A fileless malware, recently spotted by TrendMicro, steals online banking credentials by accessing remote control of users’ devices. It also steals devices and email accounts data. With this campaign, hackers go a step further by installing a hacking tool named, RADMIN onto devices. The malware targeted mainly users of relatively large Brazilian and Taiwanese banks. Banks affected included Banco Bradesco and Sicredi.
The Emergence of Fileless Malware
Fileless malware is becoming a popular tactic cybercriminals are using to steal data from users’ networks and devices. It emerged with the Gozi banking malware and was highlighted as a rising tactic to be aware of in the latest ENISA cyber trends report. Fileless malware is a malicious software hackers use to gain access to users’ devices without writing or leaving any of its activity on the device. With this tactic, the executable never drops on the disk. It instead uses executables already available within a device such as mshta.exe. In addition, this malware commonly uses Powershells, especially within Windows operating systems. Although given the name fileless it is not always entirely file less. This was the case with this recent malware found targeting Brazilian banks.
Benefits for hackers include a higher success rate in deployment and the ability to attack without being detected. Because of this, it leaves less of a trail behind. File- less malware became apparent after the Kovter Trojan as after, many actors used it as part of their infection method for ransomware and crypto mining malware. A recent Ponemon Institute report revealed that in 2018 35% of attacks they monitored were fileless malware attacks.
Methodology of Brazilian Fileless Malware
The malware targeting Brazilian and Taiwanese banks used multiple .BAT attachments to open an IP address. It then downloads a PowerShell containing the banking trojan payload and installs tools to extract users’ data. Alongside RADMIN, these tools included an information stealer. The information stealer is also capable of scanning for strings relating to the affected banks and other associated connections to determine whether to target the user. TrendMicro did not locate the stolen data during their analysis. However, such data tends to be used for fraudulent activities or resold on the dark web for hackers to carry out further crimes with. An example is to use it for larger mass mail spams.
Once in devices, the malware downloads the PowerShell codes, executes and connects to other URLs, extracts and renames the files. The renamed files still appear as genuine, marked as executables and image files. The system then restarts a few times as .LNK files drops into the Startup folder. By creating a lock screen, the user is led to enter their username and password and from here theft of credentials starts. It sends the credentials to the command and control server and deletes all files it inputted and created and removes any trails.
The fileless malware also installs a hacking tool on users’ devices
It then executes another trojan, recognised as TrojanSpy.Win32.BANRAP.AS which opens Outlook and extracts data from here to send back to the server. It is here RADMIN installs a folder (leaving a file named RDP Wrapper on the desktop), allows the hacker to have full access to the system, gain admin rights and shadows user activities unnoticed. Upon the reboot it deletes the newly installed files to again rid its trails and replaces them with malicious .LNK before loading the trojan for web applications. It is here it obtains credentials when users log onto their online banking and feeds it back to the command and control server.
Fileless malware will continue to rise
The amount of affected users are unknown. With fileless malware in general, there is no doubt there are likely to be more instances similar to this, especially in the banking industry. As usual, users should be careful and make sure regular patching takes place to cover vulnerabilities.