{"id":800,"date":"2024-11-13T15:07:32","date_gmt":"2024-11-13T15:07:32","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=800"},"modified":"2024-11-13T15:07:32","modified_gmt":"2024-11-13T15:07:32","slug":"new-silver-shifting-yak-banking-trojan","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2024\/11\/13\/new-silver-shifting-yak-banking-trojan\/","title":{"rendered":"New Silver Shifting Yak Banking Trojan"},"content":{"rendered":"

Overview<\/h2>\n

The objective of this report is to describe the tactics, techniques, and procedures (TTPs) and provide indicators of compromise associated with a new banking trojan, identified by SCILabs as Silver Shifting Yak<\/em>. Key characteristics of this Trojan include the dynamic alteration of URLs for its C2 server and the use of varying domain names throughout the infection chain. SCILabs identified this threat in October 2024 by monitoring and threat hunting in Latin America.<\/p>\n

The main objective of Silver Shifting Yak<\/em> is to steal information from financial institutions such as Banco Ita\u00fa, Banco do Brasil, Banco Bandresco, Foxbit, and Mercado Pago Brasil, among others, as well as credentials used to access Microsoft portals such as Outlook, Azure, and Xbox, by monitoring the sites that the victims access through their web browser.<\/p>\n

Although SCILabs was unable to identify the Trojan’s distribution method, based on its experience with other threats in the region and the <2 letters-4 numbers-3 letters>.zip<\/strong> filename pattern identified (similar to the random digital document format used by other threats) it is likely to be distributed via malicious emails, using alleged invoices and digital documents as a pretext. This method is common in banking trojan-activity in Latin America, such as Grandoreiro<\/em>, URSA\/Mispadu<\/em><\/a>, and Silver Oryx Blade<\/em><\/a>, also discovered by SCILabs in August 2024.<\/p>\n

It is important to note that, as of the time of writing this report, several artifacts identified during the investigation and used in the Silver Shifting Yak<\/em> infection chain have a low detection rate across antivirus solutions, according to the VirusTotal<\/a> platform<\/a>. This increases the risk of compromise for employees of various organizations, making it essential for companies to remain vigilant against this threat.<\/p>\n

\"\"
Figure 1. Silver Shifting Yak Banking trojan<\/strong><\/figcaption><\/figure>\n

How could it affect an organization?<\/strong><\/h2>\n

Silver Shifting Yak <\/em>can steal information from financial institutions and Microsoft platforms from all types of users, including organization employees. If an attack is successful within an organization, cybercriminals can leak or sell the stolen information on underground forums of the Dark Web or in black markets. This puts the confidentiality, integrity, and availability of their information at risk and can result in reputational damage.<\/p>\n

Analysis<\/h2>\n

Threat Context<\/h2>\n

In October 2024, SCILabs identified the URL hxxps[:]\/\/nvidrive[.]com\/download\/b12aa4d64c6edf95dad972b211b79a64, <\/strong>which, when visited, initiates the download of a ZIP file with <2 letters-4 numbers-3 letters>.zip<\/strong> filename pattern, using the HTML Smuggling<\/a> technique.<\/strong><\/p>\n

The template displayed upon visiting the URL presents a message in Brazilian Portuguese, notifying the user that the download is being prepared and will begin in 5 seconds. From this point on, all messages displayed by the website are shown in Portuguese, indicating that the campaign targets users in Brazil.<\/p>\n

\"\"
Figure 2. Template used on the malware download site<\/strong><\/figcaption><\/figure>\n

Once the counter has ended, the page displays a second message indicating that the download has been completed, and displays the WinRAR <\/a> icon image and the file name.<\/p>\n

\"\"<\/a>
Figure 3. Second message displayed on the page used to distribute malware<\/strong><\/figcaption><\/figure>\n

The domain includes several pages displaying messages like \u201cpage not found\u201d or \u201cunauthorized access,\u201d and hyperlinks prompting the user to return to the homepage, which redirects to the Google search engine. Additionally, some messages indicate that \u201clogs\u201d have been added or that the \u201ccounter\u201d parameter is missing, suggesting that the attackers keep track of all the computers visiting the site and downloading the malware. This tracking enables the attackers to verify the success of the trojan\u2019s distribution and manage the spread of the infection.<\/p>\n

\"\"
Figure 4. Additional messages displayed by the malicious website<\/strong><\/figcaption><\/figure>\n

It is important to note that the domain nvidrive[.]com<\/strong>, used by the threat actors to distribute the trojan, was registered in September 2024 through NameCheap, Inc<\/a>., a domain registration and hosting<\/a> provider, which also offers domain privacy services. The main characteristics of the domain are the following:<\/p>\n