Mnubot Banking Trojan Utilized Attacks on Brazilian Companies

A new banking Trojan – MnuBot – has been detected by IBM X-Force researchers which uses an unusual method of communication. Instead of using a command and control server like most other malware families, MnuBot uses Microsoft SQL Server to receive its initial configuration and for communication.
The MnuBot banking Trojan is being utilized in targeted attacks in Brazil and its main job is to make fake bank transfers through users’ open banking periods. MnuBot utilizes full-screen social engineering overlay forms which conceal the attacker’s actions, letting them carry out fake bank transfers unknown to the user. Since information is entered into the overlay form, it is captured and utilized in the underlying open banking period.
The exact method of distribution of the malware is not known, although X-Force researchers explain that most banking Trojans used in Brazil are distributed via email.
X-Force scientists clarified that the malware has the usual characteristics of a remote access Trojan (RAT) and provides the attacker complete control of an infected appliance.
By using the Microsoft SQL Database server for communication and to receive commands, the communications are harder to detect that standards C2C communications.
This is a two-stage malware variation that utilizes two base parts for attacks. Firstly, MnuBot hunts for a file known as Desk.txt in the AppData Roaming folder. MnuBot utilizes this file to establish which desktop is operating. If the file isn’t present, it is generated by the malevolent program and the user is shifted to the newly generated desktop. That desktop operates side by side with the genuine desktop.
The malware then checks for window names similar to the bank names in its configuration file. When one is identified, it queries the server for the second stage of the attack based on the bank that is being used. An executable – Neon.exe – is then downloaded to the C:UsersPublic folder. It is this executable that performs the main attack, giving the attacker full control of the infected device.
The malevolent program can take screenshots of the browser as well as desktop, logs keystrokes, mimics user clicks and keystrokes, generates bank overlay forms, and can restart an infected machine. By utilizing overlay forms the attackers can take data and insert the information into the open banking period. If additional information is required in order to carry out a transfer, the malevolent program can generate another overlay form to request the needed information.