![\"Logo](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/Logo-BlackStink.jpg\"){kind=logo}
<\/h1>\n<\/h1>\nThe following report provides the TTPs and IoCs of a new malware campaign that SCILabs named BlackStink<\/em><\/strong>. This campaign targets Mexico and was identified during the first week of November. The distribution method is through phishing emails under the pretext of supposed invoices and aims to perform Man-in-the-Browser attacks, misusing the Chrome Browser Cloud Management<\/a> panel to install malicious extensions, supplanting the legitimate Google Documents<\/a> extension.<\/p>\n The main objective of this malware is to steal information from users of different financial institutions, through malicious extensions remotely installed in the Chrome browser.<\/p>\n SCILabs performed a detailed analysis to determine if there is any relationship between this malware and other already known families, which share TTPs such as the use of HTA applications and malicious Google Chrome extensions to perform Man-in-the-Browser attacks, the malware analyzed and compared were BlackDog<\/em><\/a>, Magnant<\/em><\/a>, ViperSoftX<\/em><\/a> and VenomSoftX<\/em><\/a>; however, there was no direct relationship with these threats, so due to its characteristics we named this malware as BlackStink<\/em><\/strong>.<\/p>\n Finally, it is important to mention that the artifacts identified during the infection chain of this campaign are not found in the VirusTotal platform.<\/a><\/p>\n The main objective of this campaign is to perform a Man-in-the-Browser attack to steal banking information from the victim. In addition, the attackers could install additional extensions with capabilities observed in other campaigns<\/a>, for example, monetize user traffic by redirecting it to external domains, redirecting to phishing or adware sites, among others. If an attack by this malware is successful, it potentially could cause economic and reputational losses to the organization, because the cybercriminals could misuse the information obtained by leaking it or selling it on underground forums or the black market.<\/p>\n During the first week of November, 3 emails were retrieved from our cyber-ecosystem, all of them indicating that a CFDI file and a key for the document were attached.<\/p>\n Figure 1 \u2013 Phishing email<\/strong><\/p>\n The attachment was a PDF file that attempted to persuade the user to download an additional file by displaying the message “El archivo ha sido protegido con contrase\u00f1a y no puede ser mostrado. Vea el archivo en su PC.<\/em>“, when clicking on “Descargar Documento<\/em>” it redirects to the URL hxxps[:\/\/]websylvania[.]com\/cfdi\/? e4e1fec0a9259fd2a07f4c6bc5577087e4e1fec0a9259fd2a07f4c6bc5577087e4e1fec0a9259fd2a07f4c6bc5577087<\/strong>, where the download of a RAR file starts.<\/p>\n Figure 2 \u2013 PDF attached in the email<\/strong><\/p>\n The downloaded file was protected with a password, so at the moment of decompressing it, the password mentioned in the email and in the PDF file must be used, this password may change depending on the email. In the content of the compressed file there was a shortcut that aimed to execute a PowerShell script to start the malware infection chain.<\/p>\n Figure 3 \u2013 Shortcut properties<\/strong><\/p>\n The shortcut contains a PowerShell script with the following code:<\/p>\n This line of code is responsible for starting a PowerShell instance to execute a remote file from the URL hxxps[:\/\/]websylvania[.]com\/hydra\/user[.]hta<\/strong>, abusing the Windows utility mshta.exe<\/a>, which is designed to run HTA-type applications.<\/p>\n This block of code gets the path where the shortcut was extracted, once the execution is finished, it deletes this file from the compromised device.<\/p>\n The HTA file executed during the infection chain contains an obfuscated Visual Basic script, which is responsible for executing additional PowerShell commands.<\/p>\n Figure 4 \u2013 Obfuscated VBS code block in the user.hta file<\/strong><\/p>\n Figure 5 \u2013 Obfuscated PowerShell commands<\/strong><\/p>\n There are obfuscated strings in base64 in the PowerShell commands embedded in the code, once these strings are decoded, a PowerShell script is obtained. In general, the script is responsible for performing the following actions:<\/p>\n Figure 6 \u2013 Deobfuscated PowerShell script<\/strong><\/p>\n The user.ps1 file performs the following actions:<\/p>\n Figure 7 \u2013 Block of code from the user.ps1 file<\/strong><\/p>\n If the registry key was successfully created, the victim’s Chrome browser is added to a Google cloud management console, which allows the console administrator to define the usage policies on the registered browsers, as well as the installation of extensions from the Chrome Web Store or from an external URL where the application is stored.