{"id":735,"date":"2024-10-02T17:24:17","date_gmt":"2024-10-02T17:24:17","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=735"},"modified":"2024-10-02T17:24:17","modified_gmt":"2024-10-02T17:24:17","slug":"new-banking-trojan-silver-oryx-blade-activity-observed-in-may-2024","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2024\/10\/02\/new-banking-trojan-silver-oryx-blade-activity-observed-in-may-2024\/","title":{"rendered":"New Banking trojan Silver Oryx Blade Activity observed in August 2024"},"content":{"rendered":"<h2><strong>Overview<\/strong><\/h2>\n<p>This post aims to describe the TTPs and provide indicators of compromise related to a new banking trojan, which SCILabs named <em>Silver Oryx Blade<\/em>. Its main characteristics are the compromise of infrastructure, such as malware repositories and <a href=\"https:\/\/minecraft.fandom.com\/es\/wiki\/Servidor\">Minecraft<\/a> video game servers, and the combination of different programming languages during the infection. SCILabs identified this threat in August 2024 through monitoring and threat hunting in LATAM.<\/p>\n<p>The main objective of <em>Silver Oryx Blade<\/em> is to steal banking information from Brazilian users by monitoring the banking sites that they access through their web browsers.<\/p>\n<p>This trojan&#8217;s distribution method is phishing emails, which use tax matters and supposed salary bonuses as pretexts. Those emails impersonate the Brazilian Ministry of Finance and the finance departments of organizations in that country.<\/p>\n<p>SCILabs has identified the use of libraries such as <a href=\"https:\/\/github.com\/dotnet\/WatsonTcp\">WatsonTCP<\/a> in <em>Silver Oryx Blade<\/em>, as well as the application of AES encryption to some strings (features that have also been utilized by the <a href=\"https:\/\/securelist.lat\/coyote-multi-stage-banking-trojan\/98404\/\"><em>Coyote<\/em><\/a> trojan). 
Furthermore, a domain used in the <em>Silver Oryx Blade<\/em> campaign was identified during the investigation, which is possibly related to a <em>Coyote<\/em> campaign. However, the differences in the TTPs and artifacts used in the infection chain are significant. Therefore, SCILabs has the hypothesis, with a medium level of confidence, that this new banking trojan is being distributed by the same malware operators.<\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_736\" aria-describedby=\"caption-attachment-736\" style=\"width: 270px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-736\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/09\/Imagen1.png\" alt=\"\" width=\"270\" height=\"273\" \/><figcaption id=\"caption-attachment-736\" class=\"wp-caption-text\"><strong>Figure 1. Banking trojan Silver Oryx Blade<\/strong><\/figcaption><\/figure>\n<h2><strong>How could it affect an organization?<\/strong><\/h2>\n<p><em>Silver Oryx Blade<\/em> can steal banking information from all types of users, including employees of organizations. Additionally, it has command execution capabilities, and some artifacts used in the infection chain have a low detection rate in antivirus engines on the <a href=\"https:\/\/www.virustotal.com\/gui\/file\/d358b01958b4e6091a0b6d290d1724aaf5d1b19b1a98d173a2faafd6c707771d\/relations\">VirusTotal<\/a> platform, increasing the likelihood of successful attacks. 
If an attack succeeds within an organization, cybercriminals could leak or sell the stolen information on clandestine Dark Web forums or the black market, jeopardizing the confidentiality, integrity, and availability of the organization&#8217;s information and resulting in financial and reputational losses.<\/p>\n<h2><strong>Analysis<\/strong><\/h2>\n<h2><strong>Threat Context<\/strong><\/h2>\n<p>In August 2024, SCILabs identified a malicious MSI file compressed in ZIP format through proactive threat monitoring in the region. Upon analysis, TTPs different from those of trojans previously reported by SCILabs were detected, such as plaintext payloads, which are not detected by antivirus engines on the <a href=\"https:\/\/www.virustotal.com\/gui\/file\/57178e5581d7beb1936722e8b5642120ecc1a129b00ae123ac5b89c13a8f604b\">VirusTotal<\/a> platform, along with other techniques described later.<\/p>\n<p>Through retro-hunting, SCILabs identified that this trojan is distributed through phishing emails targeting Brazilian users, which use pretexts such as alleged salary bonuses, <a href=\"https:\/\/www.adyen.com\/es_MX\/metodos-de-pago\/pix\">PIX transfers<\/a>, and fiscal notices, impersonating HR finance departments and the Ministry of Finance of Brazil.<\/p>\n<figure id=\"attachment_739\" aria-describedby=\"caption-attachment-739\" style=\"width: 440px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-739\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/09\/Imagen2-1.png\" alt=\"\" width=\"440\" height=\"186\" \/><figcaption id=\"caption-attachment-739\" class=\"wp-caption-text\"><strong>Figure 2. 
