Last-minute paper: Client Maximus raises the bar

Thursday 5 October 14:00 - 14:30, Green room

Omer Agmon (IBM Trusteer)

The popularity of cybercrime in Brazil has been growing steadily during recent years, and has come to a peak with Client Maximus – a piece of financial malware and a RAT that was discovered at the end of August this year, gaining traction among cybercriminals in Latin America. Gone are the days when 'Brazilian banking trojan' was a synonym for clumsy low-end Delphi code. After setting the new technical standard for Brazil's financial malwares, the latest version of Client Maximus manages to do it again. In this talk I will familiarize the audience with this very impressive, yet little known malware, and focus on its unique deployment method.

We shall explore the impressively complex, multi-staged method with which it protects the malicious payload and deploys it upon infection. Jumping between PowerShell, VBScript and .NET code, Client Maximus decodes and decrypts multiple scripts and assemblies that are carefully orchestrated in order for it to stay as stealthy as possible. Using advanced .NET code hiding techniques, it dynamically loads pre-compiled C# code which is invisible to your everyday reflector, as we will explore in depth.

At its final stage, just before the malicious payload is executed, Client Maximus utilizes an extremely powerful public PowerShell project that practically replaces Windows Loader functionality with its own. It injects a Dynamic Load Library (DLL) into a remote process by parsing the Portable Executable (PE) header of the malicious DLL, analysing its dependencies, and injecting them one by one into the remote process, which was an innocent process up to this point. Finally, the payload is executed and the end-point is infected with the newest Client Maximus.



Omer Agmon

Omer Agmon was born in Israel in 1981. He studied information system engineering at Ben-Gurion University of the Negev, graduating in 2010. Omer joined Intel as a software engineer in 2007, where he worked as a C++ and C# developer. He then moved to IBM, where he has worked for the last three years as a Security Researcher.

Omer has a great passion for the software and hardware realm, with emphasis on the different security angles. Most of his experience is with financial malware and specifically with Latin America malware. His hobbies include playing music, jogging and electronics.







Other VB2017 papers

Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

Juan Andres Guerrero-Saade (Kaspersky Lab)
Costin Raiu (Kaspersky Lab)

Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt…

XAgent: APT28 cyber espionage on macOS

Tiberius Axinte (Bitdefender)

This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…

Mariachis and jackpotting: ATM malware from Latin America

Thiago Marques (Kaspersky Lab)

Fabio Assolini (Kaspersky Lab)

Of all the forms of attack against financial institutions in the world, the ones that are most likely to combine traditional…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.