Security researchers have uncovered a series of ongoing attacks that use the EngineBox malware to target financial institutions in Brazil. The attackers rely on malicious spam messages to trick employees of these companies into infecting their hosts with the threat.
How EngineBox Malware Infects Its Victims
The EngineBox malware spreads mainly through email messages that rely on social engineering. This so-called "phishing email" scheme uses template-based messages sent to employees of the targeted financial institutions. If a recipient interacts with an embedded link or file attachment, a script is activated that downloads the malware to the local computer.
The analysts found that in the case of EngineBox this is done with a VBS script that downloads a further script from an attacker-controlled site, which in turn launches a predefined set of commands that lead to the actual infection. This multi-stage infection route is designed to confuse anti-virus solutions that attempt to trace the scripts; with this bounce-style approach certain scanning engines can be bypassed.
The attackers then attempt to elevate the privileges of the downloaded file using an exploit for MS16-032, which affects virtually all modern versions of Microsoft Windows. This older vulnerability stems from an error in the way the Secondary Logon service handles requests.
EngineBox Malware Capabilities
The security analysts who uncovered the EngineBox malware have conducted an in-depth investigation of its infection flow. They found that the payload is encapsulated in several encrypted layers, which means that many anti-virus solutions may fail to identify incoming or active infections. Once the victim downloads the binary to the computer, the malware engine is started.
At the moment the hacker or criminal collective behind it is targeting the largest Brazilian financial institutions, including both private and public banks. No information is available on the identity of the developers or of the operators using it; it is possible that the malware was developed by them from scratch.
Following infection, EngineBox is able to deploy an array of malicious modules on the compromised computers. One of the main components is its browser hijacker function. This part of the code is designed to infiltrate the most popular web browsers, including Mozilla Firefox, Safari, Internet Explorer, Google Chrome, Microsoft Edge and Opera, in order to redirect users to an attacker-defined address. Typically important settings are changed to reflect this: the default home page, the new tab page and the search engine.
The hijacker components are also built to extract private information: stored cookies, bookmarks, history, settings, passwords, form data and account credentials. All of this is relayed to the attackers over a secure connection.
EngineBox is also capable of infiltrating other client programs such as FTP clients and remote desktop software. As the malware targets corporate networks, it is very likely that the criminals can obtain credentials to critical infrastructure and databases.
Once a target machine has been infected, the malware engine establishes a network connection with the attackers to report the successful infiltration. The following activities are then performed:
- EngineBox harvests sensitive system information, including hardware components, installed software and the list of running processes. Depending on the configuration of the instance, the malware can stop certain programs, change Windows settings or perform other related actions.
- Modification of essential settings can be done through the Windows registry, predefined commands or other means.
- EngineBox has been found to install a backdoor that allows the attackers to take control of the computers. Once in place, it gives the criminals an always-on option for spying on the users' activities; they may use a keylogger to steal passwords for all kinds of web services, from email to online banking.
- EngineBox can be used to compromise other computers on the network by reusing the same hard-coded exploit code.
- The attackers can use the infected machines to install additional malware on them.
EngineBox Malware Banking Attacks
One of the features of this malware is its ability to harvest credentials for online banking services. It does so using several methods. One of them relies on monitoring the victim's actions on a predefined list of sites: every time a site from the list is accessed, the malware actively looks for patterns that match username and password combinations.
The discovered samples are also able to set up a local proxy server that redirects all traffic through an attacker-controlled C&C site. Several of the collected samples show that the malware is controlled via an IRC channel, which gives the criminal operators a very flexible way to instruct the infected machines and receive the stolen data.
Such behavior allows the operators to rent out the infected machines or build large databases of harvested information. The experts rate the attack as severe, as the malware is aimed at corporations rather than regular end users. EngineBox is built to bypass security systems, which makes it a very effective weapon in the hands of a criminal collective.
Computer users can protect themselves from potential intrusions and remove active infections by employing a quality anti-spyware solution.