Example of a phishing email using a salary bonus pretext<\/strong><\/figcaption><\/figure>\n<figure id=\"attachment_740\" aria-describedby=\"caption-attachment-740\" style=\"width: 572px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-740\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/09\/imagen3-1.png\" alt=\"\" width=\"572\" height=\"490\" \/><figcaption id=\"caption-attachment-740\" class=\"wp-caption-text\"><strong>Figure 3. Example of a phishing email using a fiscal notice pretext<\/strong><\/figcaption><\/figure>\n<figure id=\"attachment_741\" aria-describedby=\"caption-attachment-741\" style=\"width: 753px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-741 size-full\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/09\/imagen4.png\" alt=\"\" width=\"753\" height=\"625\" \/><figcaption id=\"caption-attachment-741\" class=\"wp-caption-text\"><strong>Figure 4. Example of a phishing email using a supposed PIX transfer<\/strong><\/figcaption><\/figure>\n<p>The threat actors behind this campaign use email <a href=\"https:\/\/www.cloudflare.com\/es-es\/learning\/email-security\/what-is-email-spoofing\">spoofing<\/a> to send malicious emails that impersonate legitimate senders. During the analysis of one such email, the domain <strong>milkdavaca[.]com<\/strong> was identified; a <a href=\"https:\/\/www.virustotal.com\/gui\/domain\/milkdavaca.com\/community\">user<\/a> on the VirusTotal platform had tagged it as part of the <em>Coyote<\/em> trojan\u2019s infrastructure because it uses the same SSL certificate and registrant. So far, the domain is still protected by the <a href=\"https:\/\/withheldforprivacy.com\">Withheld for Privacy<\/a> service. 
This finding suggests that the operators of <em>Coyote<\/em> and <em>Silver Oryx Blade<\/em> might be the same.<\/p>\n<p>Most emails contain embedded URLs that redirect victims to sites that automatically download ZIP files. These ZIP files contain MSI droppers with names that simulate legitimate documents, such as PDFs (e.g. pdf.mes168.msi), office files (e.g. Ofic.01194.msi), or company names with a presence in Brazil, like VISU (e.g. visu.96178215.msi). The variety of these artifact names indicates that, in addition to the pretexts and impersonated institutions, the operators adapt the lures to the sociocultural context of the target country, in this case, Brazil \u2014 a common tactic in Latin American banking trojans.<\/p>\n<p>During the investigation, SCILabs discovered that the operators of this malware use link shorteners like bit[.]ly and file storage platforms like ufile[.]io, as well as compromised sites like a <a href=\"https:\/\/www.virustotal.com\/gui\/file\/610588106ae1a4529d1caf69d8b4ff61d0ab6a6f4e44caf51ad0ff46db3d4e55\/relations\">Minecraft game server<\/a>, which was used around May 2024 to distribute the malware.<\/p>\n<figure id=\"attachment_742\" aria-describedby=\"caption-attachment-742\" style=\"width: 888px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-742\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/09\/imagen5.png\" alt=\"\" width=\"888\" height=\"310\" \/><figcaption id=\"caption-attachment-742\" class=\"wp-caption-text\"><strong>Figure 5. 
