CHAVECLOAK is a sophisticated Windows banking trojan focused on Brazil’s financial sector, capable of credential harvesting, keystroke logging, and C2 communications. It uses multi-stage delivery via deceptive PDFs and MSI installers with persistence and targeted geo-footprinting. #CHAVECLOAK #MercadoBitcoin
Keypoints
- CHAVECLOAK targets Windows users in Brazil, aiming to steal financial information and perform unauthorized device control.
- The attack starts with a deceptive PDF containing a hidden downloader link, leading to a ZIP payload via a shortened URL.
- The payload is executed using DLL side-loading, enabling stealthy installation and system integration.
- It establishes persistence through registry modifications so that it survives reboots, and collects system information from the infected host.
- The malware polls the foreground window (GetForegroundWindow/GetWindowTextW) to detect banking sessions, then intercepts data, logs keystrokes, freezes the screen, and displays fake prompts to harvest credentials; targets include cryptocurrency exchanges such as Mercado Bitcoin.
- Communications with C2 servers occur over HTTP (e.g., specific URLs and domains), with data directed to targeted directories based on the victim’s bank.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The infection chain opens with a PDF lure whose embedded link fetches the first-stage downloader. ‘The trojan begins its infiltration by using a deceptive PDF file containing a hidden downloader link.’
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – The MSI drops a legitimate-looking application alongside a malicious Lightshot.dll, so the payload runs under the cover of a trusted process. ‘The payload is then executed using DLL side-loading techniques, enabling the malware to integrate into the system without detection.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence is achieved through registry modifications. ‘establishes persistence within the system through registry modifications.’
- [T1010] Application Window Discovery – The trojan repeatedly reads the foreground window title to recognise banking and exchange sessions; once matched, it freezes the screen, captures keystrokes, and overlays fake credential prompts (GUI input capture, T1056.002). ‘Regular window checks through “GetForegroundWindow” and “GetWindowTextW” APIs enable the trojan to intercept bank-related activities, harvesting credentials by freezing screens, capturing keystrokes, and presenting misleading pop-ups.’
- [T1056.001] Input Capture: Keylogging – Keystrokes are logged to capture login credentials. ‘log keystrokes’
- [T1071.001] Application Layer Protocol: Web Protocols – C2 traffic runs over plain HTTP to the URLs and domains listed below. ‘establishes communication with its Command and Control (C2) server.’
- [T1562.001] Impair Defenses: Disable or Modify Tools – A PowerShell command adds the payload path to the Windows Defender exclusion list so the directory is never scanned. ‘PowerShell command to remove the payload path from being scanned by Windows Defender.’
Indicators of Compromise
- [Domain] comunidadebet20102.hopto.org – C2 domain used by CHAVECLOAK
- [IP Address] 64.225.32.24 – C2 server IP referenced in the communications flow
- [URL] hxxp://64[.]225[.]32[.]24/shn/inspecionando.php – check-in URL used by the loader
- [URL] hxxp://comunidadebet20102[.]hopto[.]org – C2 domain for data exfiltration
- [File] NotafiscalGFGJKHKHGUURTURTF345.msi – MSI installer that triggers the next phase
- [File] Lightshot.dll – DLL used in the loader/payload execution
- [File] C:\Program Files (x86)\Editor-GH-[HEX ID]\Editor-[HEX ID].exe – Payload executable path (the [HEX ID] segments vary per infection)
- [Directory] %AppData%\Skillbrains\lightshot\5.5.0.7 – Directory into which the MSI extracts its files
- [Directory] 04/M/ – Example upload directory for Mercado Bitcoin-related data
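The following host-hunting script is an added example written for this page; it is not code from the SOCRadar report or from the malware. It turns the Defender-exclusion technique (T1562.001), the Run-key persistence (T1547.001) and the file and network indicators above into checks a responder can run on a suspect Windows machine. The `Editor-GH-*` and `Editor-*.exe` wildcards stand in for the variable `[HEX ID]` segments, and the `Skillbrains\lightshot` path test assumes the extraction directory sits under the current user's `%AppData%`; both are assumptions about how the listed paths generalise.

```powershell
# Added hunting script (not from the original report). Run from an elevated
# PowerShell prompt on the host under investigation. All patterns are derived
# from the IoC list above; wildcards replace the per-infection [HEX ID] values.

$findings = @()

# 1. T1562.001 - Defender exclusion paths covering the payload directory.
$exclusions = (Get-MpPreference).ExclusionPath
foreach ($p in $exclusions) {
    if ($p -like '*Editor-GH-*' -or $p -like '*Skillbrains*lightshot*') {
        $findings += "Defender exclusion for payload path: $p"
    }
}

# 2. Defender configuration-change events (Event ID 5007) that touch Exclusions\Paths,
#    which is what Add-MpPreference -ExclusionPath / Set-MpPreference leaves behind.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Exclusions\\Paths' }
foreach ($e in $events) {
    $findings += "Defender exclusion changed at $($e.TimeCreated)"
}

# 3. T1547.001 - Run keys pointing at the payload or extraction directories.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($prop in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        if ($prop.Value -like '*Editor-GH-*' -or $prop.Value -like '*lightshot*') {
            $findings += "Run key $key\$($prop.Name) -> $($prop.Value)"
        }
    }
}

# 4. On-disk artefacts: payload directory, renamed executable, side-loaded DLL,
#    and the MSI extraction directory.
$payloadDirs = Get-ChildItem -Path "${env:ProgramFiles(x86)}" -Directory `
    -Filter 'Editor-GH-*' -ErrorAction SilentlyContinue
foreach ($dir in $payloadDirs) {
    $exe = @(Get-ChildItem -Path $dir.FullName -Filter 'Editor-*.exe' -ErrorAction SilentlyContinue)
    $dll = @(Get-ChildItem -Path $dir.FullName -Filter 'Lightshot.dll' -ErrorAction SilentlyContinue)
    $findings += "Payload directory $($dir.FullName) (Editor-*.exe: $($exe.Count), Lightshot.dll: $($dll.Count))"
}
$extractDir = Join-Path $env:APPDATA 'Skillbrains\lightshot\5.5.0.7'
if (Test-Path $extractDir) { $findings += "Extraction directory present: $extractDir" }

# 5. Network indicators: resolver cache and live TCP connections.
$c2Host = 'comunidadebet20102.hopto.org'
$c2Ip   = '64.225.32.24'
if (Get-DnsClientCache -Entry $c2Host -ErrorAction SilentlyContinue) {
    $findings += "DNS cache entry for $c2Host"
}
$conns = Get-NetTCPConnection -RemoteAddress $c2Ip -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $findings += "Connection to $c2Ip from PID $($c.OwningProcess) (state $($c.State))"
}

if ($findings.Count -eq 0) {
    'No CHAVECLOAK indicators found on this host.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Two caveats when reading the output: hopto.org is a dynamic-DNS provider, so the hostname matters more than the IP, which the operators can repoint at will; and the Event ID 5007 check only works while the Defender operational log still holds the change, so on a host that has been running for a long time export the log before relying on its absence.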
Read more: https://socradar.io/chavecloak-cyber-threat-to-brazils-financial-security/