communication with C2.<\/li>\n<\/ol>\n

          \"\"<\/p>\n

          Figure 7 \u2013 Source code snippet<\/strong><\/p>\n

          Once the malicious extension is successfully installed, when the victim browses the internet, the data will be sent to C2 in real time; if the page visited corresponds to a banking site, it will redirect to an apocryphal website to steal the victim’s banking credentials.<\/p>\n

          It is important to mention that we could only emulate the attack with the Citibanamex banking institution during the dynamic analysis.<\/p>\n

          \"\"<\/p>\n

          Figure 8 \u2013 Apocryphal Citibanamex Website<\/strong><\/p>\n

          An important point to mention is that during the analysis, we identified the use of Spanish words at different stages of the infection, such as \u201cx-amor-es\u201d, \u201cbelen-y-draken\u201d, \u201cLa pongo en true\u201d, \u201cDistintos estados detectados\u201d, \u201cAparentemente cambio el pedo\u201d, \u201cLa regreso a false\u201d. <\/em>Therefore, we hypothesize that due to their knowledge of the relevant institutions in Mexico and the slang used, the adversary is originally from Mexico.<\/p>\n

          \"\"<\/p>\n

          Figure 9 – Slang used by the attacker in the browser console<\/strong><\/p>\n

          Additionally, we identified that on one of the servers used by the attacker, there were phishing templates used to steal credentials from email providers such as Outlook, Gmail, and Yahoo, so it is likely that there are also active campaigns to steal access by part of the same attacker targeting users in Mexico.<\/p>\n

          \"\"<\/p>\n

          Figure 10 \u2013 Phishing Template<\/strong><\/p>\n

          Finally, during the investigation, we identified that the template used to impersonate the SAT is very similar to the one used by BlackDog<\/em>. In open sources<\/a>, we identified a template with a file download modal as BlackDog<\/em> does; however, they do not share additional TTPs, and so far, they do not share infrastructure with BlackDog<\/em> or another family of malware that uses malicious Google Chrome extensions.<\/p>\n

          The similarity of the templates used could indicate that the threat actor behind BlackDog<\/em> is the same one behind this threat; however, the trust level is low. Up to now, we have yet to find enough elements to demonstrate that it is from the same family; for this reason, this new malware was named BlackBelen<\/em><\/strong>.<\/p>\n

          \"\"<\/p>\n

          Figure 11 – Template hosted in the SAT apocryphal domain identified in open sources<\/strong><\/p>\n

          Technical summary<\/h1>\n