Recently we came across a tweet shared by StopMalvertisin, which was part of an ongoing cyberattack on the banking customers in Latin America. From the pdb of the malware, we came to know that it had some interesting strings like “KL_Final” andscorpion”, indicating it being a variant of KLBanker Trojan

The sample that we analysed, has functionalities, similar to that of an old KLBanker variants Janeleiro and Amavaldo. It is capable of tracking the user’s activity by creating a backdoor that allows the attacker to take screenshots, access clipboard data, and display fake pop-up dialogue boxes. 

Let us now get into the nuances of it.

HTML smuggling

The attackers first sends out a spear phishing email to the victim with a malicious link pointing towards a html page with a malicious javascript. The javascript contains a whole MSI binary encoded in base64. This method is called HTML smuggling. The script will drop the MSI package as a zip file to the default download location, as shown in Figure 1. 

Figure 1: JS code that downloads the MSIfile as zip

Execution of the MSIfile

The MSI file was created using the product “Advanced Installer from the company Caphyon. This product is used to create the custom msi installer. The malware file uses Advanced installers’s Custom Action and VM Detection features, which is achieved by binaries AIcustAct.dll and vmdetect.exe respectively, present inside the MSI file

The MSI file will only execute if it satisfies the following conditions,

  • Should have active Internet Connection
  • Machine should not be a VM

If the conditions are not met, it shows a pop-up message stating ‘SFPDF CLOUSX requires Internet connection for installation. Please check your network config’ before terminating itself.

The Custom Action executes a JScript code. The JScript contains obfuscated Source URL, target path and run entry location (for persistence) for the final Banker payload. All its functionalities are executed by running multiple WScript shells. The payload is stored as a PNG file Amazon S3 bucket. The PNG file is downloaded as a ZIP file under the user folder as shown in Figure 2. 

Figure 2: Renaming .png to zip 

The ZIP file contains two files, a benign executable and a malicious DLL, which is renamed and executed. Persistence is achieved by adding simple autorun entries for the executable.   

Figure 3: Deobfuscated artefacts

JScript drops a text file in the User’s temp directory as fones.txt, with a single NULL string inside, which the malware uses as a marker for infected machines. Upon execution, in an infected machine, the victim is shown a benign Adobe’s website in a browser.

DLL Sideloading

The ZIP file contains two files namely, predestinado.dmp and gratograto.dmp. The predestinado.dmp file is a benign executable, originally named identity_helper.exe, a file associated with Microsoft’s Edge browser. The file gratograto.dmp is renamed as msedge_elf.dll which is the malicious banker payload. 

Once the benign file is executed, the malicious DLL is loaded instead of the original msedge_elf.dll from “%programfiles%\\Microsoft\\Edge\\Application” folder.

The DLL is a .NET binary and has two export functions, just like in the original version of the msedge_elf.dll. Notably, both the export functions have the same functionality as shown in Figure 4.

Figure 4: Both the export function pointing to similar functions

When the benign executable (identity_helper.exe) is executed by the MSI installer, the malicious msedge_elf.dll will get sideloaded to its process, and while the said application calls one of the export functions from the loaded msedge_elf.dll, it will start executing the malicious code.

Analysis of the .NET executable

The KLBanker Trojan is known to have used the open-source library called EncryptDecryptUtils to encrypt strings. The newer variants use AES encryption for the same purpose. The encryption takes place in the following order: it encrypts the strings using AES with the key as a MD5 hash computed from string “1234”, followed by base64 encoding of the encrypted strings. All the hard coded strings are stored in a similar fashion. RC4 encryption algorithm is used for encryption of the collected data as shown in Figure 5.

Figure 5: Encryption of data using RC4
Figure 6: Checking for cda_virei.cnl file Presence

The first function, as shown in  Figure 6, checks for a file named “cda_virei.cnl” under the  user’s %Appdata% path, which gets created upon the attacker’s request. The relevance of this file is discussed in the last section.  If the file is found, a string “VERI_2.0”, otherwise the string “2.0”, is sent to the C2 server. This function is repeated throughout the program multiple times. We believe the number “2.0” is the current version of the Trojan banker. 

Figure 7: Getting the IP and port number of the C2

In the next stage, as shown in Figure 7, the IP address and port number of the C2 server is retrieved. The encoded encrypted port number (sinapolis.PARACOTSSS = 4672) is hardcoded within the binary. The URL with domain (as shown in Figure 7), stores a pastebin website URL, which holds the IP address of the C2 server. The pastebin string is also stored in the format similar to the hardcoded strings. 

One of the function, which we believe is part of the legacy code, had an encoded URL  “hxxp://20[.]56[.]5[.]27/maximajoe/index[.]php/ip[.]txt”, which might have served the C2 IP address in the previous variants.

Once the C2 IP and port is retrieved, there is a sleep for 2 seconds, after which visual configurations for a fake dialogue box is initialised. After which another function responsible for the stealing victim’s data is invoked. The following is the set of activities conducted by the malware on the victim side. 

  • Getting the user account information and system information, and checking the user account type
  • Creating a mutex for the application as ‘aaa22225Adx,Avrrthr@232323
  • Creating a thread for the function ‘Apesinfox’, which will check whether the user status is idle or active continuously and will set a variable as absenta or activo accordingly. Also sends this status to the C2.
  • Creating a new object as _client for the class ‘Labirintos’ (a class having multiple functions related to C2 packet transmission and connections)
  • Initialising the newly created object _client with two more attributes ClientState (function to check the user connectivity to C2) and ClientRead (contains functions to steal victims informations using screenshots, tracking keystrokes, mouse clicks, show fake pop-up messages and send to C2 on attacker’s command) as shown in Figure 8.
Figure 8: Dynamic functions invoked by the attacker

It then creates a timer object to load a function as an event for every 1 second, which is responsible for the following activities. 

  • Returning the name and processID of the foreground window as shown in Figure 9.
Figure 9: Retrieving ProcessID and Title Name of the bank page in an application
  • Check if any running process contains the string ‘itauaplicativo’ (application used by itau banking customers). If so, it will kill that process and create a process for chrome.exe that will open a webpage for the url ‘https://www[.]itau[.]com[.]br/’ which is the official website of itau bank.
  • It has a huge collection of bank names like BANCOBRASILCOMBRAAPFLOGIN, INTERNETBANKINGCAIXA, ITAU and others (shown end of blog), which correspond to the title name of each bank’s webpage as shown in Figure 10. 
Figure 10: Checking if the Title Name contains the bank name it wants
  • If any webpage in the list is found, it will check if a specific file is present in the %Appdata%/Roaming folder with name cda_<bankspecific>.cnl (as stated before these .cnl files are created by attackers using a function), if so, it will kill the process holding that web page and show a pop-up window as the ‘system temporarily unavailable. try later’. Otherwise, it will close the timer event, then check and start the connection to C2 as shown in Figure 11a and 11b.
Figure 11a: Kills process if cnl file present or connect to C2
Figure 11b: Connection to C2

Once the connection to the C2 is established, the attacker needs to send specific commands to the affected machine in order to receive keystrokes, screenshots, and to show fake pop-up messages luring victim’s into entering crucial credentials. 

The C2 commands from the attacker are encrypted using the RC4 algorithm, which will be decrypted at the user end. Figure 12 and Figure 13 shows the two functions that will be executed on the attackers command to show fake pop-up messages using a textbox.

Figure 12: Function responsible to show fake update messages
Figure 13: Configuration of the fake dialogue box with a textbox

  • The below images (Figure 14,15 and 16)  are stored in the resource section of the binary, they are the fake messages that are specific to each bank mentioned in Figure 10.
Figure 14: Fake dialogue box for Bradesco login
Figure 15: Fake update message
Figure 16: Fake bank message

We at K7 Labs provide detection for KLBanker. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date to safeguard their devices.

Indicators of Compromise (IOCs)

NameDetection NameHash
gratograto.dmpTrojan ( 0058c1251 )BFA88D8FFC1BE241807D6D8D8874CCFC
MNDATO.LICHYNHPP.msiTrojan ( 0001140e1 )251B406EE34BAE0EDE2110711818222C







Decrypted Bank Strings

Banco do Brasil

Caixa Economica







Mercado Pago


Banco Inter

Banco Stone

Banco Uniprime


Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Brazilian Banking Trojan Resurfaces”