Hello, welcome to the Wednesday, August 30th, 2017 edition of the Sands and its Storm Center's

Stormcast. My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Now, Renato found another piece of banking malware that's implemented as a Google Chrome extension.

While the earlier one that he found sort of a week ago, it was

advertised via phone calls, this one arrives more typically in an email. Now, the way they sort of

get people to actually click on the email is by claiming that it is a termination notice from their employer.

The initial email actually looks very much like a lot of other malicious emails that are

being received these days. It's a SIPD Visual Basic script. And that may be why they're

flying a little bit under the radar because these kind of

SIPD Visual Basic scripts are so common, it's hard to analyze them all.

Now the other sort of little twist here is that the downloader that's implemented with this

visual basic script does already detect whether it's running on a virtual machine.

Typically I've seen this being done

later down the row in the infection chain. If you are a virtual machine, then all you get

back is a non-malicious JPEG file. However, if you are not running in a virtual

machine, then further malware will be downloaded that will then

install the Chrome extension. Once it is installed, this extension that calls itself ID key store

will monitor all network connections that are established with Chrome and exfiltrate authentication data.

Now, Renato lives in Brazil and the particular Malaray that he looked also had a very specific

Brazilian feature in that it intercepted what they call bolitos.

That's a compensation ticket that you issue to customers.

So if someone is issuing one of those tickets, which is really just a barcode, it will send

...