Brazilian Banking Trojan Switches Distribution Method

A banking Trojan used primarily in Brazil has switched up its game. Previously being distributed primarily through pornography, the Trojan, which goes by several different names, has made the evolutionary step to being spread through phishing email campaigns.

The banking Trojan targeting victims based in the South American country has been called a few different things by different research groups. Some of those names include Ousaban and Javali. The general consensus is that the same Trojan has been in circulation since 2018.

However, it was previously distributed using pornographic images. This is why another group of researchers calls the malware Ousaban - a portmanteau term combining the Portuguese word for "boldness" and "banking".

The banking Trojan is curiously written in Delphi - not the most common programming language nowadays, but popular with malware developers in South America.

The change in distribution method for Ousaban is recent. The malware is now being spread using malicious phishing emails. The topics used to reel victims into opening the malicious attachments in the phishing mail are usually abusing fake delivery notifications.

The attachment is usually an MSI installer package. When executed, the MSI installer deploys a JavaScript downloader, which in turn grabs an archive file that contains a normal application.

The trick is that the malware also installs the malicious banking Trojan, using a technique called DLL side-loading. It involves planting the malicious payload, which is then invoked by a legitimate application.

In terms of functionality, Ousaban has all the trappings of regular banking Trojans. It can log keystrokes, capture screenshots, exfiltrate user information and simulate mouse and keyboard activity.

The Trojan uses screen overlays when the user hits a banking website and starts entering credentials, effectively stealing the login information. One difference that sets Ousaban apart from other banking Trojans used on South American victims is its ability to steal login credentials from email accounts as well.

To ensure persistence on the infected system, the Trojan either creates a .lnk shortcut or a VBS loader that are placed inside the system startup directory. Obfuscation is also present, with the malicious payloads sometimes reaching a fantastical 400 MB in size, just because of the heavy obfuscation.

May 5, 2021