![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/06\/RMD.png\")
<\/h1>\n<\/h1>\nRed Mongoose Daemon: a new banking trojan<\/em><\/strong><\/p>\n The purpose of this document is to describe TTPs and provide indicators of compromise related to a new banking trojan that SCILabs identified during May through a threat monitoring and hunting in LATAM and named Red Mongoose Daemon.<\/em><\/p>\n The main objective of Red Mongoose Daemon<\/em> is to steal victims’ banking information by spoofing PIX<\/a> transactions through overlapping windows. This trojan is aimed at Brazilian end users and employees of organizations with banking information.<\/p>\n SCILabs was unable to identify the distribution method of this threat, however, based on its experience and the name of the files used in the identified campaign, such as \u201cApelacao_Processo-NNYN.msi<\/strong>\u201d, \u201cProcesso-judicial.B9WU<\/strong>\u201d, and \u201cPedido_Faturado. -WJVUC<\/strong>\u201d, to mention a few, it is likely that the distribution method is through malicious emails using invoices and legal issues as pretexts, just like it is common in the activity of banking trojans in LATAM such as Grandoreiro<\/em> and URSA\/Mispadu<\/em>.<\/p>\n Red Mongoose Daemon <\/em>can steal banking information from all types of users, including organization employees. Additionally, it has command execution capabilities, as well as advanced anti-analysis and persistence methods that will be described later, which increase the possibility of successful attacks. If an attack is successful within an organization, cybercriminals can leak or sell the stolen information in clandestine Dark Web forums or on the black market, putting at risk the confidentiality, integrity, and availability of the information, leading to financial and reputation losses.<\/p>\n During May, through a threat monitoring in the region, SCILabs identified a malicious file compressed in ZIP format. Upon conducting the analysis, TTPs different from those of other trojans discovered and reported by SCILabs were identified, such as the use of the legitimate tool Daemon Tools<\/a>, and the creation and pseudo-random modification of directories for their persistence; that is how it was given the name of Red Mongoose Daemon<\/em>.<\/p>\n SCILabs was unable to identify the distribution method for this campaign. However, \u00a0being common in banking trojan campaigns in LATAM, phishing emails are likely to be used under the guise of supposed invoices, legal matters, and tax notes. These emails mostly contain embedded URLs that redirect the victim to sites for automatic downloading of ZIP-type files, which contain MSI files named after the pretext used, for example, \u201cApelacao_Processo-NNYN.msi<\/strong>.\u201d<\/p>\n Because the names of the artifacts found were written in Portuguese and it is the Brazilian payment system PIX which the trojan attempts to impersonate, with a high confidence level, SCILabs determined that this campaign is aimed at Brazilian users.<\/p>\n During the investigation, SCILabs identified some overlaps with the Javali\/Ousaban<\/em> banking trojan, which are have general characteristics such as the appearance of some C2 Endpoints (shown below in Figure 1) and capabilities such as the manipulation of windows of the operating system (this technique is used by the majority of LATAM banking trojans); however, the infection chain, which will be detailed later, and the DLL of the trojan, in comparison with Javali\/Ousaban<\/em> campaigns.<\/p>\n Based on the above, SCILabs has the hypothesis that the threat actors behind Red Mongoose Daemon <\/em>are also the operators of Javali\/Ousaban<\/em> and will continue monitoring them.<\/p>\n Figure 1. (1 – Top) Template used by Javali\/Ousaban<\/em> operators to query infected machines, (2 – Bottom) Template used by Red Mongoose Daemon<\/em> operators with the same objective<\/p>\n The identified MSI file is named \u201cApelacao_Processo-NNYN.msi<\/strong>\u201d and corresponds to the first Red Mongoose Daemon <\/em>dropper. The infection chain begins if the victim executes it.<\/p>\n Figure 2. First Dropper<\/p>\n <\/p>\n The MSI file contains the following artifacts:<\/p>\n <\/p>\n <\/p>\n <\/p>\n Once the victim executes the MSI file, the trojan is installed in the %APPDATA%\/[directory with the pseudo-random name]<\/strong>. According to the analysis, the name of the installation directory may correspond to some legitimate applications such as \u201cDev-Cpp<\/strong>,\u201d \u201cWireshark<\/strong>,\u201d \u201cSoftplicity<\/strong>,\u201d and \u201cNotepad++<\/strong>,\u201d and sometimes, simply random letters such as \u201cCDTPL<\/strong>.\u201d<\/p>\n In that same sense, the name of the DAEMON Tools executable is also assigned in a pseudo-random manner, placing names such as \u201crecent_common<\/strong>,\u201d \u201ccache<\/strong>,\u201d \u201crecent<\/strong>,\u201d \u201cTemp<\/strong>,\u201d or bck<execution date><\/strong>, to mention a few. In the following figures (4, 5, and 6), there are different directories as examples where the executables (red icon) and the DLLs of the trojan are installed, which are sometimes renamed with the \u201c.jwt\u201d. If there is a legitimate installation of the applications mentioned above, the trojan does not modify its directories or files; it places the loader and the malicious Red Mongoose Daemon<\/em> DLL.<\/p>\n In the following images, in addition to the trojan, there are other types of files with \u201c.ini,\u201d \u201c.xml,\u201d or \u201c.cfg\u201d extensions, which correspond to legitimate installations of the applications mentioned above and which have no relation to the chain of infection.