Came across this familia via this tweet.
This malware uses a single .rar file downloaded from a remote resource and is geofenced to MX IP addresses and contains within a .CMD file with the payload inside it. In essence it targets Outlook stored passwords in registry and chrome databases.
Once the .cmd file runs, it calls the following commands in sequence:
more +5 C:\Users\user\Desktop\FichaReembolso.cmd
certutil -decode -f ~~ "C:\Users\user\AppData\Roaming\jkjlhkj\exe\v22.214.171.124_20180315\RINDI%xxxxx%.exe
cmdline: certutil -decode -f C:\Users\user\Desktop\FichaReembolso.cmd "C:\Users\user\AppData\Roaming\jkjlhkj\a3x\X2NI\FichaReembolso.a3x"
wmic process call create '"C:\Users\user\AppData\Roaming\jkjlhkj\exe\v126.96.36.199_20180315\RINDI%xxxxx%.exe
It uses the more cmd to check that the file does indeed exist and then proceeds to decode the payload contained within the CMD line file. This payload contains an autoit binary as well as a compiled autoit3 script to execute the payload. The following structure is created:
The folder A3X/X2NI contains the compiled autoit script which once decompiled allows us to continue extracting data. The decompiled autoit3 script contains auxiliary functions to download files and checks if all the required files are present. It needs the SQLite3 DLLs to query the browser's database files and check for the history via this query:
In these samples the list of banks targeted are all from MX, as expected from the geofencing restrictions:
If any of the URLs is present in the database, then the data is posted to the remote server (OS Language, Keyboard layout, ISADMIN, Architecture) and uses taskkill to kill the chrome.exe process. It uses the user-agent Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
It does not only target chrome but also tries to steal stored outlook POP3/SMTP/IMAP credentials found on the target machine by extracting them from the registry. Auxiliary functions allow the script to decode the stored data and unprotect it by making use of WINAPIs (CryptUnprotectData)
The script makes use of binaries that are already present in the system to gather all the required information, it takes advantage of WMIC to identify the infected OS operative system. Additionally, it has an auxiliary function to check if it is Windows 7:
Only after it has finished its tasks it will prompt a MessageBox containing saying there was an error during the execution and attempts to run a VBS file. I suspect the VBS file is some sort of cleanup file OR the next stage, but I was not able to get it during my analysis. (If you came across it, please let me know)