Since December 5, CyRadar has recorded an APT campaign targeting local and foreign banking institutions. The campaign starts with an .doc text file by email, impersonating the SWIFT message (Society for Worldwide Interbank Financial Telecommunication).

Malicious code is a text file impersonating SWIFT message.

When users are tricked into opening files and turning on macros in the text file, the embedded malicious code silently downloads a  backdoor and automatically executes them. It is responsible for connecting and receiving encrypted data from the control server, after receiving data it decrypts and loads the data into the final memory, executing the corresponding malicious behaviors.

Diagram of malicious behavior.

At the time of analysis, the malicious code retrieves the encrypted data at URL hxxps://remainsproperty[.]com/yadjuzaurhedyo, after the decryption process, the analyzer finds that this is a .DLL file that has the behavior of connecting and receiving data from the control server, and then executes arbitrary malicious code from the server down.

It can be seen as a malicious code because malicious code is not packaged into a file as the usual code but receives data encrypted from the control server then decrypted and executable on the memory. This will make the antivirus software difficult to detect.

If you are a bank employee, take great care before opening a text file that is sent to you without really understanding the reason for its appearance, especially in these days, when the world is recording a massive offensive campaign targeting banks and financial institutions.

IoC (Indicators of Compromise)

System administrators, especially Banks and Financial Institutions, need to quickly check for any possible connections to this malicious domain/IP, as well as to look for hash files as follows:



Below is an analysis of malicious code attacks on a number of domestic and foreign banks.

1. doc file information

Size : 369kb Hash : e277cbd086713223cde6167393c434a442f3a16e Type : Doc

Text is embedded malicious macro, after the victim enables macro feature, the VBS code is enabled to do malicious behavior. VBS code acts to execute powershell scripts.

Malicious codes run powershell scripts.
Powershell Code after decryption.

Malicious scripts do the job of downloading the file at URL hxxps://unistreamcloud[.]com/storage/doc/lsm.exe and then saving it to the% temp% directory with the name aeibxup0.exe then executing.

2. File aeibxup0.exe

Size: 235.5 KB Hash: b9f4d4ac5ab8b4137b7f0943de03d4f0164deb9f Type : PE file

The malicious code that connects to C2 receives data from a malicious server, then decrypts it, and then executes the malicious code on the memory.

Malicious code decrypts data.

After executing the decrypted dump we get a DLL file with the following behavioral information:

Malicious code decodes the domain and then connects to the control server.

Malicious code connects and sends request.
The malicious code connects to the server
Connection behavior in debugger.

The malicious code sends a request to receive commands from the control server.

Malicious code send command request.

Malicious code reads data from the control server then decrypts and then loads the decrypted data to the executable memory.

The malicious code receives data from the server.

The code created the memory entitled to execute.

Create the memory entitled to execute.

The malicious code creates thread for another malicious behavior from the control server

Malicious code creates malicious threads

At the time of analysis, the control server did not return any other malicious data, so the official behaviors in the attack on the banks were not clear.

Conclusion: This type of malware is dangerous and sophisticated because the malicious behavior is completely stored on the server control and only executable on the memory, reducing the detection capabilities of the anti-virus software.


Truong Gang  – CyRadar Team

Related posts: