MnuBot Banking Trojan Used in Attacks on Brazilian Firms

IBM X-Force researchers have detected a new banking Trojan, MnuBot, that uses an unusual method of communication. Instead of using a command and control server like most other malware families, MnuBot uses Microsoft SQL Server to receive its initial configuration and for communication.

The MnuBot banking Trojan is being used in targeted attacks in Brazil and its primary function is to make fraudulent bank transfers via users’ open banking sessions. MnuBot uses full-screen social engineering overlay forms which hide the attacker’s activities, allowing them to perform fraudulent bank transfers unbeknown to the user. As information is entered into the overlay form, it is captured and used in the underlying open banking session.

The exact method of distribution of the malware is not known, although X-Force researchers explain that most banking Trojans used in Brazil are distributed via email.

X-Force researchers explained that the malware has the typical features of a remote access Trojan (RAT) and gives the attacker full control of an infected device.

Because the malware uses a Microsoft SQL Server database for communication and to receive commands, its communications are harder to detect than standard C2 communications.

This is a two-stage malware variant that uses two base components for attacks. Initially, MnuBot searches for a file called Desk.txt in the AppData Roaming folder. MnuBot uses this file to determine which desktop is running. If the file is not present, it is created by the malware and the user is switched to the newly created desktop. That desktop runs side by side with the legitimate desktop.

The malware then checks for window names similar to the bank names in its configuration file. When one is identified, it queries the server for the second stage of the attack based on the bank that is being used. An executable – Neon.exe – is then downloaded to the C:\Users\Public\ folder. It is this executable that performs the main attack, giving the attacker full control of the infected device.

The malware can take screenshots of the browser and desktop, log keystrokes, simulate user clicks and keystrokes, create bank overlay forms, and restart an infected machine. By using overlay forms, the attackers can capture data and enter the information into the open banking session. If further information is needed in order to perform a transfer, the malware can create another overlay form to request the necessary information.
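A detection-side illustration of the artifacts described above, added here and not taken from IBM X-Force or the original article: it flags the Desk.txt marker in AppData\Roaming, Neon.exe written to C:\Users\Public\, and workstation processes that connect to SQL Server, then correlates them per host. The event format, host and process names, TCP port 1433 (SQL Server's default port) and the client allowlist are assumptions.

```python
import re
from collections import defaultdict

# File artifacts named in the article (matched case-insensitively on Windows paths).
DESK_TXT = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\desk\.txt$", re.I)
NEON_EXE = re.compile(r"^c:\\users\\public\\neon\.exe$", re.I)

# Assumptions, not from the article: 1433 is SQL Server's default TCP port, and
# this allowlist stands in for the SQL clients your workstations really run.
MSSQL_PORT = 1433
EXPECTED_SQL_CLIENTS = {"ssms.exe", "sqlcmd.exe"}

def classify(event):
    """Return an indicator name for one telemetry event, or None."""
    if event["type"] == "file_create":
        path = event["path"]
        if DESK_TXT.match(path):
            return "desk_txt_marker"
        if NEON_EXE.match(path):
            return "neon_exe_drop"
    elif event["type"] == "net_connect" and event["dest_port"] == MSSQL_PORT:
        image = event["image"].rsplit("\\", 1)[-1].lower()
        if image not in EXPECTED_SQL_CLIENTS:
            return "unexpected_mssql_client"
    return None

def triage(events):
    """Group indicators per host; two or more distinct ones rate 'high'."""
    hits = defaultdict(set)
    for ev in events:
        name = classify(ev)
        if name:
            hits[ev["host"]].add(name)
    return {h: ("high" if len(s) >= 2 else "review", sorted(s)) for h, s in hits.items()}

# Constructed sample telemetry (hosts, users and process names are made up).
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "WS-01", "path": r"C:\Users\ana\AppData\Roaming\Desk.txt"},
    {"type": "net_connect", "host": "WS-01", "image": r"C:\Users\ana\AppData\Local\Temp\upd.exe", "dest_port": 1433},
    {"type": "file_create", "host": "WS-01", "path": r"C:\Users\Public\Neon.exe"},
    {"type": "net_connect", "host": "WS-02", "image": r"C:\Tools\sqlcmd.exe", "dest_port": 1433},
    {"type": "file_create", "host": "WS-03", "path": r"C:\Users\rui\Documents\Desk.txt"},
    {"type": "net_connect", "host": "WS-04", "image": r"C:\Program Files\App\report.exe", "dest_port": 1433},
]

if __name__ == "__main__":
    for host, (severity, indicators) in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, severity, indicators)
```

A single SQL connection from an unlisted process only rates "review", since line-of-business applications legitimately talk to databases; the file artifacts are what raise a host to "high".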

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of