Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula
Published: 2026-7-1 13:0:0 Author: feeds.fortinet.com

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High

In May 2026, FortiGuard Labs identified an attack targeting users in Spain and Portugal involving the banking Trojan Ousaban. This malware has been active in Brazil and is spread through an MSI downloader. The malicious payload involves a DLL file that is run via DLL side-loading or process injection.

In this campaign, the threat actor primarily targets users in Spain and Portugal. Figure 1 shows how the attack unfolds. The phishing PDF tricks victims into visiting a malicious webpage that scans the user's environment. If they are in Spain or Portugal, the webpage downloads a VBS file to kickstart the next part of the attack. The final payload is an EXE file that is dropped onto the victim’s computer and executed by the VBS script.

Figure 1: Attack flow

PDF

As shown in Figure 2, the phishing PDF is disguised as a corrupted file and contains a deceptive message box that prompts the victim to update it. The Atualizar button, which translates to "Update" in English, links to a malicious webpage. The PDF also includes JavaScript code that displays an error message and then accesses the same webpage. This JavaScript code is hex-escaped to evade detection.

Figure 2: Screenshot of the phishing PDF

Figure 3: The JavaScript code included in the PDF file

HTML

Figure 4: The malicious webpage

The second phase of the attack involves a webpage that masquerades as a legitimate source of tax documents and system installers. A previous version of the webpage used detailed code for enforcing access controls. The webpage checks IP and device data to block unauthorized users and ensure that files are downloaded only by the intended recipients. It verifies language, time zone, and IP details to limit access to users in Spain and Portugal. To prevent bypassing this geo-restriction, the code also blocks IP addresses linked to VPNs by looking for keywords such as 'vpn' in the organization info.

Additionally, it evaluates user behavior and device characteristics, such as screen resolution, browser rendering, and font enumeration, to identify and block automated tools, such as sandboxes and crawlers, that tend to have limited browser capabilities.

Figure 5: Part of the anti-analysis code

It has a 50% chance of showing an error message and a 50% chance of downloading the fake file if the user doesn’t pass the environment check.

Figure 6: Malware behavior when the environment check fails

In this new version, anti-analysis code is not used. Environmental information is sent to the threat actor, and a PDF containing a Spanish message that translates to "Access denied. Service not available from your country" is downloaded from the webpage if access does not originate from Spain or Portugal. By performing the environment check on the server side, the threat actor obscures specific indicators, making it harder for analysts to identify the criteria used in the check.

VBS

If the user environment passes the server-side check, a VBS file is downloaded. The VBS file contains numerous benign function calls. The malicious code downloads a steganographic image that resembles a PDF icon. It extracts a ZIP file from the image and retrieves the Ousaban payload. The image and ZIP archive are dropped into the Temp folder, and the payload is dropped to C:\SysMain_5874288. After execution, the ZIP file, image file, and VBS file are deleted to minimize the footprint.

Figure 7: A ZIP file is appended to the image file
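The layout in Figure 7, an archive glued to the tail of an image, is easy to recover on the analyst side: find the image's end marker, look for the first ZIP local-file-header signature after it, and open the archive from that offset. The helper below is an added forensic example, not the malware's VBS logic; the PNG-shaped sample and the member named payload.bin are constructed in memory so it runs offline.

```python
"""Carve a ZIP archive appended to an image (PNG or JPEG), as Figure 7 shows.
Added example for this article; the sample blob is constructed, not a real sample."""
import io
import zipfile
from typing import List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND\xaeB`\x82"     # IEND chunk type + its fixed CRC: the last 8 bytes of a PNG
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
ZIP_LFH = b"PK\x03\x04"          # ZIP local file header signature


def image_end_offset(blob: bytes) -> int:
    """Return the offset just past the image's end marker, or -1 for an unknown format."""
    if blob.startswith(PNG_SIG):
        end = blob.find(PNG_IEND)
        return end + len(PNG_IEND) if end != -1 else -1
    if blob.startswith(JPEG_SOI):
        end = blob.find(JPEG_EOI, 2)
        return end + len(JPEG_EOI) if end != -1 else -1
    return -1


def carve_appended_zip(blob: bytes) -> Tuple[int, List[str]]:
    """Locate a ZIP that trails the image data and list its member names.

    Returns (zip_offset, member_names); (-1, []) when nothing is appended.
    Slicing from the local-file-header offset keeps the archive's internal
    offsets (central directory, EOCD) valid for zipfile.
    """
    start = image_end_offset(blob)
    if start == -1:
        return -1, []
    off = blob.find(ZIP_LFH, start)
    if off == -1:
        return -1, []
    try:
        with zipfile.ZipFile(io.BytesIO(blob[off:])) as zf:
            return off, zf.namelist()
    except zipfile.BadZipFile:
        return off, []


def build_sample_image(with_payload: bool) -> bytes:
    """Constructed test data: a minimal PNG-shaped blob, optionally with a ZIP appended."""
    image = PNG_SIG + b"\x00" * 16 + PNG_IEND
    if not with_payload:
        return image
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # constructed stand-in for the dropped payload; not a real executable
        zf.writestr("payload.bin", b"MZ" + b"\x90" * 64)
    return image + buf.getvalue()


if __name__ == "__main__":
    print(carve_appended_zip(build_sample_image(True)))   # (32, ['payload.bin'])
    print(carve_appended_zip(build_sample_image(False)))  # (-1, [])
```

Run it against a suspicious image from the Temp folder by passing the file's bytes to carve_appended_zip; a non-negative offset with member names is a strong indicator that the "icon" is a container rather than a picture.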

Ousaban

Once executed, Ousaban creates a registry value named Financeiro (meaning Finance in English) in the CurrentVersion\Run registry key to ensure persistence, and creates an empty file named maisum.dat, using its creation time as the installation timestamp. It then decrypts bank-related strings, which are subsequently used to check if the victim accesses a particular bank service. The list of banks is provided below:

Figure 8: Bank list

The strings are encrypted with a custom algorithm widely used by Latin American banking Trojans, including Casbaneiro.

Figure 9: Example of decryption

The first byte of the encrypted data is a random value generated during encryption and serves as the initial base offset; the encrypted payload begins with the second byte. Each ciphertext byte is XORed with the corresponding key character, and subtracting the current base offset from the XOR result yields the decrypted byte. That ciphertext byte then becomes the new base offset, and the process continues with the next byte. If the XOR result of the current byte and the corresponding key byte is smaller than the current base offset, 0xFF is added to the difference between the XOR result and the base offset.

Including a random value ensures that identical plaintexts produce different ciphertexts, thereby increasing the complexity of analysis. For example, the screenshot below shows a Heartbeat packet: every server message is the encrypted string #ON-LINE# and every client response is #StrPingOK#, yet no two of the encrypted messages are the same.

Figure 10: Heartbeat packet

Previous variants stored configurations remotely. In this attack, Ousaban decrypts a Pastebin link that points to configuration data containing a private IP address.

Figure 11: The configuration data containing a private IP address

Ousaban does not use the Pastebin post to retrieve the actual IP address. Instead, it resolves the C2 IP address by looking up a hostname that changes daily when it detects the victim accessing specific banking services via a web browser. The hostnames belong to a DDNS-managed domain. The subdomains consist of a hard-coded string "aki" and the first eight characters of an MD5 hash. The MD5 hash is generated from a string that combines a hard-coded string "a9f8b7c6e5d4f3a2b1c8d7e6f5g4h3i2j1k9l8m7n6o5p4q" and the current date. To obtain the current date, Ousaban intentionally accesses the Google Automated Queries page and extracts the date from the page.
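Because the hostname scheme is deterministic (fixed prefix, fixed seed string, current date), a defender can pre-compute candidate labels for a window of days and match DNS logs against the label shape. The code below is an added hunting example, not Ousaban's code: the "aki" prefix and the seed string are quoted from the report, while the date format, the parent DDNS zone (a placeholder) and the log lines are assumptions or constructed data. The regex match on the label shape works even if the assumed date format is wrong.

```python
"""Candidate hostnames for the daily-changing 'aki' subdomains, plus a DNS-log matcher.
Added example; the date format and the DDNS zone below are assumptions, not from the report."""
import hashlib
import re
from datetime import date, timedelta
from typing import List

SEED = "a9f8b7c6e5d4f3a2b1c8d7e6f5g4h3i2j1k9l8m7n6o5p4q"   # hard-coded string quoted in the report
PREFIX = "aki"                                              # hard-coded subdomain prefix from the report
DDNS_ZONE = "ddns-zone.example"                             # placeholder; the parent domain is not named
EXAMPLE_DAY = date(2026, 5, 1)                              # constructed date for the demo


def candidate_label(day: date, date_format: str = "%d/%m/%Y") -> str:
    """'aki' + first eight hex characters of MD5(SEED + date).

    date_format is an assumption; the report only says the current date is appended.
    """
    digest = hashlib.md5((SEED + day.strftime(date_format)).encode()).hexdigest()
    return PREFIX + digest[:8]


def candidate_hostnames(start: date, days: int, date_format: str = "%d/%m/%Y") -> List[str]:
    """Hostnames to block or alert on for a window of days (today plus the following ones)."""
    return [f"{candidate_label(start + timedelta(n), date_format)}.{DDNS_ZONE}" for n in range(days)]


# The label shape (aki + 8 hex digits) does not depend on the date format, so a pattern
# match on resolver logs catches the scheme even when the exact format is unknown.
LABEL_RE = re.compile(r"\b(aki[0-9a-f]{8})\.([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)

SAMPLE_DNS_LOG = [  # constructed log lines, not real telemetry
    "2026-05-12T09:14:02Z client=10.0.0.25 query=www.example.com type=A",
    "2026-05-12T09:14:07Z client=10.0.0.25 query=aki3f2a9c1e.ddns-zone.example type=A",
    "2026-05-12T09:15:11Z client=10.0.0.31 query=akiwrongformat.ddns-zone.example type=A",
]


def find_suspicious_queries(lines: List[str]) -> List[str]:
    """Return the hostnames in the log lines that match the aki+8-hex label pattern."""
    return [m.group(0).lower() for m in map(LABEL_RE.search, lines) if m]


if __name__ == "__main__":
    for host in candidate_hostnames(EXAMPLE_DAY, 3):
        print("candidate:", host)
    print("hits:", find_suspicious_queries(SAMPLE_DNS_LOG))
```

In practice the regex is the more robust of the two: the exact date string the sample hashes must be confirmed from a live sample or a debugger before the pre-computed candidates are trusted for blocking, whereas the label shape is fixed by the report.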

If the hostname is resolvable, Ousaban establishes a connection to the C2 server. Below is the basic command list:

#Convite#: Collect user information
#Handle#: Assign a victim ID
#ON-LINE#: Heartbeat
#xyScree#: Get screen resolution
#Iniciar#: Start screenshot capture and remote control capability

Most of the traffic between the server and Ousaban is encrypted using the previously described algorithm. Some messages consist of a command followed by its argument. For example, the following is the response when Ousaban receives the #Convite# command. The command and its arguments are separated by <#>.
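The following block ties together the two points made about the traffic: the string cipher described in the decryption section (random first byte as the initial base offset, XOR with the key, the 0xFF correction when the XOR result is below the base offset, each ciphertext byte becoming the next base offset) and the <#> separator between a command and its arguments. It is an added re-implementation written for this article, not code taken from Ousaban or from FortiGuard; the key and every sample message are constructed, and cycling the key from its first character is an assumption the report does not spell out. The encryptor is included only to show why the random seed makes identical #ON-LINE# heartbeats look different on the wire.

```python
"""Toy re-implementation of the Ousaban/Casbaneiro-style string cipher and a splitter
for <#>-delimited C2 messages.  Added example; key and messages are constructed."""
import os
from typing import List, Optional

KEY = b"ConstructedKey!"   # constructed sample key; the real key is not given in the report
SEPARATOR = "<#>"


def decrypt(data: bytes, key: bytes) -> bytes:
    """Decrypt one buffer exactly as the report describes.

    data[0] is a random seed that only serves as the first base offset; the encrypted
    payload starts at data[1].  Each ciphertext byte is XORed with the corresponding key
    byte, 0xFF is added if that result is smaller than the current base offset, the base
    offset is subtracted, and the ciphertext byte itself becomes the next base offset.
    """
    if len(data) < 2:
        return b""
    out = bytearray()
    base = data[0]
    for i in range(1, len(data)):
        x = data[i] ^ key[(i - 1) % len(key)]   # assumption: key cycles from index 0
        if x < base:
            x += 0xFF
        out.append(x - base)
        base = data[i]
    return bytes(out)


def encrypt(plain: bytes, key: bytes, seed: Optional[int] = None) -> bytes:
    """Inverse of decrypt(); here only to show how the seed randomises the output.

    Handles plaintext bytes 0x00..0xFE (the scheme cannot represent 0xFF after a non-zero
    base offset, which never matters for the ASCII strings the malware exchanges).
    """
    if seed is None:
        seed = os.urandom(1)[0]
    out = bytearray([seed])
    base = seed
    for i, p in enumerate(plain):
        x = p + base
        if x > 0xFF:            # undo the decryptor's "+ 0xFF" rule
            x -= 0xFF
        c = x ^ key[i % len(key)]
        out.append(c)
        base = c
    return bytes(out)


def parse_message(data: bytes, key: bytes) -> List[str]:
    """Decrypt a C2 message and split it into command and arguments on '<#>'."""
    return decrypt(data, key).decode("latin-1").split(SEPARATOR)


def demo() -> dict:
    """Encrypt the same heartbeat twice and parse one constructed command reply."""
    hb1 = encrypt(b"#ON-LINE#", KEY, seed=0x41)
    hb2 = encrypt(b"#ON-LINE#", KEY, seed=0xF0)
    # constructed shape of a command-with-arguments message; the real field list is not on the page
    reply = encrypt("#Convite#<#>WIN-EXAMPLE<#>user01".encode("latin-1"), KEY)
    return {
        "ciphertexts_differ": hb1 != hb2,
        "both_decrypt_to": (decrypt(hb1, KEY), decrypt(hb2, KEY)),
        "parsed_reply": parse_message(reply, KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the real key recovered from a sample, decrypt() can be pointed at captured heartbeat payloads to confirm the #ON-LINE# / #StrPingOK# exchange, which is a more reliable network signature than byte patterns, since the seed defeats static matching of the ciphertext.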

#Iniciar# starts screenshot capture and initializes various functions for further actions, such as controlling the mouse and keyboard, performing clipboard injection, implementing a keylogger, and creating a more realistic scenario to deceive the victim. The following is an example of the fake message generated in response to the C2 server's command.

Figure 12: An example of a fake message used to deceive the victim

Pastebin

The Pastebin post containing a private IP address appears to be a decoy designed to divert attention from the actual method used to retrieve the C2 IP address. However, it still provides useful threat-hunting context because Ousaban variants used in late 2025 also accessed the post. Below is the attack flow:

Figure 13: Attack flow of the attack that occurred in late 2025

There are two types of initial attack vectors. One uses a ClickFix technique to trick the victim into executing malicious code. The code downloads a VBS file, which then retrieves an MSI installer. The other uses a PDF file that directs the victim to a phishing webpage, where the MSI installer is delivered. The MSI installer contains a Rust-based downloader that downloads and executes the Ousaban payload.

Figure 14: The PDF file used in late 2025

Conclusion

The threat actor constantly advances and refines their malware delivery methods. In this campaign, they use various techniques to restrict access to the malware, such as geofencing and environmental checks, to limit exposure to the target audience. Apart from the distribution method, Ousaban depends on daily-changing domains to access the C2 IP and employs a traditional C2 setup as a decoy. Additionally, its encryption algorithm has been in use for a long time and remains effective at avoiding detection by security systems. 

This malware employs numerous advanced distribution and evasion methods. FortiGuard will continue to monitor these attack campaigns and provide appropriate protections as needed.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

W32/Ousaban.EY!tr.spy
VBS/Agent.TPX!tr.dldr
PDF/Agent.STG!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

FortiMail recognizes the phishing email as “virus detected.” In addition, real-time anti-phishing provided by FortiSandbox embedded in Fortinet’s FortiMail, web filtering, and antivirus solutions provides advanced protection against both known and unknown phishing attempts.

The FortiGuard CDR (Content Disarm and Reconstruction) service, which runs on both FortiGate and FortiMail, can disarm the malicious macros in the document.

We also suggest that organizations complete Fortinet’s free NSE training module, FCF Fortinet Certified Fundamentals. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

Domains

faturanova[.]xyz
facture-in[.]pages[.]dev
facture-arsys[.]duckdns[.]org
faturanova[.]duckdns[.]org
controlfacturas[.]site

IPs

213[.]159[.]64[.]191
162[.]33[.]179[.]46
91[.]92[.]240[.]140
78[.]40[.]209[.]32

PDFs

6bc2e11b0917f47d0557288c4f0cb20bd7589185943b989a969fdc6d3704ee73
540ee1936e61d2344b5ebc93485589a351ec2f113a9b4940ae16f3baa4807392
e2f0c2d4c1552cd81fa012043e4a5ac832582b639b7b6b7eccc0c4802d7a8ad8
9d07a83cf89685651ea8992047ae694c24f6ddef193044357debd15ce07a64fe
4c9fdc2823da505ef339d43c6ad38499b7e3447736733e42b5ab6b1afcfd42aa
5e06af187b45476ade0d953e834fced6197d0a33ac60c2575877660e26ab15e8

HTML

65c1a998bac48e02b52b1c850cd500e9fb87521e21755c3a4a491243f5f9a700
9e81ade09cc18f0fc09d73e72d2e0bffad02f52fdcc26553e473cee8cabc1567
1e77992666acbbfa0d01fcefa9cc8fbdac291e0681b35745be27c6dfb159a375
fadbb8061715128bebecf7bc59132b6bb04fe8cc39b965aa5b8722dffe28d7e7

VBS

5a2ed557c357ba8f96f2d55a8a00695987806b5df766cd1dfdab0cbed111774a
19ac18a50abb48dc0ea9524850acfaec49359e6b3bcc67c6193c2d56da812c71
48723a33bab89f174750576f9a62da35b3b9e5ac31a5a8f1ce9859a1b35bf8b8

MSI

21b24f7ee1f6bdbbb670f0394d66009ee0daa8ced57048298da715e88f7a7cdd
d4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3

EXEs

ffb9eb47cc0cb2f43e04a10dc84df13d04bca1ebacbe47fad0b669728de2f59c
18fd38988d58dd930f5992d448cc09a9400c1eafba76b820b9a83239ac48cf4e
4ca2c863d740bb7022776dccabd8ae34bb9998768928042d76ebcf08984eefcb
5837e47198a20877e1b04b270c36d9194206ee38d4f32fe3151b3c3b396c4f0d
e6e78eb2e9bd41a4bc62f7ad54d095ea9813864bebe37172ae30a1afa631fe14


Source: https://feeds.fortinet.com/~/958831322/0/fortinet/blog/threat-research~Analysis-of-Ongoing-Ousaban-Attacks-Targeting-the-Iberian-Peninsula