A
You're listening to the Cyberwire network. Powered by n2k.
B
Identity is a top attack vector. In our interview with Kavitha Mariappan from Rubrik, she breaks down why 90% of security leaders believe that identity-based attacks are their biggest threat. Throughout this conversation we explore why recovery times are getting longer, not shorter, and what resiliency will look like in this AI-driven world. If you're struggling to get a handle on identity risk, this is something you should tune into. Check out the full interview at thecyberwire.com/rubrik. Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel: outpacing what's next in social engineering. Learn more at doppel.com, that's D-O-P-P-E-L.com. Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
C
We noticed an unusual connection. Someone was trying to run some PowerShell script in the environment of one of our clients and that triggered our attention, so we started investigating that. And that investigation eventually led to the discovery of this banking Trojan, which we dubbed Eternidad.
B
That's Ziv Mador, VP of Security Research from LevelBlue SpiderLabs. The research we're discussing today is titled "SpiderLabs IDs new banking Trojan distributed through WhatsApp." Well, let's talk about that. What is the Eternidad stealer, and what makes it different from some of the other Trojans that you all have seen?
C
So first, how it is distributed. It's distributed mostly using WhatsApp, which is a very popular application all around the world, but in Brazil in particular. It targets Brazilian users because it limits itself only to computers running, or that use, the operating system language Portuguese. And it's quite different from other WhatsApp worms that were mentioned by the industry. For example, two months ago Trend Micro mentioned a similar campaign, but there are certainly some technical differences, which we noted in the blog post. Clearly the threat actor behind this worm and others is investing in improving the technical capabilities of the worm: the way it's spreading, how it infects users, the languages that are used, etc.
B
Well, can you walk us through the infection chain here? From the victim's perspective, what happens from that moment when a malicious message arrives?
C
Absolutely. So the message, first of all, is personalized. There is a template they use that includes the victim's name, even "Good morning" if it's morning and "Good afternoon" if it's afternoon. And then there's a link to a VBS file. That file will run only if it's a desktop, not a cellular phone, because the VBS requires certain applications from Microsoft that are typical to desktops, and therefore it usually will execute only on WhatsApp Web, which is the desktop version of WhatsApp, and will usually fail to run on mobile phones. Once the VBS file executes, it will download a batch file that dynamically downloads the payloads from the attacker server. And from what we saw, it includes two payloads. One is the worm itself, which uses Python. It downloads all the contact information from that WhatsApp account using normal WhatsApp APIs, sends those contacts to the attacker server, and then sends those messages to those contacts. And that's basically how the worm spreads. The second payload is the banking Trojan itself. So far we saw nearly a million contacts being sent to the attacker from about 10,000 infected clients.
B
And so what are they ultimately after here? Are they going after banking credentials?
C
Banking credentials for banks, for cryptocurrency wallets, for cryptocurrency services, et cetera. We included the full list in the blog post. There are about 15 banks there, among them some of the biggest banks in Brazil and Argentina, and about 17 or 18 different cryptocurrency services, etc. They try to capture the credentials and send them to the attacker. And the rest is quite clear. What's the intent of the attacker?
B
Yeah, the research points out that the malware only activates when it detects Brazilian banks or crypto apps. Why wait until that moment?
C
So first, it limits the execution to Windows operating systems that run the Portuguese language. They try to limit it to certain clients. Brazil is a very large country with a huge population. There are also Brazilian users in other countries around the world. That provides the attacker sufficient material to work with. So that's one. Second thing: once it installs the banking Trojan, it stays dormant unless the user accesses any of those bank sites or cryptocurrency services, and then it triggers and tries to capture those credentials. In some cases it uses overlay windows to capture those credentials and send them to the attacker.
B
We'll be right back. The world moves fast. Your workday, even faster. Pitching products, drafting reports, analyzing data: Microsoft 365 Copilot is your AI assistant for work, built into Word, Excel, PowerPoint and other Microsoft 365 apps you use, helping you quickly write, analyze, create and summarize so you can cut through clutter and clear a path to your best work. Learn more at microsoft.com/M365Copilot.