<\/p>\n The operators of this malware install two extensions on the compromised computer’s browser, which impersonate the Google Documents application. Both extensions cannot be removed or disabled by the user, on the details page of these applications one can see that the source is external to the Chrome Web Store and the permissions are \u201cRead and change all the data on the websites you visit\u201d.<\/p>\n Figure 8 \u2013 Malicious Chrome extensions<\/strong><\/p>\n Figure 9 \u2013 Details of the malicious Chrome extension<\/strong><\/p>\n A static analysis of the extensions revealed the following URLs:<\/p>\n When analyzing these domains, we found characteristics observed in malware campaigns, for example, all 3 domains have been recently registered and their certificates have been provided by Let’s Encrypt, which is an organization that provides free certificates. It is common to find certificates emitted by this organization on web pages used by cybercriminals to distribute malware.<\/p>\n Figure 10 \u2013 Domains found in the JS files of the malicious extensions<\/strong><\/p>\n Figure 11 \u2013 Information of the domain gemsrail[.]com<\/strong><\/p>\n Figure 12 \u2013 Certificates of the domain gemsrail[.]com<\/strong><\/p>\n When visiting a banking website found in the validation list of the malware and providing the login data, an object called “Check” is created, which contains the information submitted by the user. Additionally, a JavaScript object called “Result” of Promise<\/a> type can be observed, which has not been resolved and has a pending status, this may be due to some validation that did not get a valid response for the malware.<\/p>\n At the time of writing this report, we have not observed additional malicious behavior from these extensions because the attacker’s infrastructure may not be available, so it is not possible to determine with certainty all the capabilities of the malware, however, based on our experience and research, SCILabs hypothesizes that once the victim submits access credentials on a banking website, these will be collected and shared with the C2 of the cybercriminals.<\/p>\n Figure 13 \u2013 JavaScript object Check in which the card number submitted can be observed<\/strong><\/p>\n Figure 14 \u2013 JavaScript Result object with pending status<\/strong><\/p>\n Figure 15 \u2013 Attack flow<\/strong><\/p>\n To determine if this threat is a new campaign, SCILabs team researched in public sources different campaigns that could be related to this campaign, finding similarities in some of them, such as:<\/p>\n After this investigation, SCILabs team determined that despite the similarities, none of the analyzed campaigns used the same TTPs during their infection chain, so based on its characteristics, SCILabs named this malware as BlackStink<\/em><\/strong>.<\/p>\n Table 1 – TTPs observed aligned to MITRE\u2019s ATT&CK framework<\/strong><\/p>\n During the investigation of this threat, SCILabs noticed that the main feature that differentiates it from other campaigns that use malicious Chrome extensions to perform Man-in-the-Browser attacks is the use of the Chrome Browser Cloud Management panel, a tool that allows them to have complete control over the registered browser. The remote installation of Google Chrome extensions, which cannot be disabled or uninstalled by the affected victim, is one of the aspects that make this threat especially dangerous, since the operators of this malware could install additional extensions, with capabilities observed in other malware that use Chrome extensions in their infection chain, for example, keylogging or adding the infected device to a Botnet, as is the case of Cloud9<\/a>.<\/p>\n In addition, this attack could be very effective because most users of any type of organization do not usually have control of the Chrome browser and its installed extensions. Due to this and the effectiveness of the techniques used by this threat, SCILabs assures with a high level of confidence that we will continue to see similar campaigns throughout the rest of the year, as well as the evolution of its TTPs and infrastructure updates.