Ousaban Campaign: New Changes Introduced

IBM X-Force Threat Intelligence has identified a recent malspam campaign targeting Portuguese speakers to deliver a VMProtected Ousaban Stealer. Ousaban is a banking trojan that steals user credentials, mainly targeting users of financial software located in Latin America. It is written in Delphi and shares commonalities with several other banking trojans active in the LATAM region. X-Force conducted a comparative analysis against previously analyzed Ousaban samples, detailing some key differences. Samples from a previous Ousaban campaign used a different obfuscation method: the final payload was UPX packed, whereas the current payload is protected with VMProtect. In addition, the previous malspam campaign included an additional stage involving JavaScript downloaders, which is absent in this case. These changes may indicate different Ousaban malware distributors.

Sample Indicators of Compromise:

https://rcw3r.app.goo.gl/7b9370cd975714d27d8121b93158ab30e0689fbbe9cfa3d75436bd629a529fba
https://d8hxy.app.goo.gl/disk1.cab
https://empresanotificacao.com/alnnov2/fbfbf3ebc8109d40c455d5cf94c6afc4
