Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula
FortiGuard Labs identified an ongoing Ousaban banking Trojan campaign targeting users in Spain and Portugal, delivered via phishing PDFs that redirect victims to geofenced malicious webpages. The attack chain involves a VBS script extracting a ZIP payload from a steganographic image, with the final Ousaban EXE establishing persistence via registry Run keys and communicating with C2 servers resolved through daily-changing DDNS hostnames. The malware targets over 25 Spanish and Portuguese financial institutions and employs a custom encryption algorithm shared with the Casbaneiro family to evade detection.
Authors: Rachael Liao
Source:Fortinet
- domaincontrolfacturas[.]siteMalicious domain used in the Ousaban phishing/delivery infrastructure
- domainfacture-arsys[.]duckdns[.]orgDDNS domain used in the Ousaban attack infrastructure
- domainfacture-in[.]pages[.]devPhishing webpage URL embedded in PDF JavaScript; masquerades as tax document portal targeting Spanish/Portuguese users
- domainfaturanova[.]duckdns[.]orgDDNS domain used in the Ousaban attack infrastructure
- domainfaturanova[.]xyzMalicious domain used in the phishing/delivery infrastructure for the Ousaban campaign
- ip162[.]33[.]179[.]46Confirmed C2 IP address observed in attack chain diagram communicating with Ousaban payload
- ip213[.]159[.]64[.]191Malicious IP associated with Ousaban campaign infrastructure
- ip78[.]40[.]209[.]32Malicious IP associated with Ousaban campaign infrastructure
- ip91[.]92[.]240[.]140Malicious IP associated with Ousaban campaign infrastructure
- sha25618fd38988d58dd930f5992d448cc09a9400c1eafba76b820b9a83239ac48cf4eOusaban EXE payload
- sha25619ac18a50abb48dc0ea9524850acfaec49359e6b3bcc67c6193c2d56da812c71Malicious VBS file used in Ousaban campaign
- sha2561e77992666acbbfa0d01fcefa9cc8fbdac291e0681b35745be27c6dfb159a375Malicious HTML page used in Ousaban campaign
- sha25621b24f7ee1f6bdbbb670f0394d66009ee0daa8ced57048298da715e88f7a7cddMSI installer containing Rust-based downloader used in late 2025 Ousaban variant delivery
- sha25648723a33bab89f174750576f9a62da35b3b9e5ac31a5a8f1ce9859a1b35bf8b8Malicious VBS file used in Ousaban campaign
- sha2564c9fdc2823da505ef339d43c6ad38499b7e3447736733e42b5ab6b1afcfd42aaPhishing PDF used in Ousaban campaign
- sha2564ca2c863d740bb7022776dccabd8ae34bb9998768928042d76ebcf08984eefcbOusaban EXE payload
- sha256540ee1936e61d2344b5ebc93485589a351ec2f113a9b4940ae16f3baa4807392Phishing PDF used in Ousaban campaign
- sha2565837e47198a20877e1b04b270c36d9194206ee38d4f32fe3151b3c3b396c4f0dOusaban EXE payload
- sha2565a2ed557c357ba8f96f2d55a8a00695987806b5df766cd1dfdab0cbed111774aMalicious VBS file downloaded from phishing webpage; downloads steganographic image and extracts Ousaban payload
- sha2565e06af187b45476ade0d953e834fced6197d0a33ac60c2575877660e26ab15e8Phishing PDF used in Ousaban campaign
- sha25665c1a998bac48e02b52b1c850cd500e9fb87521e21755c3a4a491243f5f9a700Malicious HTML page used in Ousaban campaign
- sha2566bc2e11b0917f47d0557288c4f0cb20bd7589185943b989a969fdc6d3704ee73Phishing PDF disguised as corrupted file with hex-escaped JavaScript linking to malicious webpage
- sha2569d07a83cf89685651ea8992047ae694c24f6ddef193044357debd15ce07a64fePhishing PDF used in Ousaban campaign
- sha2569e81ade09cc18f0fc09d73e72d2e0bffad02f52fdcc26553e473cee8cabc1567Malicious HTML page used in Ousaban campaign
- sha256d4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3MSI installer containing Rust-based downloader for Ousaban
- sha256e2f0c2d4c1552cd81fa012043e4a5ac832582b639b7b6b7eccc0c4802d7a8ad8Phishing PDF used in Ousaban campaign
- sha256e6e78eb2e9bd41a4bc62f7ad54d095ea9813864bebe37172ae30a1afa631fe14Ousaban EXE payload
- sha256fadbb8061715128bebecf7bc59132b6bb04fe8cc39b965aa5b8722dffe28d7e7Malicious HTML page used in Ousaban campaign
