Analysis of Latin American Bot (Vadokrist) : Part I - Mechanism & Dropper

-

 

EXECUTIVE SUMMARY

        Vadokrist Trojan aims to steal credentials from victims’ machines and to create banking overlay windows when the victim visits their home banking portals. Here is the list of known Latin American banking Trojans

                 • Grandoreiro

                 • URSA

                 • Javali 

                 • Vadokrist (aka) Mispadu

DISTRIBUTION

        Vadokrist is propagated via social engineering schemas – namely, phishing/malscam campaigns

TECHNICAL ANALYSIS

           Abusing MSI (Windows Installer) was one of the growing threat in cyber industry. In this sample the msi file acts as a dropper for VadoKrist Trojan



 

       Here we can see the obfuscated JS code Binded into Windows Installer (MSI) which drop a zip file and extracts Vadokrist Trojan 




 Here is the Full obfuscated code of the dropper

   

 

           

              

           

Popular posts from this blog

Lock -(B)- it : A Tale of Ransomware

-
Image
EXECUTIVE SUMMARY              * LockBit is one of the world's most active ransomware group connected to various high-profile attacks. This Blog consists of below Intel related to LockBit Group                                     • LockBit & Underground Forums                  • Affiliates & Partners                 • LockBit Blog - Leaked Data's                  • LockBit's Builder       LOCKBIT & UNDERGROUND FORUMS        * LockBit's presence in reputed Russian Underground Forums allows it to Hire affiliates for their ransomware & other malware developers as per need. Some of the most interesting  profiles are posted below.   Profiles (LockBit's Profile on one of the top russian underground forums) (LockBit's Profile on other Russian board) (LockBit's post's on Same Underground Forum) (Lockbit sponsered competiton of $15,000 AFFILIATES & PARTNERS                             * As a RaaS Model , LockBit requires affiliates to get ini
Read more

Analysis of Remote Template Injection used by APT

-
Image
  EXECUTIVE SUMMARY          Attackers are continually trying to find new ways to target users with malware sent via email.Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code to get initial access. There are numerous techniques used on these malicious docs to bypass anti-virus detection (VBAStomping, obfuscation, etc.). One such method is Remote Template Injection.   TECHNICAL INVESTGATION          Remote template injection was initially found in 2017 , later used by many APT's such as Gamaredon , Lazarus and many more .It was also listed on MITRE (T1221)   In this scenario the template with Macro will be hosted on the attacker's server will get executed when the victim clicks on enable macro   ANALYSIS OF GAMAREDON's SAMPLE            The sample of gamaredon group was found by researchers and shared on Malware Bazaar  Upon opening the sample in word, we can se
Read more