Full Report
Trustwave SpiderLabs researchers have recently identified a banking Trojan we dubbed Eternidade Stealer, which is distributed through WhatsApp hijacking and social engineering lures. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group.
Analysis Summary
# Tool/Technique: Eternidade Stealer
## Overview
Eternidade Stealer is a newly identified banking Trojan distributed via WhatsApp hijacking and social engineering lures. The campaign features dynamic Command and Control (C2) retrieval using IMAP and geofencing to specifically target victims in Brazil.
## Technical Details
- Type: Malware (Banking Trojan)
- Platform: Undisclosed, but Windows is implied by the VBS/MSI delivery artifacts, and the WhatsApp interaction suggests a desktop execution environment.
- Capabilities: Stealing information, C2 communication via dynamic retrieval (IMAP), evasion, and geofencing.
- First Seen: Not specified in detail; recently identified by Trustwave SpiderLabs researchers.
## MITRE ATT&CK Mapping
Due to the limited technical description of the malware's execution flow, specific mappings are inferred based on its classification as a Stealer distributed via social engineering:
- TA0001 - Initial Access
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (implied via delivery through WhatsApp lure)
  - T1204 - User Execution
    - T1204.002 - Malicious File
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information (implied by "improved evasion techniques")
- TA0011 - Command and Control
  - T1071 - Application Layer Protocol
    - T1071.004 - IMAP (explicitly mentioned for dynamic C2 retrieval)
## Functionality
### Core Capabilities
- Banking Trojan functionality (implied by name).
- Distribution via WhatsApp hijacking and social engineering.
- Execution chain appears to involve VBS scripts and MSI installers based on IOCs.
### Advanced Features
- Dynamic C2 Retrieval: Utilizes IMAP for retrieving C2 information dynamically, suggesting resilience against static blocklisting.
- Geofencing: Features environmental checks, specifically designed to target victims located in Brazil.
- Improved Evasion Techniques: Incorporates methods to bypass security checks.
- IP Allow List: The associated Redirector System supports an explicit allow list of IP addresses that bypass its other checks.
## Indicators of Compromise (IOCs)
- File Hashes:
  - VBS: `e1779d9810ad39a45759c856cc85f1148a8f6601`, `e3e24d57163e04ac16a93a698d4c8051473bccb4`
  - Whats.py: `8f3b5a0cecd4d50fc6eb52a627fe6a9179e71736`, `167cc2d716bfebc440f14ff1affe7f99b8556f2e`
  - Payload: `db5545b6136f1197fd5234695cdeff285a99208e`, `03944933d662f4e96d43750aa29bd287685c6007`
- File Names: `installer.msi` (inferred from C2 content)
- Registry Keys: Not specified.
- Network Indicators:
  - Domains: `varegjopeaks[.]com`, `centrogauchodabahia123[.]com`, `itrexmssl[.]com`, `alentodolcevitad[.]com`, `miportuarios[.]com`, `mazdafinancialsevrices[.]com`, `adilsonralfadvocaciad[.]com`, `domimoveis1[.]com[.]br`, `serverseistemasatu[.]com`
  - IPs: `104.21.48[.]41`, `162.120.71[.]56`, `185.169.234[.]139`, `83.229.17[.]71`, `140.99.164[.]172`, `174.138.187[.]2`
- Behavioral Indicators: Execution of VBS scripts (`teste_obscado.vbs`), Python scripts (`whats.py`), delivery via WhatsApp messaging.
## Associated Threat Actors
- Not explicitly named, referred to as the "threat group" behind the campaign.
## Detection Methods
- Signature-based detection: Using provided file hashes.
- Behavioral detection: Monitor for initial execution of VBS or Python scripts that originate from untrusted file execution chains (e.g., files delivered via WhatsApp).
- YARA rules: Not specified.
## Mitigation Strategies
- Remain vigilant for suspicious WhatsApp activity, especially unsolicited communication demanding file execution.
- Configure security tools to block or scrutinize suspicious file types delivered via messaging applications (MSI, VBS).
- Implement robust network monitoring to detect C2 beaconing using IMAP protocols to unknown destinations.
- Apply geofencing/geo-blocking rules if the targeting is exclusively regional (Brazil).
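A worked example of the two detection ideas above (script-host execution from untrusted delivery chains, and IMAP sessions to unknown destinations), added here and not taken from the Trustwave report: it runs simple rules over constructed telemetry lines. The key=value log format, the parent process names, the untrusted directory patterns and the allowed mail server range are all assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed corporate mail servers; IMAP sessions to anything else are flagged.
ALLOWED_IMAP_NETS = [ip_network("10.0.0.0/8")]
IMAP_PORTS = {143, 993}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "python.exe", "pythonw.exe"}
# Assumed parents that deliver files from messaging apps or browsers.
DELIVERY_PARENTS = {"whatsapp.exe", "chrome.exe", "msedge.exe"}
SCRIPT_RE = re.compile(r"\.(vbs|py)\b", re.IGNORECASE)
# Directories where a freshly downloaded file typically lands (assumed).
UNTRUSTED_DIR_RE = re.compile(r"\\(Downloads|Temp)\\", re.IGNORECASE)

def parse_event(line):
    """Parse one constructed key="value" telemetry line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def suspicious_script_exec(ev):
    """Script host running a .vbs/.py from an untrusted dir or delivery parent."""
    if ev.get("type") != "process" or ev.get("image", "").lower() not in SCRIPT_HOSTS:
        return False
    cmd = ev.get("cmdline", "")
    untrusted_origin = (UNTRUSTED_DIR_RE.search(cmd) is not None
                        or ev.get("parent", "").lower() in DELIVERY_PARENTS)
    return SCRIPT_RE.search(cmd) is not None and untrusted_origin

def unknown_imap_conn(ev):
    """IMAP connection whose destination is outside the allowed mail ranges."""
    if ev.get("type") != "network" or int(ev.get("dport", 0)) not in IMAP_PORTS:
        return False
    dst = ip_address(ev["dip"])
    return not any(dst in net for net in ALLOWED_IMAP_NETS)

def triage(lines):
    """Return (rule, key) pairs for every line that matches a rule."""
    hits = []
    for ev in map(parse_event, lines):
        if suspicious_script_exec(ev):
            hits.append(("script-exec", ev["image"]))
        elif unknown_imap_conn(ev):
            hits.append(("imap-c2", ev["dip"]))
    return hits

# Constructed sample telemetry (file names from the report, paths/IPs invented).
SAMPLE = [
    'type="process" image="wscript.exe" parent="whatsapp.exe" cmdline="wscript.exe C:\\Users\\u\\Downloads\\teste_obscado.vbs"',
    'type="process" image="python.exe" parent="cmd.exe" cmdline="python.exe C:\\Users\\u\\AppData\\Local\\Temp\\whats.py"',
    'type="process" image="python.exe" parent="code.exe" cmdline="python.exe C:\\dev\\build.py"',
    'type="network" image="python.exe" dip="10.1.2.3" dport="993"',
    'type="network" image="python.exe" dip="203.0.113.7" dport="993"',
]
```

Running `triage(SAMPLE)` flags the two script launches from download/temp paths and the IMAP session to the non-corporate address, while the developer's build script and the session to the internal mail server pass.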
## Related Tools/Techniques
- WhatsApp Hijacking/Lures: A common social engineering vector leveraged by various threat actors.
- Redirector System: Implied infrastructure used to serve payloads and potentially to manage C2 configuration; it has an internal IP allow-list feature.