<\/p>\n Finally, SCILabs recommends taking the following actions:<\/p>\n Hash MD5 <\/strong><\/p>\n 1B11BA3ECEEE4E9F4579A45DA95F11AD<\/p>\n 1719A49709FD453A1B2934E3E4EAFC26<\/p>\n 26DD848E6E7EAEE8971FCCD4E6C9B332<\/p>\n 2F483280491A0FCF27194322F22FAF7B<\/p>\n 6E40E3CEAA3B8FDBD1ECF93F930FE4CA<\/p>\n 842D09A2BF09D43F75D8AB498D1C3DB4<\/p>\n B11354D793B996A038D548BC6B0E4D4A<\/p>\n 8F1546582A0CF7A3B08881D6C3C18EC0<\/p>\n 7423E4B568EBB415FF916D5CB99AC9C0<\/p>\n DD18F251324C25C7D712DC0FE0424C6E<\/p>\n F5738B01C9110A68DA58A00C558B2528<\/p>\n 71F2513CA9AB2631B5F9B4B571AA3E13<\/p>\n E8737AFBABDCA29481E4AF8071389602<\/p>\n 31F65612BB67F7A11E1D77094DC38A26<\/p>\n <\/p>\n Extensions ID<\/strong><\/p>\n BJPNNPIFELIGGNMLEMIEOFJLGFGCPCHB<\/p>\n LBNJIBNKOJIIIIKEAGBPMLDLBBLANOPO<\/p>\n <\/p>\n File Names<\/strong><\/p>\n ENVIO_CFDI_28449.PDF<\/p>\n CFDI_956623.RAR<\/p>\n CFDI_SAT.GOB.MX<\/p>\n 15747.HTA<\/p>\n USER.HTA<\/p>\n 74B6.PS1<\/p>\n USER.PS1<\/p>\n CMSTP.INF<\/p>\n CHECK.TXT<\/p>\n BACKGROUND.JS<\/p>\n BACKGROUND.JS.LICENSE.TXT<\/p>\n INDEX.JS.LICENSE.TXT<\/p>\n INDEX.HTML<\/p>\n INDEX.JS<\/p>\n MANIFEST.JSON<\/p>\n <\/p>\n Domains<\/strong><\/p>\n WEBSYLVANIA[.]COM<\/p>\n UPDATE[.]PIXELCDNJS[.]COM<\/p>\n APESTA[.]MICULON[.]COM<\/p>\n PIXEL[.]GEMSRAIL[.]COM<\/p>\n <\/p>\n Malware URLs<\/strong><\/p>\n HXXPS[:\/\/]KH7JV[.]STORE\/?KJN4HG8JBSLHORPICHKJNUEQBWNOCARXMGPJORBUXZKB1JTZMC0HLRWBYAEGGFKJN4HG8JBSLHORPICHKJNUEQBWNOCARXMGPJORBUXZKB1JTZMC0HLRWBYAEGGF<\/p>\n HXXPS[:\/\/]WEBSYLVANIA[.]COM\/CFDI\/?E4E1FEC0A9259FD2A07F4C6BC5577087E4E1FEC0A9259FD2A07F4C6BC5577087E4E1FEC0A9259FD2A07F4C6BC5577087<\/p>\n HXXPS[:\/\/]WEBSYLVANIA[.]COM\/HYDRA\/USER[.]HTA<\/p>\n HXXPS[:\/\/]WEBSYLVANIA[.]COM\/HYDRA\/USER[.]PS1<\/p>\n HXXPS[:\/\/]WEBSYLVANIA[.]COM\/HYDRA\/IT[.]PHP<\/p>\n HXXPS[:\/\/]UPDATE[.]PIXELCDNJS[.]COM\/EXTENSION\/MANIFIEST[.]XML<\/p>\n HXXPS[:\/\/]APESTA[.]MICULON[.]COM\/STATIC\/JS\/COLLECT\/PIXEL<\/p>\n HXXPS[:\/\/]PIXEL[.]GEMSRAIL[.]COM\/STATIC\/JS\/COLLECT\/PIXEL<\/p>\n","protected":false},"excerpt":{"rendered":" Overview The following report provides the TTPs and IoCs of a new malware campaign that SCILabs named BlackStink. This campaign<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-360","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/360","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=360"}],"version-history":[{"count":0,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/360\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/media?parent=360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<\/a>How could it affect an organization?<\/h1>\n
<\/a>Analysis<\/h1>\n
Threat context<\/h4>\n
![\"Phishing](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/img_1.png\")
<\/p>\n![\"PDF](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/img_2.png\")
<\/p>\n![\"Shortcut](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/img_3.png\")
<\/p>\n![\"Code](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/code_1.png\")
<\/p>\n![\"Code](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/code_2.png\")
<\/p>\n![\"Obfuscated](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/img_4.png\")
<\/p>\n![\"Obfuscated](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/img_5.png\")
<\/p>\n\n
\n
![\"Deobfuscated](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/img_6.png\")
<\/p>\n\n
\n
![\"Block](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/img_7.png\")
<\/p>\n![\"Malicious](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/img_8.jpg\")
<\/p>\n![\"Details](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/img_9.png\")
<\/p>\n\n
![\"Domains](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/img_10.jpg\")
<\/p>\n![\"Information](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/img_11.png\")
<\/p>\n![\"Certificates](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/img_12.png\")
<\/p>\n![\"JavaScript](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/img_13.jpg\")
<\/p>\n![\"JavaScript](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/img_14.png\")
<\/p>\nAttack Flow<\/h1>\n
![\"Attack](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/Attack-Flow-BlackStink.png\")
<\/p>\nTechnical Summary<\/h1>\n
\n
\n
\n
\n
Comparison between BlackStink’s campaign and other well-known campaigns<\/h1>\n
\n
TTPs observed aligned to MITRE\u2019s ATT&CK framework<\/h1>\n
![\"TTPs](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/12\/table_1.png\")
<\/p>\nAssessment<\/h1>\n
\n
IOC<\/strong><\/h1>\n