Banking Trojan Exploits Chain of Trust to Deceive Security Tools

A fresh iteration of a banking trojan has been uncovered that exploits an authentic VMware binary to deceive security tools into accepting errant activity.

Cisco Talos first uncovered it being used in a campaign specific to Brazil. The bad actors focused on various South American banks in an attempt to steal credentials from users. Talos found that the code attempted to remain stealthy by using multiple methods of redirection while infecting the victim machine. It also used multiple anti-analysis techniques, and the final payload was written in Delphi, which Talos said is quite unique to the banking trojan landscape.

Further analysis showed that the campaign uses spam messages written in Portuguese, purporting to offer a Boleto invoice, which is akin to the PayPal of Brazil. The invoice is of course a malicious file that kickstarts a process that ends with the installation of the banking Trojan.

“Java code sets up the malware and establishes a link to a remote server to download a range of supplementary files,” IBM explained in a blog taking a closer look at the campaign. “The code then renames the previously downloaded binaries and starts a genuine binary from VMware with a digital signature. This legitimate binary, known as vm.png, fools security programs into trusting the subsequent activities of the trojan.”

What’s really notable is that the cyber-criminals are exploiting a chain of trust.

“If an initial binary, such as vm.png, is accepted, then it is assumed that subsequent libraries will also be trustworthy. Fraudsters can use this strategy to bypass security checks,” it explained. “In the case of this newly identified banking trojan, the executed binary includes a dependency known as vmwarebase.dll. This dependency is a malicious file that allows the injection of prs.png code across explorer.exe or notepad.exe.”
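A defender-side illustration of the chain-of-trust gap described above, added here and not taken from Talos, IBM or the malware itself: it judges each loaded module on its own signature instead of inheriting trust from the signed host process. The record format, field names and paths are hypothetical and constructed for this example; a real pipeline would populate them from image-load telemetry.

```python
import ntpath  # Windows path handling that works on any OS

# Hypothetical, flattened image-load records constructed for this example.
# *_signed_valid means the Authenticode signature verified for that file.
SAMPLE_EVENTS = [
    {"process_path": r"C:\Users\Public\example\vm.png", "process_signed_valid": True,
     "module_path": r"C:\Users\Public\example\vmwarebase.dll", "module_signed_valid": False},
    {"process_path": r"C:\Users\Public\example\vm.png", "process_signed_valid": True,
     "module_path": r"C:\Windows\System32\kernel32.dll", "module_signed_valid": True},
    {"process_path": r"C:\Program Files\VendorApp\host.exe", "process_signed_valid": True,
     "module_path": r"C:\Program Files\VendorApp\vmwarebase.dll", "module_signed_valid": True},
    {"process_path": r"C:\Tools\unsigned.exe", "process_signed_valid": False,
     "module_path": r"C:\Tools\helper.dll", "module_signed_valid": False},
]

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
EXEC_EXTS = {".exe", ".com", ".scr"}

def sideload_findings(events):
    """Return (host, module, reasons) for signed hosts loading unsigned same-directory modules."""
    findings = []
    for ev in events:
        host, mod = ev["process_path"], ev["module_path"]
        if not ev["process_signed_valid"] or ev["module_signed_valid"]:
            continue  # only a trusted host pulling in an untrusted module is of interest
        host_dir = ntpath.dirname(host).lower()
        if ntpath.dirname(mod).lower() != host_dir:
            continue  # module was not resolved from the host's own directory
        reasons = ["signed host loaded unsigned module from its own directory"]
        if ntpath.splitext(host)[1].lower() not in EXEC_EXTS:
            reasons.append("host image has a non-executable file extension")
        if any(marker in host_dir + "\\" for marker in USER_WRITABLE):
            reasons.append("host runs from a user-writable location")
        findings.append((host, mod, reasons))
    return findings

if __name__ == "__main__":
    for host, mod, reasons in sideload_findings(SAMPLE_EVENTS):
        print(f"{host} -> {mod}")
        for reason in reasons:
            print(f"  - {reason}")
```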

The Talos team reported that one of the other binaries the Trojan uses is packed with the software protection tool Themida, which makes it tricky for experts to unpack the threat.

“Banking trojans continue to form part of the threat landscape, they continually evolve and also can, like this specific example, be very specific to the region they are attacking,” Talos researchers said. “This often doesn't suggest the attackers are from that region but they have decided that there is perhaps less security conscious users living there. Financial gain will continue to be a huge motivator for attackers and as with this sample the evolution of the malware continues to grow. Using commercial packing platforms like Themida will continue to make analysis difficult for analysts and shows that some attackers are willing to obtain these types of commercial packers in an attempt to thwart analysis.”

Overall, the latest threat represents a fresh attack vector, IBM said: “IT managers should add this risk to an ever-growing list of malware dangers and be sure to follow security best practices for protection. These practices include cautiously opening links and attachments, not downloading files from unfamiliar websites and installing antivirus software.”
