Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula

Researchers have observed a new campaign by the banking Trojan Ousaban, which is actively targeting users in Spain and Portugal. This malware, previously known for its activity in Brazil, is being distributed via a sophisticated phishing scheme that employs geofencing and environmental checks to limit its reach.
The attack begins with a phishing PDF file disguised as corrupted data. This PDF contains deceptive messages prompting users to update the file, leading them to a malicious webpage. The PDF also incorporates JavaScript, which is hex-escaped to evade detection, to display an error message and direct the user to this same webpage.

The malicious webpage acts as a gatekeeper, masquerading as a source for tax documents or system installers. It performs rigorous checks on the user's environment, including IP address, device data, language, and time zone, to ensure the target is within Spain or Portugal. To further prevent circumvention, the page also blocks VPN IP addresses and employs anti-analysis techniques to identify and block automated tools like sandboxes and crawlers by examining browser characteristics.
If a user passes these environmental checks, the webpage downloads a VBS file. This script then downloads a steganographic image that appears to be a PDF icon. The VBS script extracts a ZIP file from this image, which contains the Ousaban payload. Both the image and the ZIP archive are placed in the temporary folder, and the payload is dropped to a specific directory on the victim's system. The script then deletes the temporary files to minimize its footprint.
Once executed, Ousaban establishes persistence by creating a registry value named "Financeiro" (Finance). It also creates an empty file named "maisum.dat," using its creation time as an installation timestamp. The malware then decrypts a list of bank-related strings, which are used to detect when a victim accesses specific banking services. The encryption algorithm used is a custom method common among Latin American banking Trojans, including Casbaneiro.

In this campaign, Ousaban decrypts a Pastebin link that points to configuration data containing a private IP address. However, this Pastebin link appears to be a decoy. The actual command and control (C2) IP address is obtained by resolving a hostname that changes daily. This hostname is part of a dynamically managed domain, with subdomains constructed from a hard-coded string and an MD5 hash derived from a combination of another hard-coded string and the current date. The malware obtains the current date by accessing Google's Automated Queries page.
The communication between Ousaban and the C2 server is largely encrypted using the same custom algorithm. Basic commands include requests for user information, assigning victim IDs, heartbeat signals, screen resolution retrieval, and initiating screenshot capture and remote control capabilities. When the `#Iniciar#` command is received, Ousaban begins capturing screenshots and prepares for further actions like mouse and keyboard control, clipboard injection, keylogging, and generating deceptive messages to trick the victim.
Researchers note that the threat actor is continuously evolving their malware delivery methods. The use of geofencing and environmental checks in this campaign aims to limit exposure to a specific target audience. The reliance on daily changing domains for C2 access and the use of a decoy Pastebin post are further indicators of the actor's efforts to obscure their operations.





