Mnubot Banking Trojan Used in Attacks on Brazilian Companies

June 02, 2018


A new banking Trojan, MnuBot, has been discovered by IBM X-Force researchers. It uses an uncommon communication method: rather than contacting a command-and-control (C2) server like most other malware families, MnuBot uses a Microsoft SQL Server database both to retrieve its initial configuration and for ongoing communication.

The MnuBot banking Trojan is being used in targeted attacks in Brazil, and its main purpose is to make fraudulent bank transfers through users' open banking sessions. MnuBot uses full-screen social engineering overlay forms that conceal the attacker's actions, letting them carry out fraudulent transfers without the user's knowledge. As information is entered into the overlay form, it is captured and used in the underlying open banking session.

The precise distribution method of the malware is not known, although X-Force researchers note that most banking Trojans used in Brazil are spread via email.

X-Force researchers explained that the malware has the typical characteristics of a remote access Trojan (RAT) and gives the attacker complete control of an infected device.

By using a Microsoft SQL Server database for communication and to retrieve instructions, the malware's traffic is harder to detect than standard C2 communications, since it resembles ordinary database client activity.

This is a two-stage malware variant that relies on two main components. First, MnuBot looks for a file named Desk.txt in the AppData Roaming folder. MnuBot uses this file to determine which desktop is currently running. If the file is not present, the malware creates it and switches the user to a newly created desktop. That desktop runs side by side with the genuine desktop.

The malware then checks window names against the bank names in its configuration file. When one is recognised, it asks the server for the second stage of the attack tailored to the bank being used. An executable, Neon.exe, is then copied to the C:\Users\Public\ folder. It is this executable that carries out the main attack, giving the attacker complete control of the infected device.

The malware can take screenshots of the browser and desktop, log keystrokes, simulate user clicks and keystrokes, generate bank overlay forms, and restart an infected machine. Using overlay forms, the attackers capture data and inject it into the open banking session. If additional information is required to complete a transfer, the malware can generate another overlay form to request it.
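The artifacts described in this article (the Desk.txt marker under AppData\Roaming, the Neon.exe second stage in C:\Users\Public\, and a non-database binary talking to SQL Server) can be turned into a simple endpoint triage filter. The following is an added example, not code from the X-Force report; the event field names are assumed rather than any vendor's schema, the sample events are constructed, and TCP port 1433 is assumed as the default SQL Server port (the article does not state a port).

```python
import re

# Constructed sample telemetry (not real logs). Field names are assumed.
SAMPLE_EVENTS = [
    {"event": "file_create", "image": r"C:\Users\alice\Downloads\invoice.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Desk.txt"},
    {"event": "process_create", "image": r"C:\Users\Public\Neon.exe"},
    {"event": "network_connect", "image": r"C:\Users\Public\Neon.exe",
     "dest_port": 1433},
    # Benign: an installed application talking to a database server.
    {"event": "network_connect",
     "image": r"C:\Program Files\ReportTool\report.exe", "dest_port": 1433},
    # Benign: ordinary user file activity.
    {"event": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Documents\notes.txt"},
]

# Artifacts from the report: Desk.txt under AppData\Roaming, Neon.exe in C:\Users\Public.
DESK_TXT = re.compile(r"\\AppData\\Roaming\\Desk\.txt$", re.IGNORECASE)
NEON_EXE = re.compile(r"^C:\\Users\\Public\\Neon\.exe$", re.IGNORECASE)
# Locations an unprivileged user (or a dropper) can write to.
USER_WRITABLE = re.compile(r"\\(Users\\Public|AppData|Temp)\\", re.IGNORECASE)
MSSQL_PORT = 1433  # Assumption: default SQL Server TCP port, not stated in the article.


def triage(events):
    """Return (rule_name, image) for each event matching an MnuBot indicator."""
    hits = []
    for ev in events:
        kind, image = ev.get("event"), ev.get("image", "")
        if kind == "file_create" and DESK_TXT.search(ev.get("path", "")):
            hits.append(("mnubot_desk_txt_marker", image))
        elif kind == "process_create" and NEON_EXE.match(image):
            hits.append(("mnubot_neon_exe_stage2", image))
        elif (kind == "network_connect" and ev.get("dest_port") == MSSQL_PORT
              and USER_WRITABLE.search(image)):
            # SQL-Server-as-C2: a binary in a user-writable path talking to MSSQL.
            hits.append(("mssql_from_user_writable_path", image))
    return hits


if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The third rule is a heuristic rather than a signature: legitimate database clients installed under Program Files do not trigger it, but any binary running from a user-writable path that opens a SQL Server connection does, which is exactly the pattern MnuBot's configuration retrieval produces.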