Since February 2023, several public investigations have provided information on other threats named in some external investigations, such as Porongona<\/em><\/a>, Botnet Fenix<\/em><\/a>, and Manipulated Caiman<\/em><\/a>, apparently new in-the-wild. However, after a meticulous analysis carried out by SCILabs, various overlaps were identified between the TTPs (Tactics, Techniques, and Procedures) of these recently revealed threats and the already known banking trojan URSA\/Mispadu<\/em>. As was published in May 2023 in the post “Evolution of the URSA\/Mispadu banking Trojan<\/em><\/a>” it is a threat that implements constant changes in its infection chain.<\/p>\n In this publication, SCILabs shows an exhaustive analysis of the overlaps in the TTPs, which has allowed us to assert, with a medium level of confidence, that the Porongona<\/em>, Botnet Fenix<\/em>, and Manipulated Caiman<\/em> threats are essentially part of the operation of the Malteiro<\/em> threat group. Its objective is the theft of confidential information, especially banking data, belonging to users of various financial institutions in Latin America; and its distribution method is the use of phishing emails under pretexts such as pending invoices or tax matters.<\/p>\n Finally, in a region as interconnected as Latin America, where financial institutions are vital for economic stability, understanding the nature and origin of malware is crucial for a proactive response to the various threats that affect the region.<\/p>\n If an attack from any of these threats or those with similar capabilities is successful within an organization, it could result in substantial financial losses for both the organization and its users, affecting the trust of financial institutions and negatively impacting the industry. Additionally, leaking victims’ confidential information on Dark Web forums and the black market could lead to legal issues and exposure of sensitive personal data, which could cause reputational damage to organizations.<\/p>\n Since early February 2023, some cybersecurity firms have investigated apparent new threats in LATAM, which were made known in various public sources, with names such as Porongona<\/a><\/em>, Botnet Fenix<\/a><\/em>, and Manipulated Caiman<\/a><\/em>. For this reason, SCILabs has followed up on these threats and analyzed their TTPs, which resulted in these campaigns being related to the URSA\/Mispadu<\/em> banking trojan and the operation of the Malteiro<\/em> threat group.<\/p>\n <\/p>\n Figure <\/strong>1<\/strong> \u2013 Posts from public sources related to emerging threats<\/strong><\/p>\n Some of the characteristics why SCILabs considers that other security firms classified these threats as new malware families or campaigns is that they make use of different types of droppers such as BAT, LNK, URL, and JSE files, along with the “file:\\\\” protocol during the infection chain, which was not expected to see in known threats such as URSA\/Mispadu<\/em>. Generally, this malware used droppers developed in Visual Basic Script and artifacts such as deploying a Botnet, an SMTP Bot, and an AutoIt script that functions as a stealer.<\/p>\n Porongona<\/em><\/strong><\/p>\n Porongona<\/em> is malware identified in public sources<\/a> as an emerging threat in February 2023. However, SCILabs identified overlaps in its TTPs with the URSA\/Mispadu<\/em> trojan.<\/p>\n The following figure shows the comparison of two BAT-type droppers: on the left side, the code identified in public investigations of Porongona<\/em> at the beginning of 2023 is observed; on the right side, one of the URSA\/Mispadu<\/em> dropper identified by SCILabs in mid-2022.<\/p>\n Figure <\/strong>2<\/strong> – URSA\/Mispadu <\/em>Droppers<\/strong><\/p>\n As the images show, both source codes are similar, with slight differences, like the name of variables and the name of the payloads installed on the infected computer. However, the objective is the same: install and run a dropper developed with AutoIt that seeks to steal credentials from the Outlook email client and information from the Google Chrome browser, such as browsing history and the credentials stored in it, to install the URSA\/Mispadu<\/em> Trojan later, as was documented in research on the evolution of this threat published on the SCILabs blog<\/a>.