{"id":402,"date":"2023-02-14T01:04:08","date_gmt":"2023-02-14T01:04:08","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=402"},"modified":"2023-02-14T01:04:08","modified_gmt":"2023-02-14T01:04:08","slug":"new-campaign-red-appaloosa-targeting-mexico-and-distributing-a-banking-trojan","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2023\/02\/14\/new-campaign-red-appaloosa-targeting-mexico-and-distributing-a-banking-trojan\/","title":{"rendered":"New campaign Red Appaloosa targeting Mexico and distributing a banking trojan"},"content":{"rendered":"

\"Logo<\/h1>\n

Overview<\/h1>\n

The following report provides TTPs and IoCs used in a malware campaign targeting Mexico distributing a banking trojan, which SCILabs named Red Appaloosa<\/em> based on its different characteristics. These new indicators were obtained from security monitoring and threat hunting in the region during the first week of January 2023.<\/p>\n

The propagation method of this threat is mainly done through phishing emails trying to impersonate different institutions and using pretexts such as invoices, and payment receipts, among others.<\/p>\n

In this campaign, SCILabs recovered a PDF file attempting to impersonate the Mexican electricity utilities Comision<\/em> Federal de Electricidad <\/em>(CFE) using a payment receipt as a pretext. The importance of this update is the fact that this malware campaign continues using the TTPs characteristic of other threats, such as URSA\/Mispadu<\/em> (banking trojan), Grandoreiro<\/em> (banking trojan), and Banload<\/em> (dropper).<\/p>\n

The main objective of this threat is to steal banking information from multiple financial institutions of customers located in Mexico, the USA, and Portugal, including Banco Azteca, CaixaBank, Banco de Portugal, Banco Efisa, Banco Inmobiliario Mexicano, Banco Bancrea, Banco Finterra, Banco De Confianza, Banco Autofin, Banco Actinver, Scotiabank, Activobank, Orange Bank, American Express Bank, and Intercam Banco, however, based on the monitoring of the region, there is a possibility that shortly, they may attempt to steal information from financial institutions with a presence in other countries, both in LATAM and other countries in the world.<\/p>\n

Considering that the campaign is apparently in an experimental phase and is under development, the objective of this document is to present all the information available so far to allow organizations to identify and recognize in a preventive way the behavior of this banking trojan, as well as its TTPs and IoCs, to avoid becoming a victim of this threat.<\/p>\n

It is important to mention that SCILabs will continue to track this threat, and this report will use information already known in a general way only to provide context on the new findings.<\/p>\n

<\/a>How could it affect an organization?<\/h1>\n

The main objective of Red Appaloosa<\/em> is to steal banking information from multiple financial institutions of all types of users, including employees of organizations, so if an attack is successful inside an organization, it could compromise the confidentiality, availability, and integrity of the company’s information because the extracted data can be leaked or sold on the black market or the Dark Web, which could cause economic and confidence losses for the victim companies.<\/p>\n

<\/a>Analysis<\/h1>\n

Threat context<\/h4>\n

SCILabs observed Red Appaloosa <\/em>during the monitoring and threat hunting in the region during the first week of January 2023; in addition, SCILabs have monitored this threat since November 2022.<\/p>\n

Although in this campaign, SCILabs was not able to recover the email that triggered the infection, in other campaigns it was observed that the distribution begins through phishing emails containing URLs and\/or PDF or HTML files attached, with various pretexts, related to the payment of invoices, the validity of rights, digital tax receipts, and payment receipts, among others. After observing the impersonated organization (CFE), the SCILabs team was able to determine with a high level of confidence that this campaign is targeting Mexico.<\/p>\n

The objective of the PDF recovered by SCILabs is to redirect the victim to a website to download a compressed file in ZIP format containing a greater than 300MB EXE. Upon execution, a CAPTCHA validation is displayed on the screen, and once resolved, the following stages of the malware, described later in this report, begin.<\/p>\n

Finally, it tries to communicate with the C2 server and waits for the user to log in to certain bank’s portal to steal their banking information.<\/p>\n

Technical Summary<\/h4>\n

The PDF file recovered by SCILabs with the name “CFE_PENDIENTES_Factura1593365.pdf<\/strong>” pretends to impersonate the CFE by duplicating one of its receipts in a blurred form and with the caption “Ver Factura Completa<\/em>“. The image has a hyperlink inside, which, unlike the one reported by SCILabs in December, does not use URL shorteners or QR generators. Clicking on any part of the alleged receipt initiates downloading a compressed file in ZIP format.<\/p>\n

\"PDF<\/p>\n

Figure 1 \u2013 PDF file with an alleged CFE receipt<\/p>\n

The compressed file contains an executable file, and a second compressed file contains a Firefox installer, in which no malicious behavior has been observed, and its functionality in the infection chain has not been determined.<\/p>\n

\"Compressed<\/p>\n

Figure 2 \u2013 Compressed file content<\/p>\n

When executing the file named “A72351623012034.exe” a CAPTCHA validator is displayed, which seeks to evade sandbox security solutions by forcing human interaction to continue with the malware execution. It is important to note that this window cannot be closed if the CAPTCHA is not resolved or is resolved incorrectly.<\/p>\n

\"CAPTCHA<\/p>\n

Figure 3 \u2013 CAPTCHA validator used by the malware<\/p>\n

After the validation of the CAPTCHA, it starts downloading a MPEG format file named jama22bg; although it looks like a video, this artifact is a compressed file, which contains two directories, an installer and three DLLs (one of them malicious and over 500MB).<\/p>\n

To decode this supposed video, the malware uses the VideoLan software. The final archive is password protected, and SCILabs has not yet been able to determine the password.<\/p>\n

\"Content<\/p>\n

Figure 4 \u2013 Content of the supposed video<\/p>\n

The malware automatically unzips this artifact and moves the contents to the C:\\Users\\<user>\\<random characters><\/em> directory, then runs the “install.exe” file and attempts to impersonate the NotePad++ text editor.<\/p>\n

The following files are located inside the final directory:<\/p>\n