- sha256ffb9eb47cc0cb2f43e04a10dc84df13d04bca1ebacbe47fad0b669728de2f59cOusaban EXE payload dropped and executed by VBS script on victim machine
- urlhxxps://facture-in[.]pages[.]devFull phishing URL embedded in PDF JavaScript; launches when victim clicks 'Atualizar' button or JavaScript auto-redirects
Detection / Hunteropenrouter
What Happened
A type of malicious software called a banking Trojan (named Ousaban) has been targeting people in Spain and Portugal. The attackers send fake documents (like fake tax forms) that trick victims into visiting a malicious website. The website checks if the visitor is actually in Spain or Portugal before delivering the malware, making it harder for security researchers to study. Once installed, the malware watches when victims access their online banking and can capture screenshots, log keystrokes, and even control the mouse and keyboard to steal money. The malware is designed to change its communication addresses daily, making it difficult to block. Organizations should ensure their security software is up to date and train employees to recognize suspicious email attachments and fake websites.
Key Takeaways
- Ousaban banking Trojan expanded targeting from Brazil to Spain and Portugal, using geofencing and server-side environment checks to restrict malware delivery to intended victims
- Attack chain uses phishing PDF with hex-escaped JavaScript linking to a fake tax document portal, which delivers a VBS script that extracts a ZIP from a steganographic image to drop the final EXE payload
- Malware persists via a registry Run key value named 'Financeiro' and creates an empty file 'maisum.dat' as an installation timestamp marker
- C2 resolution uses a DDNS-based daily-changing hostname scheme combining the string 'aki' with the first 8 characters of an MD5 hash derived from a hard-coded key and the current date fetched from Google
- A Pastebin link containing a private IP is used as a decoy to divert analysts from the real DDNS-based C2 resolution mechanism
- Custom encryption algorithm shared with Casbaneiro family ensures identical plaintexts produce different ciphertexts, complicating traffic analysis
Affected Systems
- Microsoft Windows
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Phishing PDF disguised as corrupted file with hex-escaped JavaScript prompts victim to click 'Atualizar' button or auto-redirects to malicious webpage
- Delivery: Geofenced webpage verifies victim is in Spain/Portugal via server-side checks (timezone, IP, language); blocks VPNs and automated tools
- Execution: VBS file downloaded to victim machine; contains benign function calls as obfuscation and downloads a steganographic image containing a hidden ZIP
- Persistence: Ousaban EXE extracted from ZIP, dropped to C:\SysMain_5874288, and creates registry Run key value 'Financeiro' for persistence; creates empty file maisum.dat as installation timestamp
- C2: Ousaban resolves daily-changing DDNS hostname (prefix 'aki' + first 8 chars of MD5 of hard-coded key + current date from Google) to obtain C2 IP; communicates using custom encrypted protocol with commands like #Convite#, #ON-LINE#, #Iniciar#
- Impact: Malware monitors victim banking activity, captures screenshots, performs clipboard injection, keylogging, and remote mouse/keyboard control to facilitate fraud
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: FortiGuard AntiVirus
No custom detection rules (YARA, Sigma, Snort/Suricata) are provided in the article. FortiGuard AV signatures are referenced: W32/Ousaban.EY!tr.spy, VBS/Agent.TPX!tr.dldr, PDF/Agent.STG!tr. FortiGate, FortiMail, FortiClient, and FortiEDR provide detection via FortiGuard AntiVirus service.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | EDR can detect the VBS script execution, EXE drop to C:\SysMain_5874288, registry Run key creation, and process injection. However, the steganographic extraction and custom encrypted C2 traffic may not be natively parsed by all EDR solutions. |
