Attacking Banks – Encrypted Strings and Local Content Injection
May 19, 2008 – 7:29 PM
We have been noticing quite a few binaries lately that target Brazilian banks. While most tend to have the same behavior, we found a particular piece that actually encrypted most of its strings to slow down analysis. In this blog we analyze the decryption routine and write a decryption algorithm, as well as note some other general ways to automate dumping of encrypted strings and their associated plaintext. In addition to this technical dive, we also touch on other interesting behaviors of this particular malware, including its ability to detect the presence of G-Buster Browser Defense, a security solution offered by some Brazilian banks, such as Caixa Economica Federal.
Decrypting the Strings
The executable was packed with Themida, a commercial protection offered by Oreans Technologies. Because no trial splash screen appeared on execution, the malware author most likely used a pirated copy to protect the executable.