Use of ufile[.]io to distribute Silver Oryx Blade<\/strong><\/figcaption><\/figure>\n<figure id=\"attachment_743\" aria-describedby=\"caption-attachment-743\" style=\"width: 869px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-743\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/09\/imagen6.png\" alt=\"\" width=\"869\" height=\"298\" \/><figcaption id=\"caption-attachment-743\" class=\"wp-caption-text\"><strong>Figure 6. Minecraft server appearance used to distribute Silver Oryx Blade around May 2024<\/strong><\/figcaption><\/figure>\n<p style=\"text-align: center;\"><span style=\"color: #3366ff;\">\u00a0<\/span><\/p>\n<p>It is essential to highlight that SCILabs identified some overlaps with the <em>Coyote<\/em> banking trojan. These include general features like using specific libraries like WatsonTCP and <a href=\"https:\/\/keepcoding.io\/blog\/que-es-el-algoritmo-aes\/\">AES-encrypted<\/a> strings; however, the infection chain (detailed below) and the trojan show substantial differences compared to the <em>Coyote<\/em> campaigns previously reported by SCILabs, and investigations published in <a href=\"https:\/\/thehackernews.com\/2024\/02\/new-coyote-trojan-targets-61-brazilian.html\">open sources.<\/a><\/p>\n<h2><strong>Technical Summary<\/strong><\/h2>\n<p>The file downloaded from the phishing email&#8217;s embedded URLs is an MSI file with various names, such as &#8220;<strong>pdf.mes168.msi<\/strong>,&#8221; &#8220;<strong>visu.96178215.msi<\/strong>&#8220;, or &#8220;<strong>Ofic.01194.msi<\/strong>,&#8221; among others. 
These files correspond to the first dropper of <em>Silver Oryx Blade<\/em>.<\/p>\n<figure id=\"attachment_744\" aria-describedby=\"caption-attachment-744\" style=\"width: 537px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-744\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/09\/imagen7.png\" alt=\"\" width=\"537\" height=\"176\" \/><figcaption id=\"caption-attachment-744\" class=\"wp-caption-text\"><strong>Figure 7. First MSI dropper<\/strong><\/figcaption><\/figure>\n<p>The MSI file contains the following artifacts:<\/p>\n<figure id=\"attachment_745\" aria-describedby=\"caption-attachment-745\" style=\"width: 559px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-745\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/09\/Imagen8.png\" alt=\"\" width=\"559\" height=\"111\" \/><figcaption id=\"caption-attachment-745\" class=\"wp-caption-text\"><strong>Figure 8. Contents of the first dropper<\/strong><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Switchable_attitudeoriented_process_improvement.dll<\/strong>: This is a <a href=\"https:\/\/www.trendmicro.com\/vinfo\/mx\/security\/definition\/portable-executable-pe\">64-bit PE<\/a> file developed with C# .NET, which acts as a second dropper and aims to deploy the next and final stage of infection. 
This file performs the following actions:\n<ul>\n<li>It creates a directory in %PUBLIC% whose name is a pseudo-random alphabetic string of &#8220;n&#8221; characters in <a href=\"https:\/\/keepcoding.io\/blog\/camelcase-que-es-como-funciona-y-beneficios\/\">CamelCase<\/a> format derived from a <a href=\"https:\/\/learn.microsoft.com\/es-es\/dotnet\/api\/system.guid?view=net-8.0\">GUID<\/a>, such as &#8220;<strong>Bebfeeebfaea<\/strong>&#8221; or &#8220;<strong>Cewhcqvcwqqzjrvlzca<\/strong>.&#8221;<\/li>\n<li>It reads the file &#8220;<strong>a98090f0634<\/strong>,&#8221; which is also included within the MSI, and processes its contents. It then decodes all base64-encoded files found inside and writes them to the previously created directory. These files represent the final stage of the infection chain.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<figure id=\"attachment_746\" aria-describedby=\"caption-attachment-746\" style=\"width: 572px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-746\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/09\/imagen9.png\" alt=\"\" width=\"572\" height=\"427\" \/><figcaption id=\"caption-attachment-746\" class=\"wp-caption-text\"><strong>Figure 9. Second dropper of Silver Oryx Blade<\/strong><\/figcaption><\/figure>\n<ul>\n<li><strong>a98090f0634<\/strong>: This is the <a href=\"https:\/\/developer.mozilla.org\/es\/docs\/Glossary\/Base64\">base64-encoded<\/a> payload processed by the dropper above. It contains the files that correspond to the final stage of infection, described below.<\/li>\n<\/ul>\n<p>Once the victim executes the MSI file, the actions to install the final stage of the infection chain in the %PUBLIC%\/[pseudo-random alphabetic string of &#8220;n&#8221; characters] directory begin. 
