While going through new malware samples in our cloud we came across an interesting payload written in Delphi which, unlike traditional banking Trojans, uses a malicious Chrome extension for stealing sensitive banking information from Banco do Brasil customers.

- Downloads and installs Chrome extension files as
- Searches for all Google Chrome shortcuts and modifies their target to load the malicious extension.
- Disables the Google Chrome developer-mode extension warning using code from Stackoverflow.
- Targets Banco do Brasil (and bb.com.br) customers.
- Steals cookies and credentials using the extension.

Figure 1. Main Activity Flowchart

Analysis

The Delphi file contains URLs in a TEdit field, a timer to start the activity, and a button with an OnClick event that downloads the Chrome extension files.

First, the callback on the FormShow event is triggered: it obtains the %APPDATA% path, decrypts the “/Microsoft/” string, generates two random strings and concatenates them. After that, the timer callback triggers the button callback, which in turn downloads the extension files from the server.

The button callback creates the directory structure at the path generated earlier by the FormShow callback and sets hidden attributes on it. It then downloads the remote files, appends the extension ".off" to them, and sets the hidden and read-only attributes on these files.

Chrome extension files are downloaded from the following URLs:

The Delphi file checks whether Chrome is installed at “C:\Program Files\Google\Chrome\Application\chrome.exe” or “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe”. It then searches for all Google Chrome shortcuts on the C:\ drive and, if found, changes their destination to “

Figure 10.

Content Script

The content script is obfuscated in the same way as the background script and can be read after deobfuscation.

Script code for sending stolen data to C&C
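As an added example that is not part of the original write-up, the following PowerShell hunting script checks a host for the two artifacts described above: hidden, read-only ".off" files under %APPDATA%\Microsoft, and Chrome shortcuts whose target or arguments deviate from a plain launch of chrome.exe at the two installation paths named in the analysis. The function names and the matching of .lnk files by the substring "chrome" are assumptions for this example.

```powershell
# Added hunting script (not from the original analysis). Assumes the dropped
# extension files keep the ".off" suffix with hidden + read-only attributes under
# %APPDATA%\Microsoft\<random><random>, and that a legitimate Chrome shortcut
# points at one of the two chrome.exe paths named in the write-up with no arguments.

$LegitChrome = @(
    'C:\Program Files\Google\Chrome\Application\chrome.exe',
    'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
)

# Hypothetical helper: list hidden + read-only "*.off" files below %APPDATA%\Microsoft.
function Find-DroppedExtensionFiles {
    $root = Join-Path $env:APPDATA 'Microsoft'
    Get-ChildItem -Path $root -Recurse -Force -File -Filter '*.off' -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            ($_.Attributes -band [IO.FileAttributes]::ReadOnly)
        }
}

# Hypothetical helper: report Chrome .lnk files on C:\ whose target is not a known
# chrome.exe path, or which carry command-line arguments (any argument deserves review,
# because a legitimate desktop shortcut to chrome.exe normally has none).
function Find-SuspiciousChromeShortcuts {
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path 'C:\' -Recurse -Force -File -Filter '*.lnk' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'chrome' } |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $targetOk = $LegitChrome -contains $lnk.TargetPath
            $argsOk   = [string]::IsNullOrWhiteSpace($lnk.Arguments)
            if (-not $targetOk -or -not $argsOk) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
        }
}

Find-DroppedExtensionFiles | ForEach-Object {
    "[dropped file] {0} ({1})" -f $_.FullName, $_.Attributes
}
Find-SuspiciousChromeShortcuts | Format-List
```

Run it from an elevated prompt so shortcuts under every user profile and the hidden drop directory are readable; an empty result for both checks means neither artifact described above is present.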