New Banking Trojan “CHAVECLOAK” Targets Brazil | FortiGuard Labs

FortiGuard Labs uncovered CHAVECLOAK, a Brazil-focused banking trojan delivered via a malicious PDF that downloads a ZIP and uses DLL side-loading to run a malicious Lightshot.dll. The malware establishes persistence, checks in to HTTP C2 servers, monitors foreground windows for bank-related strings, captures credentials (keystrokes and form data), and uploads stolen data to different C2 paths. #CHAVECLOAK #Lightshot #MercadoBitcoin

Key points

  • Initial vector: malicious PDF contains an embedded downloader (shortened via goo.su) that redirects to a ZIP hosted on webattach.mail.yandex.net.
  • ZIP decompresses to an MSI installer (Notafiscal… .msi) that drops a legitimate executable (Lightshot.exe) and a malicious DLL (Lightshot.dll).
  • Execution uses DLL side-loading: Lightshot.exe loads Lightshot.dll to run the banking trojan code stealthily.
  • Persistence is achieved by adding a Run registry value “Lightshot” under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  • Runtime actions include creating a hex-based log file, geo-checking victims (targets Brazil), monitoring the foreground window, keylogging, blocking the screen, showing deceptive pop-ups, and stealing banking/crypto credentials.
  • Command-and-control and data exfiltration occur over HTTP(S) to multiple C2 hosts (e.g., 64.225.32.24, comunidadebet20102.hopto.org, mariashow.ddns.net) with stolen data uploaded to bank-specific paths.
  • An older variant embeds the payload in a Delphi executable’s RCData section and uses Add-MpPreference -ExclusionPath to exclude its folder from Windows Defender scans.

MITRE Techniques

  • [T1204.002] Malicious File – A crafted PDF is used to lure the user and deliver the downloader (‘…employing a malicious PDF file to propagate the banking Trojan CHAVECLOAK.’).
  • [T1105] Ingress Tool Transfer – The PDF triggers a download of a ZIP and MSI installer from a redirected URL (‘…the PDF downloading a ZIP file… hxxps://webattach.mail.yandex.net/… .zip’).
  • [T1574.002] DLL Side-Loading – The legitimate Lightshot.exe is used to load and execute the malicious Lightshot.dll (‘…utilizing DLL side-loading techniques to execute the final malware.’).
  • [T1547.001] Registry Run Keys / Startup Folder – The malware adds a registry value “Lightshot” to achieve persistence at user logon (‘…adds a registry value named “Lightshot” to “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”’).
  • [T1056.001] Input Capture: Keylogging – The trojan logs keystrokes to capture credentials (‘…log keystrokes…’).
  • [T1071.001] Application Layer Protocol: Web Protocols – The malware communicates with C2 servers over HTTP for check-ins and data upload (‘…sends an HTTP request to hxxp://64[.]225[.]32[.]24/shn/inspecionando.php.’).
  • [T1041] Exfiltration Over C2 Channel – Stolen account data and system info are sent via HTTP POSTs to C2 paths (e.g., InfoDados parameter) (‘…transmits a POST request containing essential system details and configures the account information within the “InfoDados” parameter.’).

Indicators of Compromise

  • [IP] C2/check-in server – 64[.]225[.]32[.]24
  • [URLs] Download redirect and ZIP – hxxps://goo[.]su/FTD9owO, hxxps://webattach.mail.yandex.net/message_part_real/NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUUR[.]zip
  • [Hostnames] C2 and upload hosts – comunidadebet20102[.]hopto[.]org, mariashow[.]ddns[.]net
  • [File names] Installer and malicious DLL/exe – NotafiscalGFGJKHKHGUURTURTF345.msi, Lightshot.exe, Lightshot.dll
  • [File hashes] Sample payload hashes – 51512659f639e2b6e492bba8f956689ac08f792057753705bf4b9273472c72c4, 48c9423591ec345fc70f31ba46755b5d225d78049cfb6433a3cb86b4ebb5a028 (and 5 more hashes)

Fortinet’s analysis shows the technical flow: a malicious PDF embeds a shortened downloader (goo.su) that redirects to a ZIP on webattach.mail.yandex.net. The ZIP contains an MSI installer which extracts a benign-seeming executable (Lightshot.exe), configuration files, and a suspiciously newer DLL (Lightshot.dll); the installer places these under %AppData% (e.g., %AppData%\Skillbrains\lightshot\5.5.0.7) and configures execution.

Execution leverages DLL side-loading: Lightshot.exe is used to load Lightshot.dll, which performs environment discovery (GetVolumeInformationW to build a hex ID and log file), creates persistence by adding the “Lightshot” Run registry value, and checks in to HTTP C2 endpoints (e.g., hxxp://64[.]225[.]32[.]24/shn/inspecionando.php). The malware performs geo-checks (targeting Brazil), monitors the foreground window via GetForegroundWindow/GetWindowTextW to detect bank-related windows, and supports operator actions such as screen blocking, keylogging, and deceptive pop-up injection to capture credentials.

Captured credentials and system info are packaged into HTTP POST requests (InfoDados parameter) and uploaded to different C2 paths depending on the target (for example, “04/M/” for Mercado Bitcoin). An older CHAVECLOAK variant used a Delphi executable with the payload embedded in RCData and employed Add-MpPreference -ExclusionPath to exclude its folder from Windows Defender, illustrating both delivery and defense-evasion variations across samples.
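The three host-side behaviours above (the Run value pointing into %AppData%, Lightshot.exe side-loading an unsigned Lightshot.dll from the same user-writable folder, and the Add-MpPreference -ExclusionPath command) are the ones a detection engineer can express as rules. The script below is an added example, not FortiGuard's code or output; the event records and their field names (Sysmon-style registry, image-load and process-creation events) are constructed for illustration and are assumptions.

```python
"""Detection rules for the CHAVECLOAK host behaviours, run over constructed events."""
import re

# Constructed sample telemetry (not from the report); field names are assumptions.
EVENTS = [
    {"type": "registry_set", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Lightshot",
     "data": r"C:\Users\u\AppData\Roaming\Skillbrains\lightshot\5.5.0.7\Lightshot.exe"},
    {"type": "image_load", "signed": False,
     "image": r"C:\Users\u\AppData\Roaming\Skillbrains\lightshot\5.5.0.7\Lightshot.exe",
     "loaded": r"C:\Users\u\AppData\Roaming\Skillbrains\lightshot\5.5.0.7\Lightshot.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Add-MpPreference -ExclusionPath C:\Users\u\AppData\Roaming\Skillbrains"},
    # Benign control: signed DLL loaded from Program Files must not fire.
    {"type": "image_load", "signed": True,
     "image": r"C:\Program Files\Lightshot\Lightshot.exe",
     "loaded": r"C:\Program Files\Lightshot\Lightshot.dll"},
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.I)

def rule_run_key_user_writable(ev):
    """T1547.001: a Run value whose target lives in a user-writable directory."""
    return (ev["type"] == "registry_set"
            and ev["key"].lower().endswith(r"\currentversion\run")
            and bool(USER_WRITABLE.search(ev["data"])))

def rule_sideload_unsigned(ev):
    """T1574.002: an EXE loads an unsigned, same-named DLL from its own user-writable folder."""
    if ev["type"] != "image_load" or ev["signed"]:
        return False
    exe_dir, exe_name = ev["image"].lower().rsplit("\\", 1)
    dll_dir, dll_name = ev["loaded"].lower().rsplit("\\", 1)
    return (exe_dir == dll_dir and exe_name[:-4] == dll_name[:-4]
            and bool(USER_WRITABLE.search(ev["loaded"])))

def rule_defender_exclusion(ev):
    """Defense evasion: Add-MpPreference -ExclusionPath seen on a command line."""
    return (ev["type"] == "process_create"
            and re.search(r"add-mppreference\s+-exclusionpath", ev["cmdline"], re.I) is not None)

RULES = {"run_key_user_writable": rule_run_key_user_writable,
         "dll_sideload_unsigned": rule_sideload_unsigned,
         "defender_exclusion_added": rule_defender_exclusion}

def evaluate(events):
    """Return (rule_name, event_index) for every event that matches a rule."""
    return [(name, i) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]

if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(hit)
```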

Read more: https://feeds.fortinet.com/~/873007589/0/fortinet/blog/threat-research~New-Banking-Trojan-%e2%80%9cCHAVECLOAK%e2%80%9d-Targets-Brazil