Fileless Malware Targeting Brazilian and Thai Bank Customers With Multiple Threats

Security researchers discovered a new fileless malware strain targeting bank customers in Brazil and Thailand with a hacking tool and at least two infostealers. Trend Micro observed that the malware, detected as Trojan.BAT.BANLOAD.THBAIAI, connects to hxxp://35[.]227[.]52[.]26/mods/al/md[.]zip to download PowerShell codes. It then connects to hxxp://35[.]227[.]52[.]26/loads/20938092830482 to execute the codes and contact other URLs before extracting and renaming its files so they appear to be valid Windows functions. From there, it forces the victim’s machine to restart and creates a lock screen designed to trick the user into providing his or her login credentials.

While it sets to work deleting all its dropped files, the malware downloads two other threats. The first, detected as TrojanSpy.Win32.BANRAP.AS, opens Outlook and sends stored email addresses to its command-and-control (C&C) server. The second, detected as HKTL_RADMIN, lets a digital attacker lock into the system once the user logs off, gain admin privileges and monitor screen activity.

Once the user logs back in after rebooting, the malware also drops a batch file with a command to load Trojan.JS.BANKER.THBAIAI. This Trojan monitors all sites visited by the victim for strings related to banking. When it finds something pertaining to a login session, it collects the information and sends it to its C&C server.