Full Report
Trustwave SpiderLabs researchers have recently identified a banking Trojan we dubbed Eternidade Stealer, which is distributed through WhatsApp hijacking and social engineering lures. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group.
Analysis Summary
# Tool/Technique: Eternidade Stealer
## Overview
Eternidade Stealer is a newly identified banking Trojan distributed through a campaign that utilizes WhatsApp hijacking and social engineering lures. The campaign employs custom tools and techniques, including dynamic C2 retrieval via IMAP and geofencing to target victims, primarily in Brazil.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Likely Windows (the source does not state the platform of the final payload explicitly, but the VBS scripts in the execution chain run only on Windows)
- Capabilities: Stealing banking credentials, cryptocurrency wallets, and session cookies across multiple applications; complex C2 communication.
- First Seen: Not stated in the source; described as recently identified by Trustwave SpiderLabs.
## MITRE ATT&CK Mapping
Based on the nature of a banking Trojan and the distribution methods mentioned:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (delivered via WhatsApp message/lure)
- **TA0002 - Execution**
  - T1204 - User Execution
    - T1204.002 - Malicious File
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.004 - C2 Communications via IMAP (used for dynamic C2 retrieval)
## Functionality
### Core Capabilities
* **Banking Trojan Functionality:** Designed to steal sensitive financial information, including banking credentials and potential cryptocurrency assets.
* **Information Theft:** Capable of stealing session cookies, suggesting data exfiltration from various installed applications.
* **Malware Distribution:** Uses social engineering via WhatsApp messaging to trick users into executing malicious files.
### Advanced Features
* **Dynamic C2 Retrieval:** Employs an IMAP-based mechanism to dynamically retrieve Command and Control (C2) information, making static blocking more difficult.
* **Geofencing:** Implements checks to specifically target victims located in Brazil, suggesting region-specific targeting goals.
* **Use of Custom Scripts:** Utilizes custom tools like `Whats.py` and VBS (Visual Basic Script) files for initial execution and setup, alongside an installer (`.msi`).
* **IP Allow List:** The redirector system possesses a configuration feature to define a list of IP addresses that are always allowed to connect, bypassing other security checks.
## Indicators of Compromise
- File Hashes:
  - VBS: `e1779d9810ad39a45759c856cc85f1148a8f6601`, `e3e24d57163e04ac16a93a698d4c8051473bccb4`
  - Whats.py: `8f3b5a0cecd4d50fc6eb52a627fe6a9179e71736`, `167cc2d716bfebc440f14ff1affe7f99b8556f2e`
  - Payload (final stage): `db5545b6136f1197fd5234695cdeff285a99208e`, `3944933d662f4e96d43750aa29bd287685c6007`
- File Names: `installer.msi`
- Registry Keys: Not specified.
- Network Indicators:
  - Domains: `varegjopeaks[.]com`, `centrogauchodabahia123[.]com`, `itrexmssl[.]com`, `alentodolcevitad[.]com`, `miportuarios[.]com`, `mazdafinancialsevrices[.]com`, `adilsonralfadvocaciad[.]com`, `domimoveis1[.]com[.]br`, `serverseistemasatu[.]com`
  - IPs: `103.84.176[.]107`, `104.21.48[.]41`, `162.120.71[.]56`, `185.169.234[.]139`, `83.229.17[.]71`, `140.99.164[.]172`, `174.138.187[.]2`
- Behavioral Indicators: Execution chains involving VBScript launching subsequent stages, network communication utilizing IMAP protocol for C2 configuration retrieval.
## Associated Threat Actors
- Not explicitly named in the provided context, referred to only as the "threat group" using these tools.
## Detection Methods
- Signature-based detection: Match the file hashes listed above against files on endpoints.
- Behavioral detection: Alert on unexpected execution of VBS scripts, and on `.msi` files downloaded or executed from untrusted origins, especially shortly after activity in a messaging application. Separately, watch for IMAP connections (ports 143/993) from processes that are not standard email clients, since the malware retrieves its C2 configuration over IMAP.
- YARA rules: Not available in the summary.
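As an added illustration of the two behavioral checks above (not code from the Trustwave report), the following Python flags IMAP connections from processes outside a mail-client allow list and VBScript hosts launching a follow-on stage, over constructed telemetry; the event schema, allow lists, paths and sample values are all assumptions.

```python
"""Constructed detection logic for the behaviours described above:
(1) IMAP (143/993) connections from processes that are not mail clients and
(2) a VBScript host (wscript/cscript) spawning a later stage.
The event fields are an assumed schema, not any product's telemetry format."""
from dataclasses import dataclass

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # tune per environment
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
IMAP_PORTS = {143, 993}
SUSPICIOUS_CHILDREN = {"python.exe", "pythonw.exe", "msiexec.exe", "powershell.exe"}
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\appdata\\")


@dataclass
class Event:
    kind: str          # "net" or "proc"
    process: str       # image name of the acting process
    parent: str = ""   # parent image (proc events only)
    cmdline: str = ""  # command line (proc events only)
    dst_port: int = 0  # destination port (net events only)


def flag_imap_c2(events):
    """IMAP connections from anything not in the mail-client allow list."""
    return [e for e in events
            if e.kind == "net" and e.dst_port in IMAP_PORTS
            and e.process.lower() not in MAIL_CLIENTS]


def flag_vbs_chain(events):
    """A script host spawning a follow-on stage, or a script host running a
    .vbs from a user-writable path (the lure's usual landing spot)."""
    hits = []
    for e in events:
        if e.kind != "proc":
            continue
        parent, proc, cmd = e.parent.lower(), e.process.lower(), e.cmdline.lower()
        if parent in SCRIPT_HOSTS and proc in SUSPICIOUS_CHILDREN:
            hits.append(e)
        elif proc in SCRIPT_HOSTS and ".vbs" in cmd and any(p in cmd for p in USER_WRITABLE):
            hits.append(e)
    return hits


SAMPLE = [  # constructed telemetry, not data from the report
    Event("net", "outlook.exe", dst_port=993),
    Event("net", "python.exe", dst_port=993),
    Event("proc", "wscript.exe", parent="explorer.exe",
          cmdline=r"wscript.exe C:\Users\u\Downloads\lure.vbs"),
    Event("proc", "python.exe", parent="wscript.exe", cmdline="python.exe Whats.py"),
    Event("proc", "msiexec.exe", parent="services.exe", cmdline="msiexec.exe /V"),
]

if __name__ == "__main__":
    for e in flag_imap_c2(SAMPLE) + flag_vbs_chain(SAMPLE):
        print("ALERT", e)
```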
## Mitigation Strategies
- **User Education:** Enhance user awareness regarding suspicious links and files received via WhatsApp (social engineering countermeasures).
- **Application Control:** Restrict the execution of potentially dangerous file types like VBScript from non-standard locations.
- **Network Monitoring:** Inspect outbound traffic for unusual C2 communication patterns, specifically monitoring for IMAP usage by non-standard applications.
- **Geographic Filtering:** Implement controls or monitoring specifically related to traffic originating from or targeting Brazilian infrastructure, if that is the primary concern.
## Related Tools/Techniques
- WhatsApp hijacking/social engineering as a delivery mechanism (common in numerous campaigns).
- Use of VBS or Python scripts (`Whats.py`) as droppers/loaders.
- Use of IMAP for dynamic configuration retrieval (a more advanced C2 technique).