Analyzing C2C Communications In Financial Malware

Mispadu, also known as Ursa, is a remote overlay banking malware family that targets banks in Spanish- and Portuguese-speaking countries, including Mexico, Colombia, Argentina, Chile, Portugal and Spain. Put simply, remote overlay malware is a malicious application built to take over a victim’s computer by controlling their keyboard and mouse while the fraudster watches the victim’s live screen.

Encoding of its command-and-control (C2C) communications was one of the changes made to Mispadu’s operation when it resurfaced.

Pre-initialization of C2C communications

The goal of C2C communications

The malware’s ability to communicate with its operator is essential to the effectiveness of a remote overlay attack. Over this connection, the fraudster typically sends a set of operational commands to the malicious application running on the victim’s computer.

Many overlay attacks, such as draining the victim’s bank account, are carried out while the fraudster watches and controls the victim’s live session.

Timing of C2C communications

It might seem obvious that contact with the fraudster would begin as soon as the victim runs the infected application, but this is not the case. That would put the fraudster at serious risk, since such contact might trigger antivirus alerts.

In this scenario, as in most other remote overlay scenarios, communication only begins when the user visits one of the malware’s targets, namely the websites of banks in Spanish- or Portuguese-speaking countries.


C2C communications initialization

Communication with the C2C server begins when the user views one of the sites on the malware’s target list. This is done with the Win32 Socket (Winsock) APIs, the most practical means of establishing this kind of connection.

Before the socket is set up, the malware fills in its details, such as the destination IP address and port.

Setting up the socket with destination address and port (image credit: IBM)

The C2C server receives the message “GFHHVG..” once the socket is connected.

Once the socket is connected, the malware sends a message to its C2C server (image credit: IBM)

Receiving C2C communications

Once the socket is connected and the beacon has been sent, the malware waits for input from the C2C server. When a message is received, one of several “read” routines handles it, depending on the message’s sequence:

These routines are similar to one another; their purpose is to parse the messages received from the C2C.

The first of them, “TwYHJk1_wC51Read,” is discussed here:

After receiving a message from the C2C, the malware parses it by decoding it and comparing the result to a string that represents a command. In the snippet, “<|SocketMain|>” is the first command compared in the first “read” function. The other “read” functions compare against different commands.

Note the function located at 0x7364A8.

This function decodes the entire message: it takes a string and produces the decoded string through a series of arithmetic operations.

Let’s examine that function and find out how it works.

Encoding of C2C communications

Goal

The purpose of encoding the communication is to hide the fraudster’s goals and methods. This can be achieved with existing communication algorithms or with custom-designed ones. As shown earlier, the message “GFHHV..” looks random and meaningless, which strongly suggests that it is encoded.

Execution

Examining the C2C decoding function shows that the decoding process is implemented simply and does exactly what is needed to decode messages sent by the C2C server. Messages sent to the C2C server are encoded with the same method.

The decoding process breaks down into the following steps:

Step 1: Convert the first character of the message (the “G” in GFHHVGCGEFUGAFOFUGCFMFXHVFJ@) to its ASCII value, 71. Subtract 65 (the ASCII value of “A”). The result is 6.
Keep this 6 in mind; it is reused throughout the decoding process.

Step 2: Convert the next character (the “F” in GFHHVGCGEFUGAFOFUGCFMFXHVFJ@) to its ASCII value, 70. Subtract 65, the ASCII value of “A”.
The result is 5.
Call this value X.
The two lines of assembly code can be expressed by the following equation:

(X + 4X) + (X + 4X) × 4 = 25X = 25 × 5 = 125

Step 3: Take the ASCII value of the following character (“H”): 72. Subtract “A” from it: the result is 7. Add the result of the preceding step to that value: 125 + 7 = 132.
From that value, subtract the result of step 1 and the constant 66 (“B”): 132 − 66 − 6 = 60, which is “<” in ASCII. This is the first character of the decoded string.

Step 4: Repeat steps 2 and 3 with each subsequent pair of characters (“H” and “V” in GFHHVG..), appending each decoded character to build up the decoded string.

Step 5: The “@” at the end of GFHHVGCGEFUGAFOFUGCFMFXHVFJ@ marks the end of the string. At this point the result of decoding the encoded text can be displayed: <|PRINCIPAL|>
This string is the first beacon the malware sends to the C2C server.
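The five steps above as a runnable Python reimplementation (an added example written from the walkthrough, not code from the malware or from IBM). It decodes the beacon and also returns the intermediate values of each step so the arithmetic can be checked against the numbers in the text.

```python
# Added example (not Mispadu's code): the C2C decoding steps described above.
#
# Message layout as described in the walkthrough:
#   byte 0     : key character; key = ord(ch) - ord('A')                  (step 1)
#   bytes 1..  : pairs (X, Y); each pair yields one plaintext byte
#                25*(X-'A') + (Y-'A') - 66 - key                           (steps 2-3)
#   '@'        : end-of-string marker                                     (step 5)


def decode_steps(encoded):
    """Decode one message and return a list of
    (pair, 25*X, 25*X + Y, decoded_char) so every intermediate value is visible."""
    if not encoded:
        raise ValueError("empty message")
    body = encoded.split("@", 1)[0]            # stop at the '@' terminator (tolerated if absent)
    key = ord(body[0]) - ord("A")              # step 1: the repeating value (6 for 'G')
    pairs = body[1:]
    if len(pairs) % 2:
        raise ValueError("dangling character: the key byte must be followed by pairs")
    steps = []
    for i in range(0, len(pairs), 2):
        pair = pairs[i:i + 2]
        x = ord(pair[0]) - ord("A")            # step 2: X
        y = ord(pair[1]) - ord("A")            # step 3: next character minus 'A'
        mult = (x + 4 * x) + (x + 4 * x) * 4   # the two assembly lines: 25X
        total = mult + y                       # 25X + Y
        value = total - 66 - key               # minus 'B' and minus the step-1 key
        if not 0 <= value < 128:
            raise ValueError(f"pair {pair!r} decodes outside ASCII ({value})")
        steps.append((pair, mult, total, chr(value)))
    return steps


def mispadu_decode(encoded):
    """Step 4: concatenate the decoded characters of every pair."""
    return "".join(ch for _, _, _, ch in decode_steps(encoded))


if __name__ == "__main__":
    beacon = "GFHHVGCGEFUGAFOFUGCFMFXHVFJ@"   # the beacon quoted in the write-up
    for pair, mult, total, ch in decode_steps(beacon):
        print(f"{pair}: 25X={mult:3d}  +Y={total:3d}  -66-key={ord(ch):3d} -> {ch!r}")
    print(mispadu_decode(beacon))              # <|PRINCIPAL|>
```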

Something to keep in mind

Because of the way this encoding and decoding works, different encoded characters can produce the same decoded character.

For instance, AFV and GGC both map to the same character, P.

As a longer example, decoding “GFHHVGCGEFUGAFOFUGCFMFXHVFJ” and “AFBHPFVFXFOFTFIFOFVFGFRHPFD” yields the identical plaintext.

Different ciphertext, same plaintext (image credit: IBM)

From the malware author’s perspective, the advantage of such an encoding scheme is that, if the network is being monitored, it is almost impossible to understand how the malware operates without the decoding algorithm. Each command has a vast number of possible encodings, so the same behaviour looks different to a network monitor every time.
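Added example (not part of the original write-up): an encoder built as the inverse of the decoding arithmetic, which makes the many-to-one mapping above concrete, and a small normaliser showing how a monitor that knows the algorithm can map every variant of a command back to one label. The command labels and the seeded random choice of key letter are assumptions made here.

```python
# Added example, not Mispadu's code: inverse of the decoding arithmetic, plus a
# normaliser a network monitor could use to collapse all encodings of a command.
import random
import string
from typing import Optional


def decode(msg: str) -> str:
    """Compact form of the decoding walkthrough: key byte, then (X, Y) letter pairs."""
    body = msg.split("@", 1)[0]
    key = ord(body[0]) - ord("A")
    pairs = body[1:]
    return "".join(chr(25 * (ord(pairs[i]) - 65) + (ord(pairs[i + 1]) - 65) - 66 - key)
                   for i in range(0, len(pairs), 2))


def encode(plain: str, key_char: Optional[str] = None, seed: int = 0) -> str:
    """Encode using only A-Z pairs. For each plaintext byte c the encoder needs
    25*x + y == ord(c) + 66 + key with 0 <= x, y <= 25. The key letter is free
    (26 choices) and some targets admit two (x, y) splits, so one plaintext has
    many ciphertexts. Choices are made from a seeded RNG (our assumption)."""
    rng = random.Random(seed)
    if key_char is None:
        key_char = rng.choice(string.ascii_uppercase)
    key = ord(key_char) - ord("A")
    out = [key_char]
    for c in plain:
        target = ord(c) + 66 + key
        splits = [(x, target - 25 * x) for x in range(26) if 0 <= target - 25 * x <= 25]
        x, y = rng.choice(splits)              # every target >= 66 has at least one split
        out.append(chr(65 + x) + chr(65 + y))
    return "".join(out) + "@"


def variants(plain: str, n: int) -> set:
    """n encodings of the same plaintext, differing in key letter and/or split."""
    return {encode(plain, seed=i) for i in range(n)}


# Command strings named in the write-up; the labels are ours.
KNOWN_COMMANDS = {"<|PRINCIPAL|>": "beacon", "<|Info|>": "system-info"}


def classify(msg: str) -> str:
    """Normalise a captured C2C payload: decode it, then match the leading command."""
    try:
        plain = decode(msg)
    except (IndexError, ValueError):           # empty, odd-length, or out-of-range pair
        return "undecodable"
    for cmd, label in KNOWN_COMMANDS.items():
        if plain.startswith(cmd):
            return label
    return "unknown"
```

Feeding `variants("<|PRINCIPAL|>", 30)` through `classify` labels every distinct ciphertext as the same beacon, which is the normalisation a monitor needs in order to alert on the command rather than on one of its byte patterns.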


C2C commands

Execution

Once a command has been decoded, the sample’s next steps are fairly simple. Each command has a distinct operational role, so the fraudster can carry out a variety of actions on the victim’s system, such as controlling the mouse and keyboard and watching the screen, among many others.

Primary commands

Let’s examine the commands the malware implements to let the fraudster carry out different operations on the victim’s computer.

Once communication has been established, the malware signals the new connection by sending a beacon, the string “<|PRINCIPAL|>,” to the C2C server.

After this first step, the fraudster has full control over the victim’s system and can carry out a variety of actions. One essential command extracts important system data: the “<|Info|>” command exports basic information about the victim’s system, including the Windows version, the locale, the browser currently open and the webpage currently being browsed. An example of the malware’s response to this command, as sent back to the C2C server, is:

“<|Info|>Chrome<|>Bank x<|>Win 10<|>4:04:12 PM”

According to this response, at 4:04:12 PM the victim’s machine was running Windows 10 and browsing a Bank x webpage in Chrome.

There are several reasons this information is collected. Knowing the victim’s operating system can make it easier to compromise the system with other malicious tools, since different tools support different versions of the victim’s platform. Knowing the victim’s target bank site also helps the fraudster carry out a successful attack.

Conclusion

Remote overlay attacks are today among the most common threats to users’ bank accounts, posing serious risks to banks and their customers. The communication between the malware and its operators is a crucial component of these attacks and central to their operating strategy: carrying them out requires a direct, real-time connection. By encoding that communication, the malware adds another brick to its protective wall and makes the operation harder to reverse. IBM’s main goal as cybersecurity specialists is to monitor, analyse and block these interactions so that fraudulent schemes cannot be carried out successfully.

Staying safe

To protect themselves, users should regularly review their installed applications and uninstall any that look unfamiliar or suspicious.

It is also important to check cryptocurrency wallets for unauthorised transactions and email accounts for unusual login attempts. The risks posed by this evolving attack model can be reduced by remaining vigilant and proactive.

IBM Trusteer helps you establish identity trust across the omnichannel customer journey, detect fraud and malware, and authenticate users. More than 500 leading organisations use IBM Trusteer to enable business growth and safeguard their customers’ digital experiences.
