XPCTRA
Description
(SANS)

- The infection vector (malspam) links to a supposed PDF invoice, which actually leads the victim to download an executable file (dropper).
- Once executed, the dropper downloads a ".zip" file, unzips it and executes the malware payload.
- It then begins a series of actions, including:
  - Persists itself in the OS in order to survive a system reboot.
  - Changes firewall policies to allow the malware to communicate unrestrictedly with the Internet.
  - Instantiates Fiddler, an HTTP proxy that is used to monitor and intercept user access to the financial institutions.
  - Installs the Fiddler root certificate to prevent the user from receiving digital certificate errors.
  - Points Internet browser settings to the local proxy (Fiddler).
  - Monitors and captures user credentials while accessing the websites of two major Brazilian banks and other financial institutions.
  - Stolen credentials are sent to the criminals through an unencrypted C&C channel.
  - Establishes an encrypted channel to allow the victim's system to be controlled by the attackers (RAT).
  - Monitors and captures user credentials while accessing email services like Microsoft Live, Terra, IG and Hotmail. These accesses are used to spread the malware further.
After posting the EngineBox malware analysis last month, through community feedback I came to know that the threat embedded a framework called QuasarRAT, developed in C#. The goal of this framework is to provide a tool for remote access and management of Windows computers, hence the name RAT (Remote Access Tool).
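The behaviour listed in the description leaves host artefacts that can be checked directly: a Fiddler root certificate in the trusted root store, WinINET proxy settings pointing at a local listener, Run-key persistence, and a firewall left disabled or opened to any program. The following PowerShell triage script is an added example written for this card; it is not from the SANS write-up, the XPCTRA sample, or any tooling the page describes. It assumes Fiddler's default root certificate subject ("DO_NOT_TRUST_FiddlerRoot", matched loosely on "Fiddler") and that the local proxy is reached via 127.0.0.1 or localhost; neither detail is stated on this page.

```powershell
# Added triage example for the XPCTRA artefacts described above.
# Not the SANS author's code and not part of the malware; written for this card.
# Assumptions (not on this page): Fiddler's root CN contains "Fiddler"
# (default is DO_NOT_TRUST_FiddlerRoot) and the proxy is local (127.0.0.1/localhost).
# Run in an elevated PowerShell 5.1+ session on the suspect Windows host.

$findings = @()
function Add-Finding([string]$Check, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Check = $Check; Detail = $Detail }
}

# 1. Fiddler root certificate installed so the victim sees no TLS warnings
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    Get-ChildItem $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'Fiddler' } |
        ForEach-Object { Add-Finding 'FiddlerRootCert' "$store $($_.Subject) thumbprint=$($_.Thumbprint)" }
}

# 2. WinINET proxy (IE/Edge and most Windows apps) pointed at a local proxy
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyEnable -eq 1 -and $inet.ProxyServer -match '^(127\.0\.0\.1|localhost)') {
    Add-Finding 'LocalProxy' "ProxyServer=$($inet.ProxyServer)"
}

# 3. Run-key persistence (survives reboot); review every entry, not just suspicious names
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { Add-Finding 'RunKey' "$key\$($_.Name) = $($_.Value)" }
    }
}

# 4a. Firewall profiles switched off entirely
Get-NetFirewallProfile -ErrorAction SilentlyContinue |
    Where-Object { -not $_.Enabled } |
    ForEach-Object { Add-Finding 'FirewallProfileDisabled' $_.Name }

# 4b. Enabled allow rules that apply to any program (what "communicate unrestrictedly" looks like)
Get-NetFirewallRule -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        if ($app.Program -eq 'Any' -and $_.DisplayName -notmatch '^(Core Networking|File and Printer)') {
            Add-Finding 'FirewallAllowAny' "$($_.DisplayName) dir=$($_.Direction) profile=$($_.Profile)"
        }
    }

if ($findings.Count -eq 0) { 'No XPCTRA-style artefacts found.' } else { $findings | Format-Table -AutoSize }
```

Each check on its own produces benign hits (developers legitimately install Fiddler; many built-in allow rules apply to any program), so treat the output as a triage list to be read together: a Fiddler root certificate plus a local proxy plus an unfamiliar Run-key entry on a non-developer workstation is the combination the description above implies.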
Names
Name |
---|
XPCTRA |
Expectra |
Category
Malware
Type
- Banking trojan
- Backdoor
- Info stealer
- Credential stealer
Information
Malpedia
AlienVault OTX
Other Information
Uuid
3d13907b-bc97-4f76-aa99-7bb35a217159
Last Card Change
2020-05-24