How the Javali trojan weaponizes Avira antivirus
Latin American trojans are on the rise, and Javali is another piece of malware that uses a legitimate binary from Avira AV to load into the memory of the malicious payload.
What is the Javali trojan?
The Javali trojan was first observed by the Kaspersky Team in November 2017 and described later in detail by Segurança-Informática. This piece of malware has increased in volume and sophistication in recent months. As noted in other threats from Latin American, Javali is using similar routines and calls also observed on other trojans, such as Grandoreiro, URSA and Lampion.
As described by Segurança-Informática:
(...) part of these trojan families are using padding to enlarge the binary; empty sections or even BPM images attached as a resource (...). Other trojans use this technique as it allows to evade detection and execute the malicious code on the target machines bypassing detection based on static file signatures.
The researchers said that these trojans are sharing several modules and code, a clear sign of collaboration between the Latin American threat groups. [CLICK IMAGES TO ENLARGE]
Figure 1: High-level diagram of the modus operandi of the most popular Latin American banking trojans.
Javali’s modus operandi
The malicious campaign associated with Javali begins with a common email sent to a large group of users under the radar of the criminal’s gang. The email template impersonates an invoice to lure the victims to open the email and then download the malicious archive.
Figure 2: Malicious template of Javali trojan banker (Portuguese language).
After the download of the zip archive, an MSI file is dropped with a JavaScript payload inside responsible for creating persistence and pushing the next stage from Cloud services including Google, S3 Buckets from AWS, and MediaFire file sharing service. The complete workflow of Javali trojan is presented in Figure 3.
Figure 3: High-level diagram of Javali trojan banker.
Digging into the Avira flaw
As observed above, after downloading the next stage, the trojan is executed by leveraging an Avira binary to load into the memory the final payload (the trojan itself).
The Avira.exe file, a legitimate PE file from the Avira Antivirus firm, is then used as an injector to take advantage of a technique dubbed DLL side-loading and loading into the memory a huge DLL “Avira.OE.NativeCore.dll” (6) as a child of a legitimate Parent Process ID (PPID), Segurança-Informática said.
Figure 4: Javali trojan and all the files used during the infection chain.
In detail, the Avira.exe binary, a legitimate PE file from Avira, is used to load into the memory the spoofed DLL, Avira.OE.NativeCore.dll, by abusing vulnerabilities specifically occurring when Windows Side-by-Side (WinSxS) manifests are not explicit enough about characteristics of the DLL to be loaded.
Looking at the Windows native called LoadLibrary() and LoadLibraryEx(), if the path of the target DLL is passed, then the library is only loaded from the specific path, otherwise, the following Windows default DLL search order is used:
- The current process image file directory: the application directory.
- The system directory (e.g. system32 folder).
- The 16-bit system directory.
- The windows directory.
- The current working directory.
- The directories listed in the PATH environment variable.
As detailed in Figure 5 below, the target DLL is loaded from the current process image file directory (option one above), and then processed via the CreateFile() and ReadFile() functions.
Figure 5: Avira.exe injector vulnerable to DLL side-loading attack abused by Javali trojan.
Javali’s capabilities
Javali trojan is a sophisticated piece of malware, and its actions are loaded from Google Docs files, including its configuration, commands to execute and the address of the C2 server. As observed, the commands are encrypted and are then decrypted in run-time using its own algorithm also shared in other Latin American pieces.
Figure 6: Javali configuration obtained from Google Docs.
After obtaining its configuration, it starts by harvesting the target machine to potentially find credentials associated with several Cloud services, email clients and so on.
Figure 7: Part of the victim’s credentials obtained from the C2 server.
At the same time, Javali trojan is monitoring the victim’s web browser and looking for specific banking portals or financial portals. When a new match happens, a new thread is executed and a fake windows overlay is presented.
Figure 8: Javali trojan windows overlay capability.
As observed in other banking trojans, Javali supports several backdoor commands. The capabilities of these commands are:
- Obtaining screenshots with the help of the Windows Magnifying API, imported from Magnification.dll
- Logging keystrokes
- Downloading and executing further payloads
- Restricting access to various banking websites
- Mouse and keyboard simulation
- Blocking the access to several Windows applications during the malware execution (such as task manager)
- Self-updating
- Stealing credentials from several email services and banking/financial portals
Become a certified reverse engineer!
Preventing Javali malware issues
Latin American trojans are a popular family of banking trojans that have made headlines in the last decade. These days there exists a large number of technologies to protect the final user, including tokens, e-tokens, 2FA/MFA mechanisms, PIN cards and more. Nonetheless, online fraud is still a real challenge every day, with criminals using new TTPs to evade antivirus and EDR systems.
There is no effective mitigation action to combat this problem. However, there are some steps to make your system as resilient as possible against malware:
- Ensure that your operating system and software are up to date.
- Use an antivirus engine and updated anti-spam software.
- Do not trust emails from untrusted sources. For this, social engineering training should be taken into account as a good way to educate employees and people in general.
- Back up data and store it outside of the network connection.
- Keep a check on bank access and login activity in your accounts regularly. Always use multi-factor authentication to prevent stolen credentials from being used to access your secrets.
Sources:
The Tetrade, Kaspersky
Javali Trojan, Segurança-Informática
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- How the Javali trojan weaponizes Avira antivirus
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
- What is Operation Dream Job by Lazarus?
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis