A newly discovered banking malware that's been actively targeting Brazilians behaves as a remote access trojan (RAT) and uses a Microsoft SQL Server database server as an unconventional command-and-control infrastructure.
Dubbed MnuBot, the Delphi-based malware produces web form overlays that either trick victims into entering key bank account information or stall them while cyber-criminals hijack the user endpoint and perform illegal transactions. But its capabilities also include creating browser and desktop screenshots, keylogging, simulating user clicks and keystrokes, restarting machines, and uninstalling certain antivirus software, according to a 29 May blog post published by IBM's X-Force research unit.
After the initial infection, MnuBot uses hardcoded and encrypted server details in order to connect to a malicious Microsoft SQL Server database server and commence the configuration process. Without this configuration, which determines queries and commands that can be performed and banks websites that will be targeted, the malware shuts itself down.
"It is most likely that MnuBot authors wanted to try to evade regular antivirus detection, which is based on the malware traffic. To do so, they decided to wrap their malicious network communication using seemingly innocent Microsoft SQL traffic," explains Jonathan Lusky, blog post author and IBM X-Force malware researcher.
Lusky added that this particular configuration process also allows the cyber-criminals behind MnuBot to dynamically change their activity as needed, as well as to stifle researchers by simply removing the server, making it exceedingly difficult to reverse engineer malware samples.
MnuBot's attack takes place over two stages. First, the malware searches the AppData Roaming folder for a file called Desk.txt, which it uses to determine which desktop is running on the infected machine. If the file exists, the malware knows it's running in the current desktop, but if the file is missing, the malware will create a new desktop that runs parallel to the legit desktop, and switch the user to it.
Within the desktop, MnuBot repeatedly checks the foreground window name until it finds a name similar to one of the banks it is programmed to target. At that point, it will query its C&C server for the second-stage executable (saved as C:\Users\Public\Neon.exe), which includes the social engineering forms for targeted banks, as well as the RAT capabilities that grant criminals full control over affected machines.