<\/p>\n Figure 4. Example of execution in Dev-Cpp directory<\/p>\n Figure 5. Example of running in Wireshark directory<\/p>\n Figure 6. Example of execution in Notepad++ directory<\/p>\n Red Mongoose Daemon <\/em>generates persistence using scheduled tasks that run every 5 minutes and a shortcut in the Windows home directory. It is important to mention that, with each computer restart, the trojan is reinstalled in a different directory.<\/p>\n Figure 7. Persistence through scheduled tasks<\/p>\n As soon as the process starts, the malicious DLL and the legitimate executable change their name and extension to a name like <12 random numbers>.jwt<\/strong>.<\/p>\n Figure 8. trojan execution<\/p>\n Figure 9. Files renamed by the trojan<\/p>\n Subsequently, it sets the registry key HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP\\PROXYBYPASS with a value of 1 to try to evade security mechanisms and communicate freely with external servers, which is a common tactic to maintain persistence and control over the infected system.<\/p>\n Red Mongoose Daemon<\/em> performs a query with its C2 through the URL hxxps[:]\/\/rdcontra.com\/clientes\/index.php<\/strong>, where it saves the victim’s data such as IP, date of infection, device name, user, and country of origin. It is essential to mention that, if anybody tries to access it from the Internet (port 80 or 8080), a redirection is made to the URL hxxps[:]\/\/i.pinimg.com\/236x\/5b\/f8\/1a\/5bf81a501ab9d26db806e7fec4edfa75.jpg that corresponds to an image not used during the infection chain and can only be viewed from a web interface.<\/p>\n Figure 10. Redirection URL<\/p>\n The process chain created by this threat is:<\/p>\n An important point to note is that the trojan needs the \u201ck7\u201d parameter to run successfully.<\/p>\n If the user enters a site that allows the PIX payment method of the Central Bank of Brazil, the trojan performs the window overlay technique to steal the victims’ information.<\/p>\n Figure 11. Window used by the trojan that tries to impersonate a PIX transaction<\/p>\n Finally, SCILabs identified that Red Mongoose Daemon<\/em> has capabilities for manipulating and creating windows, executing commands, controlling the computer remotely, manipulating web browsers, hijacking clipboards, and impersonating Bitcoin wallets by replacing copied wallets with the ones used by cybercriminals, such as the following: 1Jp4A7NEwhk2uNPnZbewN9QfCdoXFRL9Xp<\/strong>. So far, no transactions have been identified using that wallet.<\/p>\n Figure 12. Attackers’ Bitcoin wallet balance<\/p>\n During the analysis, some common characteristics were identified in trojans that affect LATAM, such as Mekotio, Javali\/Ousaban<\/em>, and Grandoreiro<\/em>. Some of them are the ability to manipulate the browser and the generation of Windows operating system\u2019s windows.<\/p>\n While no windows associated with other banks were detected, the presence of these characteristics suggests that the trojan might also target other Brazilian banks.<\/p>\n In addition, during the dynamic analysis, it was identified that the trojan monitors the access to domains such as Outlook, Hotmail, and OneDrive, among others, so it is possible that it also aims to steal credentials.<\/p>\n Red Mongoose Daemon\u2019s <\/em><\/strong>notable characteristics<\/strong><\/p>\n Below, some distinctive characteristics of Red Mongoose Daemon<\/em> are mentioned and compared with Javali\/Ousaban trojan<\/em> campaigns previously observed in the region, aiming to provide clarity in the identification of this new threat for future investigations, given that SCILabs identified some overlaps like as the appearance of some C2 Endpoints with Javali\/Ousaban<\/em>, mentioned in the \u201cThreat Context\u201d section of this document.<\/p>\n <\/p>\n <\/p>\n <\/p>\n As can be seen in the following list, which shows some of the trojan’s capabilities through the analysis of the classes implemented in its source code, this trojan has the capabilities of most Latin American banking trojans, such as window spoofing and browser manipulation, except for the PIX transaction spoofing not previously observed by SCILabs.<\/p>\n The following table summarizes the general differences between Javal\u00ed\/Ousaban<\/em> and Red Mongoose Daemon<\/em>.<\/p>\n \u00a0<\/strong><\/p>\n<\/td>\nOverview<\/h1>\n
How could Red Mongoose Daemon impact organizations?<\/h1>\n
Analysis<\/h1>\n
Threat Context<\/h2>\n
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/06\/1.png\")
<\/p>\nTechnical summary<\/h2>\n
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/06\/2.png\")
<\/p>\n\n
\n
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/06\/3.png\")
Figure 3. Compressed content of the first dropper<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/06\/4.png\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/06\/5.png\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/06\/6.png\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/06\/7.png\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/06\/8.png\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/06\/9-1.png\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/06\/10.png\")
<\/p>\n\n
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/06\/11.png\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/06\/12.png\")
<\/p>\n\n
\n
\n
\n
\n
\n\n
\n \n Javal\u00ed\/Ousaban<\/em><\/td>\n Red Mongoose Daemon<\/em><\/td>\n<\/tr>\n \n DLL architecture<\/strong><\/td>\n X32<\/td>\n X64<\/td>\n<\/tr>\n \n Programming Language<\/strong><\/td>\n Borland\/Embarcadero Delphi <= 10<\/td>\n Delphi 11<\/td>\n<\/tr>\n \n Linker<\/strong><\/td>\n Turbo Linker 2.5<\/td>\n Turbo Linker 8 y MSLinker 8<\/td>\n<\/tr>\n \n Packer<\/strong><\/td>\n VMProtect, Themida y ENIGMA<\/td>\n –<\/td>\n<\/tr>\n \n Label assigned by most antivirus solutions on VirusTotal<\/strong><\/td>\n Ousaban<\/em><\/td>\n Generic trojan<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/06\/13.png\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/06\/mitre.png\")
<\/p>\n