The following files are installed:<\/p>\n<ul>\n<li><strong>EACefSubProcess\u00aa.exe<\/strong>: A legitimate executable from the videogame company Electronic Arts used to load the trojan into memory via <a href=\"https:\/\/www.emsisoft.com\/en\/blog\/43943\/what-is-dll-side-loading\/\">DLL Side-Loading<\/a>.<\/li>\n<li><strong>libcef.dll<\/strong>: A loader developed in C++ used to load the <em>Silver Oryx Blade<\/em> trojan into memory.<\/li>\n<li><strong>chrome_elf.dll<\/strong>: A legitimate Chromium library likely used by the trojan due to its use of the <a href=\"https:\/\/github.com\/chromiumembedded\">Chromium Embedded Framework (CEF)<\/a>, possibly allowing traffic redirection from the browser to the attacker&#8217;s C2 and capturing login information from websites visited by the victim.<\/li>\n<li><strong>MqSFsKgLSw1GKqGcD5bP.txt<\/strong>: The <a href=\"https:\/\/www.pandasecurity.com\/es\/mediacenter\/cifrado-aes-guia\/\">AES-encrypted<\/a> <em>Silver Oryx Blade<\/em> payload, loaded into memory by the <strong>libcef.dll<\/strong> loader.<\/li>\n<li><strong>msvcp140.dll and msvcp140d.dll<\/strong>: Legitimate <a href=\"https:\/\/learn.microsoft.com\/en-us\/cpp\/c-runtime-library\/c-run-time-library-reference?view=msvc-170\">Microsoft C Runtime Library<\/a> files used for string handling, mathematical operations, and file input\/output in C++ applications, as in the case of this trojan.<\/li>\n<li><strong>vcruntime140.dll and vcruntime140_1.dll<\/strong>: Also legitimate Microsoft libraries, responsible for executing C++ code and handling exceptions and resources, such as global variable initialization and runtime exception management.<\/li>\n<\/ul>\n<p>An important point to highlight is the inclusion of the legitimate libraries msvcp140d.dll and vcruntime140_1.dll, which correspond to the debug versions of the Microsoft C Runtime Library. 
This could indicate that the malware operators are still testing the trojan.<\/p>\n<p>Once <em>Silver Oryx Blade<\/em> is installed, the second dropper executes <strong>EACefSubProcess\u00aa.exe<\/strong>, which uses the DLL Side-Loading technique to execute the libcef.dll loader, which then injects the AES-encrypted payload stored in the <strong>MqSFsKgLSw1GKqGcD5bP.txt<\/strong> file into memory.<\/p>\n<figure id=\"attachment_748\" aria-describedby=\"caption-attachment-748\" style=\"width: 1786px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-748 size-full\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/09\/imagen10-1.png\" alt=\"\" width=\"1786\" height=\"69\" \/><figcaption id=\"caption-attachment-748\" class=\"wp-caption-text\"><strong>Figure 10. Reading of the payload performed by the loader<\/strong><\/figcaption><\/figure>\n<p>After its execution, the trojan achieves persistence by creating a shortcut in the startup directory: %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\EACefSubProcess\u00aa.lnk.<\/p>\n<p>Finally, <em>Silver Oryx Blade<\/em> attempts to communicate with one of its configured command-and-control (C2) servers by connecting via a socket using the WatsonTCP library. Subsequently, the trojan begins monitoring banking windows of interest in Brazil to steal information.<\/p>\n<figure id=\"attachment_749\" aria-describedby=\"caption-attachment-749\" style=\"width: 485px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-749\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/09\/imagen11.png\" alt=\"\" width=\"485\" height=\"328\" \/><figcaption id=\"caption-attachment-749\" class=\"wp-caption-text\"><strong>Figure 11. 
Strings identified in memory related to the monitoring of Brazilian banking institutions during dynamic analysis<\/strong><\/figcaption><\/figure>\n<p>Among the banking institutions of interest to <em>Silver Oryx Blade<\/em> identified during the analysis are approximately 50 entities, including institutions like Mercado Pago and Binance.<\/p>\n<figure id=\"attachment_758\" aria-describedby=\"caption-attachment-758\" style=\"width: 1189px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-758 size-full\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/09\/table1.png\" alt=\"\" width=\"1189\" height=\"700\" \/><figcaption id=\"caption-attachment-758\" class=\"wp-caption-text\"><strong>Table 1. Banking websites of interest for Silver Oryx Blade<\/strong><\/figcaption><\/figure>\n<p>It is essential to mention that during the analysis, the <a href=\"https:\/\/www.newtonsoft.com\/json\">Newtonsoft<\/a> Json.NET framework was identified as handling the data transmitted to the C2. This is possible because the trojan operators used <a href=\"https:\/\/github.com\/Fody\/Costura\">Fody Costura<\/a> to embed .NET resources.<\/p>\n<p>The infection chain of <em>Silver Oryx Blade<\/em>:<\/p>\n<ul>\n<li>Execution of the MSI file<\/li>\n<li>msiexec.exe<\/li>\n<li>EACefSubProcess\u00aa.exe<\/li>\n<\/ul>\n<p><strong>Key Differences Between <em>Silver Oryx Blade<\/em> and <em>Coyote<\/em><\/strong><\/p>\n<p>Below are the main distinguishing features of <em>Silver Oryx Blade<\/em>, compared to previously observed <em>Coyote<\/em> trojan campaigns in the region. This analysis aims to provide greater clarity in identifying this new threat for future research. 
