Certified Information Privacy Technologist (CIPT) – Vietnamese Walk of Fame

Total: 2

Last Updated: 29-AUG-2015

All statistics are based upon personal verification. Please use them at your own risk, for reference only. The total number may differ from the public IAPP list, since it includes active, inactive and suspended certification holders, both local and overseas Vietnamese. If you are a Vietnamese (local or overseas) CIPT and your name is not in this list, or you believe any information is wrong, please contact me. Thank you so much.

ID Name Date Certified
# LINH H. TRAN
Current: Information Assurance Engineer Sr at EBS-Enterprise Operations (USA)
# HOANG BAO
Current: Director of Policy, Privacy & Data Governance at Yahoo (San Francisco Bay Area, California, USA)

©2015-2015 Philip Cao. All rights reserved. Please specify source when you copy or quote information from this website (Xin vui lòng trích dẫn nguồn khi bạn sao chép hay sử dụng lại thông tin từ website).

Certified Information Privacy Manager (CIPM) – Vietnamese Walk of Fame

Total: 1

Last Updated: 29-AUG-2015

All statistics are based upon personal verification. Please use them at your own risk, for reference only. The total number may differ from the public IAPP list, since it includes active, inactive and suspended certification holders, both local and overseas Vietnamese. If you are a Vietnamese (local or overseas) CIPM and your name is not in this list, or you believe any information is wrong, please contact me. Thank you so much.

ID Name Date Certified
# LINH H. TRAN
Current: Information Assurance Engineer Sr at EBS-Enterprise Operations (USA)


Information Systems Security Architecture Professional (CISSP-ISSAP) – Vietnamese Walk of Fame

Total: 4

Last Updated: 23-OCT-2015

All statistics are based upon personal verification. Please use them at your own risk, for reference only. The total number may differ from the public (ISC)² list, since it includes active, inactive and suspended certification holders, both local and overseas Vietnamese. If you are a Vietnamese (local or overseas) CISSP-ISSAP and your name is not in this list, or you believe any information is wrong, please contact me. Thank you so much.

• For (ISC)² certification verification, please refer to: https://webportal.isc2.org/custom/CertificationVerification.aspx
• For (ISC)² member counts, please refer to: https://www.isc2.org/member-counts.aspx

ID Name Date Certified
# HA (HAL) NGUYEN
Current: Senior Security Architect at IBM Corp (Austin, Texas, USA)
Certified: 2004
# KEN DO
Current: Director, IT Capability and Program Management Office at PepsiCo (Dallas/Fort Worth Area, Texas, USA)
# TIN VAN
Current: VP of Education, CC at Toastmasters International (Washington D.C. Metro Area, USA)
#366342 NGUYEN TRUNG LUAN
Current: Business Director at Mi2 (Vietnam)
Certified: SEP-2015


VMworld: Want to See a Wicked Cool Customer Use Case?

One of the cool things I like about my job is hearing about what our customers do as a business and how they are using our products to improve their security posture. Unfortunately, due to the nature of corporate network security, these stories rarely get told publicly, and even when they are, it’s rare we get to hear from the actual end user. That’s why I am excited about several of the sessions happening next week at VMworld that involve Palo Alto Networks and our partners and customers. I want to draw your attention to two in particular.

In the first session, Novamedia, the Dutch Postcode Lottery, will talk about how they are securing financial transactions measured in the millions of Euros using our VM-Series and VMware NSX. Now the cool thing here is what Novamedia does for a business, which is to generate and distribute funds to charities around the world.

From their CEO, Boudewijn Poelmann, “The opportunities for development are distributed unevenly throughout the world. Many people are threatened by hunger and disease and nature and the environment are hit hard by human activity. Fortunately, there are many non-profit organizations and people throughout the world who work to change this. They are worthy of our support and in need of funding and publicity for their work. It was from this perspective that the Nationale Postcode Loterij was launched in 1989.” (You can read more about Novamedia’s mission here.)

To attend the Novamedia session, look for the session titled How Novamedia protects their software Defined Datacenter with Palo Alto Networks (#SEC5452) on Tuesday from 3:30-4:30.

In the second session, Novamedia will compete with Telstra, Tribune Media and California Department of Water Resources for the title of Best Software Defined Data Center (SDDC) Project. In this case, the cool factor lies not only in the customer use cases but also in the fact that the winner will be one of our customers. How can I say that with such confidence? All four of the Best SDDC competitors use our products to protect their network in one way or another. The Best SDDC Project session happens on Monday from 4:30-5:30 (#SDDC6254-S).

Roughly two years ago, when we first released the virtualized version of our next-generation firewall, Lee Klarich, our SVP of Product Management, made the statement that our customers were embracing virtualization at a rapid pace and that the VM-Series was going to help them solve their cloud security challenges. Next week, at VMworld, you can hear firsthand how this is happening. And that is wicked cool.

[Palo Alto Networks Blog]

Banking Trojan Escelar Infects Thousands In Brazil and the US

For the past three months, Unit 42 has been tracking a banking Trojan targeting victims in Brazil and the United States. Escelar originally surfaced in January of this year and has since been seen in roughly 100,000 attempted infections.

Attackers deliver the Trojan using generic Portuguese language phishing emails and are currently targeting seven Brazilian banks. Once delivered, Escelar has multiple installation stages where malware is downloaded using direct connections to multiple Microsoft SQL servers. These SQL servers are also used for command and control (C2) functionality.

The most recently discovered Microsoft SQL server used as Escelar infrastructure contained records of 1660 infections, all of which connected within a two-day time frame.

The malware is able to control banking transactions conducted using Internet Explorer, and harvest email credentials, which are in turn used to spread the malware further.

Figure 1. AutoFocus map of victims receiving the Escelar Trojan

Infection

Escelar is distributed almost exclusively through phishing emails. A large number of emails were originally seen in the January 2015 period, and more e-mails have continued coming since then at a somewhat slower rate.

Figure 2. Graph of sessions carrying Escelar each week in 2015

These emails are often labeled using the current date, and contain a generic message to entice the victim into running the attachment.

Figure 3. Example email containing Escelar

The following top file names have been observed in attempted infections against Palo Alto Networks customers. Many of them include resume/curriculum vitae themes using female names.

Name                             Count
Curriclo_2015.exe                10227
Curriculum_Vitae_Bruna.exe        9110
Curriculum_Fernanda _Paiva.exe    6310
Curriculum_Izadora.exe            4242
Curriclo_Ana_Caroline2015.exe     2435
Seg-via-Boleto.exe                1880
Imprimir_2015.exe                 1556
Curriculum_Laura.exe              1547
Curriculu_VItae-2015.exe          1453
Currculo_2015.exe                 1428

Escelar Execution – Stage 1

After the victim unzips and executes the attached file, an executable written in .NET will be run. These executables are often obfuscated to thwart reverse engineers and any security controls that may be in place on the victim’s machine.

Important string names within Escelar samples are obfuscated using various cryptographic libraries. We have identified samples using both RijndaelEnhance and TripleDES.

Figure 4. Cryptographic function contained in Escelar

Figure 5. Encrypted string and decrypted version stored as a comment

This executable has limited functionality, and is only responsible for downloading an additional executable and establishing persistence via the Run registry key.

It begins by generating a random directory path of 8 alphabetic characters under %APPDATA%, and a file name of 15 random alphabetic characters for the executable it is about to download. Escelar then makes a direct connection to a remote Microsoft SQL server and downloads a raw binary file to that local path.

Figure 6. Microsoft SQL connection

Figure 7. Acquiring raw binary image from Microsoft SQL server

Figure 8. Raw binary image

After this file successfully downloads, the following registry key is written to ensure persistence across reboots.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [Computer Name] : [Path to Executable]

Finally, the downloaded malware is executed via a call to Interaction.Shell().
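The stage-1 persistence artifact described above (a Run value named after the computer, pointing at %APPDATA%\<8 letters>\<15 letters>.exe) is specific enough to check for. The following is an added example of such a check, not Unit 42 code: it parses `reg query` style output (the sample lines are constructed) and flags values matching the pattern; the assumption that %APPDATA% expands to ...\AppData\Roaming is noted in the code.

```python
import re

# Detection heuristic for the stage-1 persistence artifact described above:
# a Run value named after the computer that points to
# %APPDATA%\<8 letters>\<15 letters>.exe. The registry lines below are
# constructed samples, not taken from a real infection.

# Accepts the unexpanded %APPDATA% form and the expanded Roaming path
# (that %APPDATA% resolves to ...\AppData\Roaming is an assumption).
ESCELAR_PATH = re.compile(
    r"^(?:%APPDATA%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming)"
    r"\\[A-Za-z]{8}\\[A-Za-z]{15}\.exe$",
    re.IGNORECASE,
)

# One value line of 'reg query' output: <name> <REG_type> <data>
REG_LINE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(output):
    """Return (value_name, data) pairs from 'reg query' style text."""
    pairs = []
    for line in output.splitlines():
        m = REG_LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(3)))
    return pairs


def is_escelar_run_entry(name, data, computer_name):
    """True when the value is named after the host AND its path fits the pattern."""
    path = data.strip().strip('"')
    return name.lower() == computer_name.lower() and bool(ESCELAR_PATH.match(path))


def find_suspicious_entries(output, computer_name):
    """Filter parsed Run values down to those matching the Escelar artifact."""
    return [(n, d) for n, d in parse_reg_query(output)
            if is_escelar_run_entry(n, d, computer_name)]


# Constructed sample: one benign entry and one matching the described artifact.
SAMPLE_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    DESKTOP-AB12CD    REG_SZ    C:\Users\alice\AppData\Roaming\qwhtzkmo\plbzkvqwnrtcysx.exe
"""

if __name__ == "__main__":
    for name, data in find_suspicious_entries(SAMPLE_OUTPUT, "DESKTOP-AB12CD"):
        print(f"suspicious Run value {name!r} -> {data}")
```

On a live host, feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` together with the machine's own name.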

Escelar Execution – Stage 2

The second stage of the Escelar malware family shares many characteristics with the first stage. Both samples make use of direct Microsoft SQL connections, as well as encryption of important strings within the binary. They’re also both written in .NET and are often obfuscated.

This sample is once again another downloader, grabbing a raw binary image from a remote Microsoft SQL server and storing it to the following path:

%TEMP%\JO[Computer Name][Computer Virtual Memory].exe

Figure 9. Stored image in Microsoft SQL server

Finally, the malware is executed via a call to Interaction.Shell().

Escelar Execution – Stage 3

The third stage of the malware contains the banking Trojan itself. Once again this binary is written in .NET and makes direct connections to Microsoft SQL servers. It begins by dropping JCS.Components.NeroBar.dll in the Startup folder. This DLL is used to generate progress bars, and comes into play when the attacker chooses to display a ‘blocker’ on the victim’s banking webpage, which we discuss later in this section.

The malware proceeds to identify the following DLLs, which are used by various Brazilian banks to prevent malicious activity. The identifier is stored in the Microsoft SQL database in order to alert the attacker as to what plugins are installed.

File                                  Identifier
%ProgramFiles%\GbPlugin\gbieh.dll     B.B
%ProgramFiles%\GbPlugin\gbiehcef.dll  C.E.F
%ProgramFiles%\GbPlugin\gbiehuni.dll  I.T.A
%ProgramFiles%\GbPlugin\gbiehabn.dll  S.A.N.T.A
%ProgramFiles%\GbPlugin\gbiehscd.dll  S.I.C.R.E.D
%ProgramFiles%\Scpad\scpLIB.dll       B.R.A.D.A

The IdPC identifier shown in the following image is built from the following data:

  • Computer Name
  • Processor ID
  • HD Serial
  • Physical Memory
  • Virtual Memory

Figure 10. Victim infections of Escelar listed in the Database

The malware monitors the victim’s browser activity. If the user attempts to navigate to one of the targeted Brazilian banking websites, the malware takes action.

Should the victim try to open any of these banking websites in a browser other than Internet Explorer, the malware will generate a false error, close the current browser, and re-open the link in Internet Explorer.

Figure 11. False error displayed to the victim when viewing a targeted page in Google Chrome

The attacker has the ability to send a number of different commands in the ‘fun’ column of the Microsoft SQL server.

Figure 12. Commands being sent to victims

Escelar can accept the commands shown below (with their translations).

Command          Translation
xclick           click
xclick2          click 2
xtexto           text
xtextopost       text post
xtexto2          text 2
xtextopost2      text post 2
xtexto3          text 3
xtextopost3      text post 3
xmultiplotexto   multiple text
xBloq            locked
xdesbloq         unlocked
xAss1            unknown
xAss2            unknown
xreiniciar       reset
xapagartexto     delete text
xsetacima        up arrow
xsetabaixo       down arrow
xtab             tab
xtab2            tab 2
xcenter          center
xcenter2         center 2
xfecharie        ie close
xsenhacert       cert password
xtoken           token
xcelular         cell

These commands allow the attacker to manipulate a victim’s banking web session and perform fraudulent transactions among other functions.

The following screenshot shows an image that is used by the malware in order to trick victims into entering the unique authentication code sent by banks to the victim’s cellular telephone. This data is uploaded to the attackers in order to conduct fraudulent transactions.

Figure 13. Escelar tricking a victim into entering the authentication code sent to their cell phone

The following screenshot shows examples of an attacker blocking a victim’s banking web session in Internet Explorer.

Figure 14. Blocking of victim’s banking web session

These pages are specific to the bank the victim is using, as the second example below shows.

Figure 15. Blocking of victim’s banking web session

E-mail Harvesting and Spreading

Escelar includes a component that is responsible for harvesting credentials from the following web services.

  • Gmail
  • Hotmail
  • Webmail (any website containing the string “webmail” in the URL)

These credentials are stored in a remote Microsoft SQL server, and the attackers then use them to send additional e-mails containing Escelar. The totals in the database shown below indicate that 3,057 emails had been sent from these addresses; the SQL server keeps a per-address count of emails sent.

Figure 16. Table containing email addresses and tallies of spam emails sent

By harvesting email credentials from Escelar victims, the malware authors are able to further propagate Escelar in the event a portion of the email senders are blocked.

Conclusion

The Escelar threat has been active for approximately seven months, targeting primarily Brazil- and US-based users. We have collected over 600 variants to date, with roughly 100,000 attempted infections. The malware provides the attacker with multiple capabilities, including the ability to harvest email credentials and manipulate banking transaction sessions. Additionally, due to the way the malware is architected, it can easily update itself, along with the infrastructure supporting it.

Users located in Brazil and the United States that use Brazilian banking services should be aware of this threat and take necessary precautions against it, such as ensuring that suspicious emails are not opened.

Palo Alto Networks customers who are using the WildFire service are protected against this threat. Users who are using Traps with WildFire integration are protected as well. Organizations should monitor their networks for unexpected outbound Microsoft SQL traffic (App-ID mssql) that may indicate an Escelar infection.
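One way to run the check recommended above over an exported traffic log, as an added example (not Palo Alto Networks code): every stage of Escelar talks directly to a Microsoft SQL server, so workstation subnets producing mssql sessions to hosts outside RFC 1918 space are the ones to examine. The CSV rows and column names are constructed assumptions; adapt them to your own export.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed firewall traffic log (CSV), not a real capture. The column names
# are an assumption; adapt them to your own log export. "mssql" is the App-ID
# the post names for Microsoft SQL traffic.
SAMPLE_LOG = """\
time,src,dst,dport,app
2015-08-20T10:01:02,10.1.20.15,10.1.5.40,1433,mssql
2015-08-20T10:01:09,10.1.20.15,203.0.113.77,1433,mssql
2015-08-20T10:02:11,10.1.20.33,198.51.100.9,1433,mssql
2015-08-20T10:02:15,10.1.20.33,203.0.113.77,1433,mssql
2015-08-20T10:03:40,10.1.20.33,93.184.216.34,443,ssl
"""

# RFC 1918 space; anything outside it counts as an external destination.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def outbound_mssql_sessions(log_text, workstation_nets):
    """(src, dst) pairs for MSSQL sessions from workstation subnets to external hosts."""
    nets = [ipaddress.ip_network(n) for n in workstation_nets]
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        # Match on App-ID when available, else fall back to the default port.
        is_mssql = row["app"] == "mssql" or row["dport"] == "1433"
        from_workstation = any(src in n for n in nets)
        external = not any(dst in n for n in INTERNAL)
        if is_mssql and from_workstation and external:
            hits.append((row["src"], row["dst"]))
    return hits


def hosts_to_investigate(log_text, workstation_nets):
    """Number of distinct external SQL servers contacted, per workstation."""
    counts = Counter()
    for src, _dst in set(outbound_mssql_sessions(log_text, workstation_nets)):
        counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, n in hosts_to_investigate(SAMPLE_LOG, ["10.1.20.0/24"]).items():
        print(f"{host}: {n} external MSSQL destination(s)")
```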

For a list of SHA256 hashes of identified instances of Escelar and identified Microsoft SQL server domains being used by Escelar, please refer to this link.

[Palo Alto Networks Blog]