A
This episode is brought to you by Indeed. Stop waiting around for the perfect candidate. Instead, use Indeed Sponsored Jobs to find the right people with the right skills, fast. It's a simple way to make sure your listing is the first candidates see. According to Indeed data, sponsored jobs have four times more applicants than non-sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsored job credit at indeed.com/podcast. Terms and conditions apply.
B
You note that they make use of Delphi and Python in the campaign. What makes that interesting?
C
Delphi is a pretty old language. It has existed for 30 years now. We have seen the use of Delphi in some malware binaries. Typically it's for people who are experienced with Delphi. There are plenty of tutorials and sample code for Delphi, so for certain malware developers it's a handy language to use, but we certainly see other languages being used as well. As you noted, we also saw a transition from PowerShell to Python with this malware. Both languages are widely used by malware developers. PowerShell is commonly used because it's so common, especially in organizations, because of its rich capabilities. But the same goes for Python. So we see both of them. Usually it reflects the preferences of the developers behind the malware, nothing beyond that.
B
You all pointed out that the IMAP based command and control is unusual. How does that work and why does that matter?
C
They wanted to get details from the attacker servers and they have to do it in a way that will be hard to detect. The use of the IMAP protocol, which is normally a protocol used for email, for getting details from the attacker server is unusual, so we pointed that out in the blog. But of course there are many other ways they can do it, over HTTP or over other protocols as well.
B
You all noted that some of the actor email accounts lacked two factor authentication and you were able to verify behavior by logging in. What did that confirm for you?
C
We were able to see the emails that are sent by the malware. As we explained in the blog post, they send emails with information they collect from the infected computers. That allowed us to see that information and get leads. That led to the discovery of more details, some of them not mentioned in the blog post. We're working with law enforcement on this case. Some of the details were not included in the blog post. We hope to share them with the general public later on as this investigation progresses.
B
Understood. You mentioned that they're using an overlay attack. For folks who may not be familiar with that, can you describe it for us?
C
Sure, absolutely. So sometimes when they try to capture credentials from certain banking sites, the way they do it is they open artificial or fake windows that look very much like the bank site. So they might use the same logo and name of the bank, and what that allows them to do is trick the user into thinking that those windows were launched by the bank. They type their username and credentials there, and by using that method, they can steal those details.
B
Do you have any idea who might be behind this?
C
We have some leads, yes. We're working, as I mentioned earlier, with law enforcement, but there is nothing beyond that I can mention at this point.
B
Sure. So stay tuned.
C
Yes, exactly.
B
Yeah. How do you rate the sophistication of this group? I mean, it seems like part of their strategy is just to hit as many people as possible. They're gathering address books and so on. But the actual technology here, is it noteworthy?
C
I would say it's average. In general, running malware campaigns is fairly complicated. They have to program the server side and the client-side malware, the infiltration and the exfiltration, et cetera. There are many parts they have to take care of, and they show creativity. But the level of creativity and the level of technicality we see here is fairly average compared to other malware campaigns we monitor.
B
Okay, so what are your recommendations then, based on the information you've gathered? How can people best protect themselves?
C
So, first of all, be very cautious about messages you get over email, over the web, over WhatsApp, and everywhere, text messages, etc. Use your judgment. Do you expect that message? Do you know who the sender is? Does the content look like it's trying to urge you to do something suspicious: open files that you're not familiar with, provide information you're not expected to provide? By being vigilant, people can sometimes avoid falling prey to those attacks. Secondly, if you log into your bank account, watch out for any unusual behavior: windows that don't look familiar, activity on the computer that is unusual, etc. All those things can indicate an infection. And of course, keep an effective antivirus and other security software, and 2FA. All those measures will help you reduce the risk to a minimum.
