A recently discovered banking Trojan campaign has been abusing a legitimate VMware binary to trick security products into allowing malicious binaries to load, Cisco researchers reveal.
The campaign, the security researchers say, also attempts to remain stealthy by using multiple methods of re-direction when infecting the victims’ machines. Furthermore, the attackers use a variety of anti-analysis techniques, while also employing a final payload written in Delphi, a technique rather unique to the banking Trojan landscape.
Focusing mainly on users in Brazil, the attack starts with malicious spam emails featuring messages written in Portuguese. The attackers are also attempting to convince the victim to open a malicious HTML attachment posing as a Boleto invoice.
The HTML file contains a URL that first redirects to a goo.gl URL shortener, which in turn redirects to a RAR archive containing a JAR file with malicious code that instalsl a banking Trojan. The Java code sets up the working environment of the malware and then downloads additional files from a remote server.
The Java code renames the downloaded binaries and also executes a legitimate binary from VMware, which is even signed with a VMware digital signature, the security researchers say. By loading a legitimate binary, the attackers attempt to trick security programs into trusting the libraries it would load.
One of these libraries, however, is a malicious file named vmwarebase.dll, meant to inject and execute code in explorer.exe or notepad.exe. The banking Trojan’s main module was designed to terminate the processes of analysis tools and create an autostart registry key.
The module also gets the title of the window in the foreground of the user, thus being able to identify if any of the windows pertains to a targeted financial institution located in Brazil. The Trojan then uses web injects to trick users into revealing their login credentials.
One other binary the main module loads is packed using Themida, which makes its analysis very difficult, the security researchers say. The malware was also observed sending specific strings to the command and control server each time an action was performed on the infected system.
“Financial gain will continue to be a huge motivator for attackers and as with this sample the evolution of the malware continues to grow. Using commercial packing platforms like Themida will continue to make analysis difficult for analysts and shows that some attackers are willing to obtain these types of commercial packers in an attempt to thwart analysis,” Cisco concludes.
Related: Targeted FlokiBot Attacks Hit PoS Systems in Brazil
Related: Banking Trojan Uses NSA-Linked Exploit

More from Ionut Arghire
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Pharmaceutical Giant Eisai Takes Systems Offline Following Ransomware Attack
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- US, Israel Provide Guidance on Securing Remote Access Software
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