<\/p>\n The following image compares the source code of the AutoIt scripts related to the Porongona<\/em> threat and the URSA\/Mispadu<\/em> trojan, which SCILabs analyzed. The following points can be observed:<\/p>\n Figure <\/strong>3<\/strong> – Above, Porongona’s<\/em> AutoIt code; below, URSA\/Mispadu <\/em>AutoIt code<\/strong><\/p>\n SCILabs has identified variations in the URSA\/Mispadu<\/em> infection chain using BAT-type droppers and AutoIt script variants<\/a>. Sometimes, in addition to acting as a stealer, the AutoIt script (before the infection with URSA\/Mispadu<\/em>) installs a backdoor with a .xls extension, which is executed as an Assembly<\/a>, that is, using the Fileless technique<\/a> using PowerShell: This same technique was also documented in Porongona’s<\/em> external research to search and access SMTP servers with known users and weak passwords, both developed in C# .NET. This functionality was also documented in the Manipulated Caiman <\/em>public investigation, which SCILabs describes below.<\/p>\n Botnet Fenix<\/em><\/strong><\/p>\n Botnet Fenix<\/em> is a threat identified in public investigations<\/a> as an emerging Botnet, active since the end of 2022. The publications of this threat began to make the media in May 2023, so SCILabs carried out an investigation on the overlap with the URSA\/Mispadu<\/em> operation and the Red WinterDog<\/em><\/a> threat group.<\/p>\n Figure 4 illustrates the appearance of a Botnet Fenix<\/em> dropper published in open sources. This type of dropper is also used by Red WinterDog<\/em> to distribute the BlackDog<\/em><\/a> trojan and was identified by SCILabs in early 2023.<\/p>\n Perception Point also reported this type of artifact in the public investigation<\/a> of the Manipulated Caiman <\/em>threat. SCILabs identified multiple overlaps with the URSA\/Mispadu<\/em> trojan, which are mentioned below.<\/p>\n Figure <\/strong>4<\/strong> – <\/strong>Botnet Fenix<\/em><\/strong> dropper (The image was shown at the Fenix botnet public investigation)<\/strong><\/a><\/p>\n During constant monitoring, SCILabs identified the URSA\/Mispadu<\/em><\/a> trojan and the use of JSE-type files as droppers. This point is critical because some cybersecurity companies published JSE and LNK-type droppers in their investigations, which aim to download and execute a PowerShell script from a URL almost identical to the Endpoint Web<\/a> structure \u201cexecution.php?tag=[russian|tribu]<\/strong>\u201d.<\/p>\n In the case of the most observed URSA\/Mispadu<\/em> campaigns, SCILabs identified that downloading the PowerShell script mentioned above is done via one of its droppers with an AutoIt script.<\/p>\n Figure <\/strong>5<\/strong> – Porongona <\/em>dropper<\/strong><\/p>\n The mentioned script has the objective of installing a Botnet<\/a> and a Backdoor. SCILabs observed, since September 2022, URSA\/Mispadu<\/em> campaigns downloading an additional artifact (.xls extension) with Backdoor capabilities, which is executed as an Assembly using PowerShell, in addition to an artifact used to gain access to SMTP servers with weak credentials; this same artifact is mentioned in the Perception Point research.<\/p>\n Additionally, the investigation by “Bolsa de Santiago” mentions that they observed different versions of the Porongona<\/em> malware, using, for example, VBS files as a dropper, as URSA\/Mispadu<\/em> commonly does.<\/p>\n Figure <\/strong>6<\/strong> \u2013 PowerShell script<\/strong><\/p>\n It is important to highlight that there are overlaps between the infrastructure reported in the Botnet Fenix<\/em> investigation and the URSA\/Mispadu<\/em> campaigns tracked by SCILabs, such as the use of \u201c.top\u201d domains and words like \u201crussian.\u201d, \u201cbra[other text]\u201d, as well as the Web EndPoint structure \u201c\/bra[other text]\/post.php<\/strong>\u201d (the prefix \u201cbra\u201d could be associated with the country of origin of the URSA\/Mispadu<\/em> malware, Brazil).<\/p>\n As an example, in the Fenix Botnet research<\/a>, the URL HXXPS[:]\/\/RUSSIANCL[.]TOP\/BRAMX\/POST[.]PHP<\/strong> is mentioned. Additionally, in November 2022, SCILabs identified the URL HXXPS[:]\/\/RUSSIANMEN75[.]TOP\/BRAZOOKA\/POST[.]PHP<\/strong> as part of the infrastructure used in the URSA\/Mispadu<\/em> campaign.<\/p>\n Manipulated Caiman<\/em><\/strong><\/p>\n Manipulated Caiman<\/em> is the name Perception Point assigned to the threat actor it identified in early August. Its primary goal is to distribute the URSA\/Mispadu<\/em> banking trojan and install additional malware, such as an SMTP Bot and SPAM client.<\/p>\n As mentioned, SCILabs has constantly monitored the URSA\/Mispadu<\/em> banking trojan campaigns, so its constant and gradual evolution has been observed. In September 2022, the infection chain mentioned by Perception Point was identified by SCILabs, including the use of an additional dropper with stealing capabilities and installing malware, for example, the SMTP Bot.<\/p>\n Although there are slight differences between the infection chain mentioned by Perception Point and those commonly analyzed by SCILabs, such as the use of a URL-type dropper and payloads named as supposed JPG-type images, it is common for these types of changes to occur in most of the banking Trojans that affect the region and that even replicate themselves in other threats, as we have observed with Grandoreiro<\/em> and Red WinterDog<\/em>. Everything indicates that this is another campaign, related to the operation of the Malteiro<\/em><\/a> threat group, profiled by SCILabs in 2021.<\/p>\n Below, we present some of the most significant overlaps between Manipulated Caiman<\/em> and URSA\/Mispadu<\/em> identified by SCILabs that allowed us to formulate the hypothesis that it is a Malteiro<\/em> campaign.<\/p>\n In its investigation, Perception Point mentioned that it observed the payloads of an AutoIt executable, and a script (also an AutoIt dropper) encoded in two base64 certificates. Malteiro<\/em> implemented this technique to distribute the URSA\/Mispadu<\/em> trojan since at least September 2022.<\/p>\n Figure <\/strong>7<\/strong> – On the left, the payload identified by Perception Point; on the right, the payload reported by SCILabs in 2022<\/strong><\/p>\n In the Manipulated Caiman<\/em> investigation, a dropper and URLs with identical Endpoints are observed as have been seen by SCILabs in Malteiro<\/em> campaigns since 2022; said dropper has stealer capabilities and the objective of installing additional artifacts.<\/p>\n Figure <\/strong>8<\/strong> – On the left, a code fragment analyzed by Perception Point; on the right, code analyzed by SCILabs<\/strong><\/p>\n One of the droppers, analyzed in the investigation by Perception Point, contains multiple validations identical to those reported by SCILabs since it began monitoring the URSA\/Mispadu<\/em> trojan in 2021. The profiling of the Malteiro<\/em> threat group, the verification of virtualized environments, the languages of the operating system, the verification of the computer name \u201cJOHN-PC<\/strong>,\u201d and even the order of these verifications are identical to those always observed in the URSA\/Mispadu<\/em> campaigns.<\/p>\n Although in this campaign, an artifact developed with Visual Basic was used as a dropper, and in other campaigns, the same dropper developed with Visual Basic Script was observed, this is typical in Malteiro<\/em> campaigns.<\/p>\n <\/p>\n Figure <\/strong>9<\/strong> – Fragment of Perception Point research<\/strong><\/p>\n The Manipulated Caiman<\/em> investigation mentions the device used to gain access to SMTP servers through weak usernames and passwords. SCILabs observed 2021 the same artifact in using the same users and passwords, even in the same order.<\/p>\n Figure <\/strong>10<\/strong> – On the left side, the artifact reported by Perception Point; on the right side, the artifact analyzed by SCILabs.<\/strong><\/p>\n <\/p>\n Although the points mentioned above are the most notable, they are not the only ones; SCILabs, for its part, identified overlaps even in the infrastructure documented in the Manipulated Caiman<\/em> investigation, such as using the russk22[.]icu<\/strong> domain.<\/p>\n It is worth mentioning that Perception Point said, in its investigation, that it observed that the threat actor named by them as Manipulated Caiman<\/em> installed malicious extensions in the Chrome or Edge browsers, just as the Red WinterDog<\/em> threat actor does. However, in the published research, SCILabs did not observe conclusive evidence about this statement, so it is hypothesized that the identification in public investigations of URL, JSE, and LNK type droppers and the \u201cfile:\\\\<\/strong>\u201d protocol commonly observed in Red WinterDog<\/em> campaigns distributing malicious extensions, as well as the use of droppers developed with .NET, may have caused forks in campaign attribution. This hypothesis has a medium level of confidence because it is necessary to continue observing the evolution of this threat in the coming months.<\/p>\n Overlapping with other threats<\/strong><\/p>\n Through permanent threat monitoring in the LATAM region, SCILabs has constantly observed some overlaps in campaigns of various malware families such as URSA<\/em>\/Mispadu<\/em>, Grandoreiro<\/em>, Mekotio<\/em>, and BlackDog<\/em><\/a>, like the use of URL, LNK type droppers, executables pretending to be CAPTCHA validators, and also in infrastructure with the use of the domains russk21[.]icu<\/strong>, miningrus1[.]click<\/strong>, miningrus1[.]site<\/strong> and moscow77[.]online<\/strong> or similar. These domains have been observed in telemetry in different malware campaigns, such as Catasia<\/em><\/a>, Neurevt<\/em><\/a>, BlackParty<\/em><\/a>, and Amadey<\/em><\/a>, suggesting the rental, purchase, and infrastructure sharing between threat actors and malware operators.