B
Our thanks to Ziv Mador from LevelBlue SpiderLabs for joining us. The research is titled "SpiderLabs IDs new banking Trojan distributed through WhatsApp." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. If you only attend one cybersecurity conference this year, make it RSAC. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco.
C
¿Hablas español? Sprichst du Deutsch? kom lunoszk? If you used Babbel, you would. Babbel's conversation-based techniques teach you useful words and phrases to get you speaking quickly about the things you actually talk about in the real world. With lessons handcrafted by over 200 language experts and voiced by real native speakers, Babbel is like having a private tutor in your pocket. Start speaking with Babbel today. Get up to 55% off your Babbel subscription right now at babbel.com/spotify, spelled B-A-B-B-E-L.com/spotify. Rules and restrictions may apply.
Date: February 14, 2026
Host: Dave Bittner (N2K Networks)
Guest: Ziv Mador, VP of Security Research at LevelBlue SpiderLabs
Main Topic: Discovery and analysis of a new banking Trojan, “Eternidad Stealer,” distributed via WhatsApp and targeting Brazilian users.
This episode of Research Saturday focuses on the identification and technical breakdown of a newly observed banking Trojan dubbed “Eternidad Stealer.” Host Dave Bittner discusses with Ziv Mador from LevelBlue SpiderLabs the infection chain, technical peculiarities, targets, and broader implications of this malware campaign—particularly notable for its abuse of WhatsApp as an initial vector and its focus on Portuguese-language Windows systems.
“Someone was trying to run some PowerShell script in the environment of one of our clients and that triggered our attention... that investigation eventually led to the discovery of this banking Trojan which we dubbed ‘Eternidad.’”
— Ziv Mador (02:03)
“The message, first of all, is personalized... there’s a link to a VBS file. That file will run only if it’s a desktop, not a cellular phone... so usually it will execute only on WhatsApp Web.”
— Ziv Mador (03:57)
“…nearly a million contacts being sent to the attacker from about 10,000 infected clients.”
— Ziv Mador (04:36)
“They try to capture the credentials and send them to attacker. And the rest is quite clear. What’s the intent of the attacker?”
— Ziv Mador (05:44)
“Typically it’s for people who are experienced with Delphi... but we certainly see other languages being used as well.”
— Ziv Mador (08:33)
“The use of the IMAP protocol... is unusual, so we pointed that out in the blog.”
— Ziv Mador (09:42)
“We’re able to see the emails sent by the malware... That allowed us to get leads... We’re working with law enforcement.”
— Ziv Mador (10:28)
“...they open artificial or fake windows that look very much like the bank site... By using that method, they can steal those details.”
— Ziv Mador (11:13)
“Running malware campaigns is fairly complicated... but the level of creativity and the level of technicality we see here is fairly average.”
— Ziv Mador (12:21)
“...be very cautious about messages you get... Use your judgment... All those measures will help you... reduce the risk to a minimum.”
— Ziv Mador (12:58)
On Contact Harvesting:
“Nearly a million contacts being sent to the attacker from about 10,000 infected clients.”
— Ziv Mador (04:36)
On Command-and-Control Innovation:
“The use of the IMAP protocol…is unusual…”
— Ziv Mador (09:42)
On Overlay Attacks for Credential Theft:
“…they open artificial or fake windows that look very much like the bank site…”
— Ziv Mador (11:13)
On Campaign Sophistication:
“The level of technicality we see here is fairly average to other malware campaigns.”
— Ziv Mador (12:21)
This research-driven episode sharply details the complex, evolving nature of social engineering threats—showcasing how attackers combine personalized phishing, clever propagation through trusted networks (WhatsApp contacts), and context-aware malware activation for financial credential theft. The attackers’ use of familiar communication platforms and localized targeting illustrates the increasing precision of cybercrime operations, while the research underscores the importance of both end-user vigilance and up-to-date technical safeguards.