Banking Trojan evolves from distribution through porn to phishing schemes

While starting out in Brazil, the malware may now also be present in Europe.

A banking Trojan focused on Brazilian targets has evolved from using pornography as its distribution lure to a more conventional phishing email model. 

ESET researchers have named the Trojan Ousaban, a mixture of "boldness" and "banking trojan." 

Kaspersky researchers track the malware as Javali, one of four major banking Trojans in Brazil -- alongside Guildma, Melcoz, and Grandoreiro. 

Thought to have been in active circulation since 2018, the malware is written in Delphi, a coding language commonly employed for Trojans in the region. 

The "boldness" in the name stems from the malware's roots in using sexual imagery as a lure and distribution vector. According to the researchers, some of the images used could be considered "obscene." 

However, Ousaban has moved on since its roots in pornography and has now adopted a more typical approach in distribution. Phishing emails are sent using themes such as messages claiming there were failed package delivery attempts that ask users to open files attached to the email. 

The attachment is an MSI (Microsoft Windows Installer) package. If executed, the MSI extracts a JavaScript downloader that fetches a .ZIP archive containing a legitimate application, which is abused to load the Trojan through DLL side-loading. 

A more complicated distribution chain has also been traced. In it, the legitimate app has been tampered with to fetch an encrypted injector; the injector obtains a URL hosting remote configuration files that supply a command-and-control (C2) server address and port, along with another malicious file that changes various settings on the victim's PC. 

Ousaban contains typical capabilities of a Latin American banking Trojan, including the installation of a backdoor, keylogging, screenshot capabilities, mouse and keyboard simulation, and the theft of user data. 

When victims visit banking institutions, screen overlays are employed to harvest account credentials. However, unusually for malware in the region, Ousaban will also attempt to steal account usernames and passwords from email services by using the same overlay technique. 

ESET says the Trojan's persistence mechanism includes the creation of either a .LNK file or VBS loader in the Windows startup folder, or alternatively, the malware will modify the registry. In addition, Ousaban uses Themida or Enigma binary obfuscation to hide its executable files and will inflate their sizes to roughly 400MB "to evade detection and automated processing."
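The persistence and evasion traits described above lend themselves to a simple host triage check. The following script is an added example, not ESET or Kaspersky tooling and not code from the article: it scores constructed inventory records for the three traits reported here, namely .LNK or .VBS entries in the Windows Startup folder, a registry autostart pointing at a user-writable location, and executables inflated to hundreds of megabytes. The 256 MiB size cut-off, the Run/RunOnce key check (the article only says the malware "will modify the registry"), the user-writable path list and all sample paths are this example's own assumptions.

```python
"""Constructed triage helper (added example; not ESET or Kaspersky code).

Flags host inventory records that match the Ousaban traits reported in the
article: Startup-folder .LNK/.VBS autostarts, a registry autostart launching
from a user-writable path, and inflated executables. All sample data is made up.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# Article: binaries inflated to "roughly 400MB". A 256 MiB cut-off is an
# assumption chosen to catch that range while sparing ordinary installers.
INFLATED_SIZE_BYTES = 256 * 1024 * 1024
STARTUP_MARKER = "start menu/programs/startup"        # matched case-insensitively
AUTOSTART_EXTENSIONS = {".lnk", ".vbs"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll"}
# Assumption: review Run/RunOnce values; the article does not name the key.
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int  # bytes


@dataclass(frozen=True)
class RegistryRecord:
    key: str
    name: str
    data: str  # command line stored in the value


def is_startup_autostart(rec: FileRecord) -> bool:
    """True for a .lnk/.vbs file located under the Startup folder."""
    p = PureWindowsPath(rec.path)
    return STARTUP_MARKER in p.as_posix().lower() and p.suffix.lower() in AUTOSTART_EXTENSIONS


def is_inflated_executable(rec: FileRecord) -> bool:
    """True for an .exe/.dll at or above the inflation threshold."""
    return PureWindowsPath(rec.path).suffix.lower() in EXECUTABLE_EXTENSIONS and rec.size >= INFLATED_SIZE_BYTES


def is_suspicious_run_value(rec: RegistryRecord) -> bool:
    """True for a Run/RunOnce value whose command points into a user-writable directory."""
    return rec.key.lower().endswith(RUN_KEY_MARKERS) and any(m in rec.data.lower() for m in USER_WRITABLE_MARKERS)


def triage(files: List[FileRecord], registry: List[RegistryRecord]) -> List[Tuple[str, str]]:
    """Return (location, reason) pairs that deserve an analyst's attention."""
    findings: List[Tuple[str, str]] = []
    for f in files:
        if is_startup_autostart(f):
            findings.append((f.path, "autostart script/shortcut in Startup folder"))
        if is_inflated_executable(f):
            findings.append((f.path, f"inflated executable, {f.size // 2**20} MiB"))
    for r in registry:
        if is_suspicious_run_value(r):
            findings.append((f"{r.key}\\{r.name}", "Run value launching from user-writable path"))
    return findings


# Constructed sample inventory (hypothetical paths, not real indicators).
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_FILES = [
    FileRecord(STARTUP + r"\update.lnk", 1_350),                                  # flagged
    FileRecord(STARTUP + r"\loader.vbs", 2_048),                                  # flagged
    FileRecord(STARTUP + r"\desktop.ini", 282),                                   # benign
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\vendorapp\helper.dll", 420 * 1024 * 1024),  # flagged
    FileRecord(r"C:\Program Files\VendorApp\vendorapp.exe", 3 * 1024 * 1024),     # benign
]
SAMPLE_REGISTRY = [
    RegistryRecord(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
                   r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),  # benign
    RegistryRecord(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "vendorapp",
                   r'"C:\Users\alice\AppData\Local\Temp\vendorapp\vendorapp.exe"'),     # flagged
]

if __name__ == "__main__":
    for location, reason in triage(SAMPLE_FILES, SAMPLE_REGISTRY):
        print(f"{reason}: {location}")
```

In practice the records would be collected by a triage tool or EDR export; the size rule on its own produces false positives on large legitimate installers, so it is meant to be combined with the autostart checks rather than used alone.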

Kaspersky says that Javali/Ousaban has expanded beyond its Brazilian base in the past year or so, but ESET has yet to find any links between the Trojan and a suggested presence in Europe. 

Last month, ESET explored Janeleiro, a .NET Trojan operating in Brazil with similarities to Casbaneiro, Grandoreiro, and Mekotio. This banking malware is being used in targeted attacks against enterprise and government entities. 
