A recently discovered malware named MnuBot functions as a remote access trojan (RAT) and uses a Microsoft SQL Server database as its command-and-control (C&C) server. The Delphi-based malware attacks in two phases and appears to combine behaviors of recently discovered malware strains commonly used in Brazil.
In Phase 1 of the attack, the malware searches for a file named Desk.txt. If it finds the file, it does nothing, since the file's presence means it is already running on a new desktop. If the file doesn't exist, the malware creates a new desktop and switches the user to it. Server details are then decrypted and used to complete the initial configuration, while MnuBot checks for a name similar to one in its configured list of bank names and communicates with the C&C to proceed to the second stage.
Phase 2 of the MnuBot attack involves a RAT that provides the cybercriminal complete control. A web form overlay similar to the real banking website misleads the victim, prompting the user to enter credentials for access. Meanwhile, the cybercriminals can use the stolen credentials to make illegal transactions from their end. Attack and endpoint hijacking capabilities also include:
Research analysts consider the masking of malicious network communication as regular MSSQL traffic a detection evasion technique. The MnuBot developers can also dynamically change the malware's activity by modifying the configuration directly on the server. This can prevent research analysts from investigating its origins via reverse engineering, as the configuration includes strings for shutting down the malware or the database server once the threat actors detect queries on the commands and files.
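C&C traffic that looks like ordinary MSSQL only blends in if nobody checks where the SQL connection goes and which process opened it. The following is an added detection sketch, not code from the article or from any vendor: the port (SQL Server's default, 1433), the internal range, the process allow-list and the log lines are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumptions (not from the article): SQL Server's default TCP port, a
# constructed internal range, and a constructed allow-list of SQL clients.
MSSQL_PORTS = {1433}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_SQL_CLIENTS = {"sqlcmd.exe", "ssms.exe", "erp_client.exe"}

# Constructed connection log: time, host, process, destination IP, port.
SAMPLE_LOG = """\
2018-06-01T09:00:12,WS-014,sqlcmd.exe,10.20.0.5,1433
2018-06-01T09:03:40,WS-022,invoice_viewer.exe,203.0.113.77,1433
2018-06-01T09:04:02,WS-022,chrome.exe,198.51.100.10,443
2018-06-01T09:07:55,WS-031,erp_client.exe,192.0.2.44,1433
2018-06-01T09:09:13,WS-040,updater.exe,10.20.0.5,1433
"""

def score(process, dst_ip, dst_port):
    """Return a severity for one outbound connection, or None if benign."""
    if dst_port not in MSSQL_PORTS:
        return None
    addr = ipaddress.ip_address(dst_ip)
    external = not any(addr in net for net in INTERNAL_NETS)
    unexpected = process.lower() not in EXPECTED_SQL_CLIENTS
    if external and unexpected:
        return "high"    # unknown binary speaking MSSQL to an outside host
    if external:
        return "medium"  # known client, but the database is off-network
    if unexpected:
        return "low"     # internal database, unfamiliar client
    return None

def find_suspicious(log_text):
    """Parse the CSV log and return alerts for MSSQL connections worth review."""
    alerts = []
    for ts, host, process, dst_ip, dst_port in csv.reader(io.StringIO(log_text)):
        severity = score(process, dst_ip, int(dst_port))
        if severity:
            alerts.append({"time": ts, "host": host, "process": process,
                           "dst": dst_ip, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

On a network where workstations have no business reason to reach external databases, blocking outbound MSSQL at the egress firewall removes the channel rather than only detecting it.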
Cybercriminals are developing new techniques to sharpen their fraudulent activities, which calls for new and updated security solutions and awareness to protect personal and enterprise data and systems. Here are a few ways to protect your financial transactions: