A newly documented backdoor is being used by a threat group to install well-known banking Trojans, along with a point-of-sale (POS) malware dropper, Proofpoint security researchers warn.
Dubbed Ostap, the threat is a JScript backdoor that security researchers have associated with a Delphi dropper called MrWhite, which is used to check infected systems for POS malware and download some if none is found. The actors behind the duo, researchers say, make use of banking Trojans such as Dridex, Ursnif, and Tinba, as well as the POS threat known as AbaddonPOS (and the TinyLoader loader).
The adversary was observed focusing on financial services in countries such as Germany, Austria, and the United Kingdom, but targeting other verticals and countries as well. For distribution, the group used spam emails with malicious Microsoft Word documents attached to them, Proofpoint says.
The distribution campaigns associated with this actor weren’t too large, ranging from only a few targeted messages to several thousand broadly distributed emails. The observed messages were written in German and English, depending on where the intended victims were located.
The backdoor remains active on the infected computer after the malicious document has been closed, writes a copy of itself to the current user’s Startup folder for persistence, and also sends the computer name to the C&C server. Moreover, it can receive and run an executable payload or a script file (with “certutil”) from the C&C.
Typically, the malware is used to download an executable from the server, and that payload is either a banking Trojan (the Dridex botnet ID 3302 to target UK and French organizations, Ursnif ID 1068 to target Poland, or Tinba to target German and Austrian organizations), or the MrWhite malware. The backdoor’s operators, researchers say, rotate the payloads on a daily basis.
Written in Delphi, MrWhite was designed to compare the running process names on the infected machine against a hardcoded list. As soon as it finds a process of interest, it sends the entire process list to the C&C server, and then drops TinyLoader onto the machine.
First, MrWhite sleeps for 120 seconds, after which it combines the hardcoded list of processes into a single string and reverses it. Next, another hardcoded string is reversed (from ‘VSC OF/ tsilksat’ to ‘tasklist /FO CSV’) and executed to produce a list of running processes in comma-separated format, which is then searched for the processes of interest. If one is found, the list is sent to the C&C over HTTPS.
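Two defender-side checks for the behaviours described above (Ostap fetching payloads with certutil, MrWhite hiding ‘tasklist /FO CSV’ as a reversed string and running it), as an added example that is not Proofpoint's code or code from the malware. The CSV event format, the script-host and allowlist process names, and all sample inputs are assumptions constructed for the example:

```python
"""Detection heuristics for behaviours the article attributes to Ostap/MrWhite.
Added example, not code from Proofpoint or from the malware. The log format,
the parent/child process names and the allowlist are my assumptions, and
every sample below is constructed, not real telemetry."""
import csv
import io

# Strings worth catching when stored reversed. 'tasklist /FO CSV' and
# 'certutil' come from the article; the other two are added (assumption).
WATCHED_COMMANDS = ("tasklist /FO CSV", "certutil", "powershell", "cmd.exe")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # hosts that run JScript
TASKLIST_PARENT_ALLOWLIST = {"cmd.exe", "powershell.exe", "explorer.exe"}


def find_reversed_commands(blob: str) -> list[tuple[str, str]]:
    """Return (as_found, decoded) pairs for each watched command that
    appears reversed in blob, the trick behind 'VSC OF/ tsilksat'."""
    lower = blob.lower()
    return [(cmd[::-1], cmd) for cmd in WATCHED_COMMANDS
            if cmd[::-1].lower() in lower]


def suspicious_process_events(csv_log: str) -> list[dict]:
    """Parse process-creation events (CSV: parent,image,cmdline) and return
    those matching either heuristic: a script host spawning certutil (Ostap
    fetching a payload) or an unexpected parent running 'tasklist /FO CSV'
    (MrWhite enumerating processes)."""
    hits = []
    for ev in csv.DictReader(io.StringIO(csv_log)):
        parent, image = ev["parent"].lower(), ev["image"].lower()
        cmd = ev["cmdline"].lower()
        if image == "certutil.exe" and parent in SCRIPT_HOSTS:
            hits.append(ev)
        elif (image == "tasklist.exe" and "/fo csv" in cmd
              and parent not in TASKLIST_PARENT_ALLOWLIST):
            hits.append(ev)
    return hits


# Constructed inputs for a quick self-check.
SAMPLE_SCRIPT = 'var a = "VSC OF/ tsilksat"; var b = "litutrec";'
SAMPLE_LOG = """parent,image,cmdline
explorer.exe,winword.exe,WINWORD.EXE invoice.doc
winword.exe,wscript.exe,wscript.exe //E:JScript update.txt
wscript.exe,certutil.exe,certutil payload.txt
5678987654.exe,tasklist.exe,tasklist /FO CSV
cmd.exe,tasklist.exe,tasklist /FO CSV
"""
```

Running `find_reversed_commands(SAMPLE_SCRIPT)` decodes both hidden strings, and `suspicious_process_events(SAMPLE_LOG)` flags the certutil and unexpected tasklist events while leaving the cmd.exe-launched tasklist alone.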
“Three of the MrWhite samples analyzed for this research dropped and executed an embedded TinyLoader immediately after sending the tasklist to the C&C. All of these samples dropped exactly the same instance of TinyLoader; however a different filename was used in each: ‘000.exe’, ‘001.exe’, and ‘5678987654.exe’,” Proofpoint researchers say.
Although TinyLoader wasn’t observed receiving any commands to download additional payloads, the malware was previously associated with AbaddonPOS, and a recent AbaddonPOS payload was found to communicate with the same IP address as the TinyLoader dropped by MrWhite. The AbaddonPOS malware searches for credit card data on the infected machine and then exfiltrates it to the C&C, encoding it with techniques the researchers had previously analyzed. In this instance, however, the second XOR key is the same as that IP address.
“Threat actors are constantly exploring new approaches to delivering and monetizing malware. In this case, a new group is using an undocumented backdoor and a new loader to deliver familiar banking Trojans and POS malware. By introducing new malware variants, both of which drop payloads that are often caught by existing defenses, the actor group makes detection more difficult and makes it easier to swap out final payloads,” Proofpoint says.