Since SCILabs has observed some overlaps between the two trojans, it is important to highlight these similarities, as they allow us to hypothesize, with a medium level of confidence, that the operators of <em>Silver Oryx Blade<\/em> could be the same as those of <em>Coyote<\/em>.<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>While <em>Silver Oryx Blade<\/em> uses WatsonTCP for communication with the C2 and AES encryption for its strings, <em>Coyote<\/em> embeds these strings directly in its artifacts. Additionally, the new trojan stores its payloads in text files, sometimes using base64 encoding.<\/li>\n<li>Both <em>Coyote<\/em> and <em>Silver Oryx Blade<\/em> use artifacts developed in .NET and C++. However, <em>Coyote<\/em> also uses <a href=\"https:\/\/es.quora.com\/Qu%C3%A9-ventajas-existen-al-utilizar-el-lenguaje-de-programaci%C3%B3n-nim\">Nim<\/a> and a wider array of tools, such as <a href=\"https:\/\/github.com\/Squirrel\/Squirrel.Windows\">Squirrel<\/a> and <a href=\"https:\/\/learn.microsoft.com\/es-es\/nuget\/\">NuGet<\/a>, with artifacts exceeding 100 MB in some campaigns.<\/li>\n<li>Some DLL names used by both trojans coincide in specific campaigns, such as libcef.dll and chrome_elf.dll. However, <em>Coyote<\/em> uses a legitimate libcef.dll to load a <a href=\"https:\/\/blogs-blackberry-com.translate.goog\/en\/2024\/07\/coyote-banking-trojan-targets-latam-with-a-focus-on-brazilian-financial-institutions\">malicious<\/a> DLL via DLL Side-Loading. In contrast, <em>Silver Oryx Blade<\/em> uses a malicious libcef.dll as a loader and a legitimate chrome_elf.dll.<\/li>\n<li>Antivirus solutions on VirusTotal detect <em>Silver Oryx Blade<\/em> and its entire infection chain, mostly as generic trojans. 
This contrasts with <em>Coyote<\/em> campaigns, which are specifically labeled by name by most antivirus engines.<\/li>\n<li>As mentioned in the &#8220;Threat Context&#8221; section, a <a href=\"https:\/\/www.virustotal.com\/gui\/domain\/milkdavaca.com\/community\">VirusTotal<\/a> user identified that a domain used in one of <em>Silver Oryx Blade&#8217;s<\/em> campaigns is related to <em>Coyote&#8217;s<\/em> infrastructure because it uses the same SSL certificate and registrant.<\/li>\n<li>Furthermore, <em>Coyote<\/em> campaigns were observed running in parallel with the new trojan&#8217;s campaigns, which have been active since at least April 2024, and they continue to be detected recently.<\/li>\n<\/ul>\n<p>In conclusion, although both trojans present significant differences in their artifacts and TTPs, key similarities exist, such as encryption, shared libraries, and the possible coincidence of the registrant and SSL certificate in the C2 infrastructure. These similarities allow us to hypothesize that the same threat actors operate both trojans.<\/p>\n<p>A summary of the general differences between <em>Silver Oryx Blade<\/em> and <em>Coyote<\/em> can be seen in the table below.<\/p>\n<figure id=\"attachment_759\" aria-describedby=\"caption-attachment-759\" style=\"width: 1165px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-759 size-full\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/09\/table2.png\" alt=\"\" width=\"1165\" height=\"568\" \/><figcaption id=\"caption-attachment-759\" class=\"wp-caption-text\"><strong>Table 2. 
General differences between Silver Oryx Blade and Coyote<\/strong><\/figcaption><\/figure>\n<h1>Attack Flow Summary<\/h1>\n<ul>\n<li>The victim receives a phishing email impersonating HR finance departments and the Brazilian Ministry of Finance, using salary bonuses, PIX transfers, and fiscal notices as lures.<\/li>\n<li>The email contains a URL that redirects the victim to a site that automatically downloads a ZIP file containing the trojan&#8217;s first MSI dropper.<\/li>\n<li>When the victim executes the MSI file, the infection chain begins.<\/li>\n<li>The MSI, which includes an embedded .NET DLL and a base64-encoded payload, extracts the necessary artifacts to install the trojan.<\/li>\n<li>The trojan creates a directory in %PUBLIC% with a pseudo-random CamelCase name based on a GUID (e.g., &#8220;Bebfeeebfaea&#8221; or &#8220;Cewhcqvcwqqzjrvlzca&#8221;). In this directory, a vulnerable executable is deployed for DLL Side-Loading, which loads the trojan into memory, along with a C++ loader, the AES-encrypted payload, and legitimate Microsoft DLLs used during execution.<\/li>\n<li>To maintain persistence, the trojan creates a shortcut in %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup.<\/li>\n<li>If one is reachable, the trojan communicates with one of its configured command and control (C2) servers.<\/li>\n<li>Once the victim accesses banking sites of interest to the malware, the trojan begins stealing information, such as usernames and passwords, which are sent to the attacker&#8217;s C2 server.<\/li>\n<\/ul>\n<h1>Attack Flow Diagram<\/h1>\n<figure id=\"attachment_777\" aria-describedby=\"caption-attachment-777\" style=\"width: 1252px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-777 size-full\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/09\/DF.png\" alt=\"\" width=\"1252\" 
height=\"1022\" \/><figcaption id=\"caption-attachment-777\" class=\"wp-caption-text\"><strong>Figure 13. Diagram of the attack flow observed in the current Silver Oryx Blade campaign<\/strong><\/figcaption><\/figure>\n<h1><strong>Observed TTPs aligned to the MITRE ATT&amp;CK framework<\/strong><\/h1>\n<figure id=\"attachment_754\" aria-describedby=\"caption-attachment-754\" style=\"width: 1132px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-754 size-full\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/09\/imagen13-1.png\" alt=\"\" width=\"1132\" height=\"666\" \/><figcaption id=\"caption-attachment-754\" class=\"wp-caption-text\"><strong>Table 3. Observed TTPs aligned with the MITRE ATT&amp;CK framework<\/strong><\/figcaption><\/figure>\n<h1>Conclusion<\/h1>\n<p>SCILabs considers <em>Silver Oryx Blade<\/em> to be a significant threat in the region due to its technique of distributing its payloads in text files, which can evade detection systems. Furthermore, it could expand its activity to other Latin American countries in the future, such as Mexico. On the other hand, other trojans like <em>Grandoreiro<\/em>, <em>Mekotio<\/em>, and <em>Red Mongoose Daemon<\/em> may adopt some of the TTPs mentioned in this report. SCILabs considers that the operators of this trojan and <em>Coyote<\/em> will continue to modify their artifacts and attack flow to ensure a higher success rate in their attacks.<\/p>\n<p>Institutions and companies must remain aware of TTP updates and indicators of compromise to minimize the risk of infection and the impact that banking information theft could have on organizations. 
The following specific recommendations are suggested to prevent being affected by <em>Silver Oryx Blade<\/em>:<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Specific Recommendations Against <em>Silver Oryx Blade<\/em><\/strong><\/p>\n<ul>\n<li>Add the IoCs shared in this document to your security solutions.<\/li>\n<li>Regarding emails:\n<ul>\n<li>Avoid opening emails from unknown senders<\/li>\n<li>Avoid clicking on suspicious links<\/li>\n<li>Avoid opening or downloading suspicious files<\/li>\n<\/ul>\n<\/li>\n<li>Conduct threat-hunting activities on endpoints, looking for suspicious processes and unauthorized startup folder shortcuts.<\/li>\n<li>Check for suspicious directories in %PUBLIC% with a pseudo-random CamelCase name and perform in-depth investigations to rule out or confirm a <em>Silver Oryx Blade<\/em> infection.<\/li>\n<li>Check for suspicious shortcuts in %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ and perform an in-depth investigation to confirm or rule out an infection.<\/li>\n<li>Perform threat-hunting activities on your endpoints, looking for text files larger than 1 MB containing AES-encrypted or base64-encoded strings within the paths used by <em>Silver Oryx Blade<\/em> in %PUBLIC%. 
