The popularity of cybercrime in Brazil has grown steadily in recent years and has reached a peak with Client Maximus, a piece of financial malware and remote access trojan (RAT) that was discovered at the end of August this year and is gaining traction among cybercriminals in Latin America. Gone are the days when 'Brazilian banking trojan' was a synonym for clumsy, low-end Delphi code. Having already set a new technical standard for Brazil's financial malware, the latest version of Client Maximus manages to do it again. In this talk I will familiarize the audience with this very impressive, yet little-known malware, and focus on its unique deployment method.
We shall explore the impressively complex, multi-stage method with which it protects the malicious payload and deploys it upon infection. Jumping between PowerShell, VBScript and .NET code, Client Maximus decodes and decrypts multiple scripts and assemblies that are carefully orchestrated so that it stays as stealthy as possible. Using advanced .NET code-hiding techniques, it dynamically loads pre-compiled C# code that is invisible to the everyday .NET decompiler, as we will explore in depth.
At its final stage, just before the malicious payload is executed, Client Maximus uses an extremely powerful public PowerShell project that practically replaces the Windows loader with its own. It injects a Dynamic-Link Library (DLL) into a remote process by parsing the Portable Executable (PE) headers of the malicious DLL, resolving the dependencies listed in its import table, and injecting them one by one into the remote process, which was a benign process up to this point. Finally, the payload is executed and the endpoint is infected with the newest Client Maximus.
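The dependency-resolution step described above, as an added example that is not code from the page or from the PowerShell project it refers to: a Python walk of the PE headers and import table, run over a constructed minimal PE32+ DLL built in memory (the DLL names and function names in it are invented sample data). This is the part a manual loader has to get right before it can inject anything: find the import directory through the data directories, translate RVAs to raw file offsets through the section table, and enumerate each descriptor's name table. Mapping sections, applying relocations and writing the IAT inside the target process are out of scope here.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import table in the data directories


def build_sample_dll() -> bytes:
    """Constructed sample input (not a real binary): a minimal PE32+ DLL whose single
    .rdata section holds only an import directory naming two DLLs and three functions."""
    imports = {"KERNEL32.dll": ["VirtualAlloc", "LoadLibraryA"],
               "ADVAPI32.dll": ["OpenProcessToken"]}
    sect_rva, sect_raw = 0x1000, 0x200
    body = bytearray(20 * (len(imports) + 1))  # room for the descriptors + null terminator
    descriptors = []
    for dll, funcs in imports.items():
        name_rvas = []
        for func in funcs:  # IMAGE_IMPORT_BY_NAME: WORD hint + NUL-terminated name, 2-byte aligned
            body += b"\0" * (len(body) % 2)
            name_rvas.append(sect_rva + len(body))
            body += struct.pack("<H", 0) + func.encode() + b"\0"
        dll_rva = sect_rva + len(body)
        body += dll.encode() + b"\0"
        body += b"\0" * (-len(body) % 8)  # 64-bit thunks are 8-byte aligned
        thunks = b"".join(struct.pack("<Q", r) for r in name_rvas) + b"\0" * 8
        int_rva = sect_rva + len(body); body += thunks  # Import Name Table (INT)
        iat_rva = sect_rva + len(body); body += thunks  # Import Address Table (IAT), patched at load time
        descriptors.append(struct.pack("<IIIII", int_rva, 0, 0, dll_rva, iat_rva))
    body[:20 * len(descriptors)] = b"".join(descriptors)

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # AMD64, 1 section, DLL
    opt = bytearray(240)  # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)  # Magic: PE32+
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, sect_rva, len(descriptors) * 20 + 20)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), sect_rva, 0x200, sect_raw,
                       0, 0, 0, 0, 0x40000040)  # INITIALIZED_DATA | MEM_READ
    image = dos + b"PE\0\0" + coff + opt + sect
    image += b"\0" * (sect_raw - len(image)) + body + b"\0" * (0x200 - len(body))
    return bytes(image)


def parse_imports(image: bytes) -> dict[str, list[str]]:
    """Walk the PE headers the way a manual loader must before it can inject a DLL.
    Returns {dll_name: [imported function or '#ordinal', ...]} in import-table order."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    nsections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x20B:    # PE32+
        is64, ndirs_off, dd_off = True, 108, 112
    elif magic == 0x10B:  # PE32: 32-bit stack/heap fields shift the directories up by 16 bytes
        is64, ndirs_off, dd_off = False, 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", image, opt + ndirs_off)[0] <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return {}  # data directory array too short to contain an import entry
    imp_rva = struct.unpack_from("<I", image, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    if imp_rva == 0:
        return {}  # image declares no imports

    # Section table: needed to map RVAs (virtual layout) onto raw file offsets.
    sections = []
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva2off(rva: int) -> int:
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstr(off: int) -> str:
        return image[off:image.index(b"\0", off)].decode("ascii")

    thunk_fmt, thunk_size = ("<Q", 8) if is64 else ("<I", 4)
    ordinal_flag = 1 << (63 if is64 else 31)
    result: dict[str, list[str]] = {}
    desc = rva2off(imp_rva)
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", image, desc)
        if name_rva == 0 and ft == 0:
            break  # an all-zero descriptor terminates the table
        funcs = []
        thunk = rva2off(oft or ft)  # prefer the INT; fall back to the IAT if OriginalFirstThunk is 0
        while (entry := struct.unpack_from(thunk_fmt, image, thunk)[0]) != 0:
            funcs.append(f"#{entry & 0xFFFF}" if entry & ordinal_flag
                         else cstr(rva2off(entry) + 2))  # +2 skips the WORD hint
            thunk += thunk_size
        result[cstr(rva2off(name_rva))] = funcs
        desc += 20
    return result


if __name__ == "__main__":
    for dll, funcs in parse_imports(build_sample_dll()).items():
        print(f"{dll}: {', '.join(funcs)}")
```

The RVA-to-offset translation is the detail that trips up home-grown loaders: the import directory is addressed in the image's virtual layout, but a loader reading the DLL from disk (or from a decrypted buffer, as in the chain described above) only has the raw file layout, so every pointer has to go through the section table. The same walk, applied to each dependency it names, is what lets a loader pull them into the target process one at a time before the payload itself runs.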