Last-minute paper: Client Maximus raises the bar

Thursday 5 October 14:00 - 14:30, Green room

Omer Agmon (IBM Trusteer)

The popularity of cybercrime in Brazil has been growing steadily during recent years, and has come to a peak with Client Maximus – a piece of financial malware and a RAT that was discovered at the end of August this year, gaining traction among cybercriminals in Latin America. Gone are the days when 'Brazilian banking trojan' was a synonym for clumsy low-end Delphi code. After setting the new technical standard for Brazil's financial malware, the latest version of Client Maximus manages to do it again. In this talk I will familiarize the audience with this very impressive, yet little-known malware, and focus on its unique deployment method.

We shall explore the impressively complex, multi-staged method with which it protects the malicious payload and deploys it upon infection. Jumping between PowerShell, VBScript and .NET code, Client Maximus decodes and decrypts multiple scripts and assemblies that are carefully orchestrated in order for it to stay as stealthy as possible. Using advanced .NET code hiding techniques, it dynamically loads pre-compiled C# code which is invisible to your everyday reflector, as we will explore in depth.

At its final stage, just before the malicious payload is executed, Client Maximus utilizes an extremely powerful public PowerShell project that practically replaces Windows Loader functionality with its own. It injects a Dynamic Link Library (DLL) into a remote process by parsing the Portable Executable (PE) header of the malicious DLL, analysing its dependencies, and injecting them one by one into the remote process, which was an innocent process up to this point. Finally, the payload is executed and the endpoint is infected with the newest Client Maximus.



Omer Agmon

Omer Agmon was born in Israel in 1981. He studied information system engineering at Ben-Gurion University of the Negev, graduating in 2010. Omer joined Intel as a software engineer in 2007, where he worked as a C++ and C# developer. He then moved to IBM, where he has worked for the last three years as a Security Researcher.

Omer has a great passion for the software and hardware realm, with emphasis on the different security angles. Most of his experience is with financial malware and specifically with Latin American malware. His hobbies include playing music, jogging and electronics.