Then, conduct further investigation to rule out or confirm a banking trojan infection.<\/li>\n<\/ul>\n<h1>Indicators of compromise<\/h1>\n<p>Below are the indicators of compromise obtained from the analysis performed by SCILabs, with a <strong>HIGH<\/strong> level of confidence.<\/p>\n<h3><strong>Hashes SHA256<\/strong><\/h3>\n<p>FF756F33ED59E6623D6C6D6F08147F9537D57E3B9794975A462DC18A75165EB2<\/p>\n<p>DBAEB3BBF3F194B4ED43BBA67177F4DFA79D5957504CCC638CCD3B9244261BF9<\/p>\n<p>57178E5581D7BEB1936722E8B5642120ECC1A129B00AE123AC5B89C13A8F604B<\/p>\n<p>36577DFC9D3266124993D9C4D104B533657D84D29E8FC8D7D4F9D9896747CC0E<\/p>\n<p>4E9D19A0AC036B4542119A642BD18EF5D6ED6272043D598A630B8501B235B2F2<\/p>\n<p>77C552981A57576C12EB0E0BF186424925C70F13AFB5D93D20D28D4DF5FE1A89<\/p>\n<p>83C73A2E1D118C2B7B8C634D705E99E583F54D13F22123A03B235C4A8A9C2DD2<\/p>\n<p>5CB49673F81DD79F3FC2688B2A7B5F8EDB6D02F21F1461A3ADB5CE4CE4CB08D0<\/p>\n<p>A3DA2089155C3275AD02A0DFF65E4A717E8376FA1DDBFEA4537C4C0DCA7FAA15<\/p>\n<p>D358B01958B4E6091A0B6D290D1724AAF5D1B19B1A98D173A2FAAFD6C707771D<\/p>\n<p>DFFEE58979C13FCB39D6666854C4FDBCA3959DDD68A2560832B76E4C15DCE6D6<\/p>\n<h3><strong>URLs<\/strong><\/h3>\n<p>Blocking the full URLs is recommended, to avoid future false positives or operational interruptions.<\/p>\n<p>hxxps:\/\/portaldriverdownloads[.]com\/alnnov2\/3039a97419926c5ad50405bc16de7315<\/p>\n<p>hxxps:\/\/redetop.com.br\/pipermail\/cn.supply_redetop.com.br\/2024-May\/029485.html<\/p>\n<p>hxxp:\/\/bit.ly\/3dU5poL<\/p>\n<p>hxxps:\/\/ufile[.]io\/emzdy9p5<\/p>\n<p>bydeletrico[.]com<\/p>\n<p>perpetualosten[.]com<\/p>\n<p>belensysten[.]com<\/p>\n<p>skydewiller[.]com<\/p>\n<p>blendcyte[.]com<\/p>\n<p>submarineclock[.]com<\/p>\n<p>syetemcuevo[.]com<\/p>\n<p>paginagogo[.]com<\/p>\n<p>foursiason[.]com<\/p>\n<h1><strong>Observables<\/strong><\/h1>\n<p>The following indicators do not indicate malicious behavior by themselves. However, they are used during the infection chain. 
In case of detection, alerting and threat-hunting processes are recommended to confirm or rule out infection by <em>Silver Oryx Blade<\/em>.<\/p>\n<h3><strong>SHA-256 Hash Values<\/strong><\/h3>\n<p>A6EB323A5E732691B2E7E6907E16E23214AC6EFDBA77BCC23037B81AB8BC3055<\/p>\n<p>A030DC2DFD2ECA28A9375C92989ADF4DAF161F988DB5E16B9E10678EB0DFF4C7<\/p>\n<p>E6B7D94725DC1603E121614AE88C1E3672776712A7C419A8F7F0295334266A09<\/p>\n<p>F843CD00D9AFF9A902DD7C98D6137639A10BD84904D81A085C28A3B29F8223C1<\/p>\n<p>E4E85EEA1106D361923995E53A0B961A28D4FB58555F40945003F35E5BF2C273<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview This post aims to describe the TTPs and provide indicators of compromise related to a new banking trojan, which<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-735","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/735","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=735"}],"version-history":[{"count":0,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/735\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/media?parent=735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=735"},{"taxonomy":"post_tag",
"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}