<\/p>\n SCILabs considers that the above may be part of the constant effort of adversaries to evolve their techniques to increase the effectiveness rate of their attacks and optimize resources. This could even imply collaboration between various threat actors. However, SCILabs must continue researching the modus operandi of the different malware families to conclude with high confidence.<\/p>\n Context conclusion<\/strong><\/p>\n The introduction of Botnet Fenix<\/em>, Manipulated Caiman<\/em>, and Porongona<\/em> since February 2023 in the LATAM threat landscape and their analysis reveals that the apparent differences are masking a deeper connection with the Malteiro<\/em> operation and the URSA\/Mispadu<\/em> trojan. This contextualization reinforces the notion that the observed variations could be evolutionary strategies of the same adversary. In the next section, we present the analysis of the overlaps between URSA\/Mispadu<\/em> and the threats mentioned above.<\/p>\n Analysis of URSA\/Mispadu overlaps with other threats.<\/strong><\/p>\n The following TTP analysis is one of the pillars on which SCILabs relied to determine with a medium level of confidence that Manipulated Caiman<\/em>, Botnet Fenix<\/em>, and Porongona<\/em> are different manifestations of the Malteiro<\/em> operation and the URSA\/Mispadu<\/em> banking trojan. The overlaps observed between the multiple investigations of these threats were considered in the following table.<\/p>\n Table 1 – Overlaps between URSA\/Mispadu<\/em>, Manipulated Caiman<\/em>, Porongona<\/em> and Botnet Fenix<\/em><\/strong><\/p>\n Finally, SCILabs determined that there are between 9 and 16 overlaps in the threats described in this report, with Manipulated Caiman<\/em> being the one that shows the most coincidences with a total of 16, Porongona<\/em> with a total of 14, and Botnet Fenix<\/em> with a total of 9 coincidences. The fact that there are so many overlaps between these threats means that it is highly probable that they are just different manifestations of URSA\/Mispadu<\/em> since, although they have different behaviors in some parts of their attack flow, it is difficult for other banking trojans to share so many overlaps.<\/p>\n Below is a diagram of the general operation of the threats described in this document, pointing out the overlaps between the infection chains of the threats mentioned.<\/p>\n Figure 11 \u2013 Attack Flow<\/strong><\/p>\n <\/p>\n In the previous Figure, different boxes listed in other parts of the flow of the diagram can be observed. To do this, SCILabs has made hypotheses for each of them about the reason(s) why different investigations considered it a new threat.<\/p>\n 1. Start of the infection chain<\/strong><\/p>\n SCILabs observed that the start of the infection chain of Manipulated<\/em> Caiman<\/em> and Botnet Fenix<\/em> is similar, and as well, the attack flow used by Red WinterDog<\/em> in the BlackDog<\/em> variant documented in May of this year.<\/p>\n Medium level of confidence: Different threat groups and malware operators have likely started using some framework to distribute and operate malware acquired under the Malware-as-a-Service business model.<\/p>\n Low level of confidence: Red WinterDog<\/em> is related in some way to Malteiro<\/em>, acquiring malware developed by the latter to increase its reach and revenue.<\/p>\n 2. Manipulated Caiman<\/em><\/strong>:<\/strong><\/p>\nHow could banking trojans affect an organization?<\/h1>\n
Analysis<\/h1>\n
Context of the Porongona, Manipulated Caiman, and Botnet Fenix Threats<\/em><\/h1>\n
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/10\/FIGURA1-1.jpg\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/10\/FIGURA2-1.jpg\")
<\/p>\n\n
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/10\/FIGURA3-1.jpg\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/10\/FIGURA4.jpg\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/10\/figura5.jpg\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/10\/FIGURA6.jpg\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/10\/FIGURA7.jpg\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/10\/figura8.jpg\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/10\/figura9.jpg\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/10\/figura10.jpg\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/10\/tableen.jpg\")
<\/p>\nAttack flow summary<\/h1>\n
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2023\/10\/diagramen.jpg\")
<\/p>\n