| Network Visibility | Medium | Network telemetry can capture connections to phishing domains and C2 IPs, but the daily-changing DDNS hostnames and custom encryption algorithm make traffic identification challenging without specific signatures. The Google Automated Queries page access for date retrieval is an unusual network artifact. |
| Detection Difficulty | Hard | The malware employs multiple evasion layers: geofencing restricts analyst access, steganography hides payload in images, custom encryption obscures C2 traffic, daily-changing DDNS hostnames complicate domain blocking, and server-side checks hide anti-analysis logic. The Pastebin decoy further diverts analysis attention. |
Required Log Sources
- Windows Sysmon Event ID 1 (Process Creation)
- Windows Sysmon Event ID 11 (File Creation)
- Windows Sysmon Event ID 13 (Registry Value Set)
- DNS resolution logs
- HTTP/HTTPS proxy logs
- EDR process telemetry
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for processes writing to atypical directories like C:\SysMain_5874288, especially when followed by registry Run key modifications, as this may indicate Ousaban payload delivery and persistence | EDR file write events, Sysmon Event ID 11 (File Creation) and Event ID 13 (Registry Value Set) | Persistence | Low - the specific directory path and registry value name 'Financeiro' are highly suspicious and unlikely in legitimate software |
| Consider hunting for VBS scripts that download image files and subsequently extract ZIP archives from them, as this steganographic technique is characteristic of Ousaban delivery | EDR process telemetry showing cscript.exe/wscript.exe downloading files and spawning archive extraction processes | Execution | Low to Medium - legitimate administrative scripts may download images, but extracting ZIPs from images is highly unusual |
| Consider hunting for DNS queries to DDNS domains with subdomains starting with 'aki' followed by 8 hex characters, as this pattern matches the Ousaban C2 domain generation algorithm | DNS resolution logs, passive DNS data, network proxy logs | Command and Control | Low - the specific subdomain pattern is algorithmically generated and unlikely to appear in legitimate traffic |
| Consider hunting for processes accessing Google's Automated Queries page to extract date information, as this is an unusual behavior used by Ousaban for DGA seed generation | EDR network connections, proxy logs, DNS logs showing access to Google Automated Queries page from non-browser or unexpected processes | Command and Control | Medium - some legitimate tools may access Google pages, but extracting date from the Automated Queries page specifically is unusual |
| Consider hunting for registry Run key values with non-standard names like 'Financeiro' combined with executables in non-standard paths, as this matches Ousaban persistence behavior | Sysmon Event ID 13 (Registry Value Set), EDR registry modification telemetry | Persistence | Low - the combination of the specific value name and non-standard executable path is highly indicative of malicious persistence |
Control Gaps
- Traditional signature-based AV may miss the steganographic payload extraction from image files
- Network-based detection may fail to identify C2 traffic due to custom encryption and daily-changing DDNS hostnames
- Geo-restricted delivery mechanism limits sandbox and automated analysis systems from obtaining samples
- Server-side environment checks obscure anti-analysis logic from static analysis of HTML/JavaScript
- Pastebin decoy may cause analysts to focus on the wrong C2 resolution mechanism
Key Behavioral Indicators
- VBS script downloading PNG/image file and extracting ZIP from it
- Executable dropped to C:\SysMain_5874288\SysMain.exe
- Registry Run key value named 'Financeiro' pointing to non-standard executable path
- Empty file named 'maisum.dat' created in payload directory
- DNS queries to DDNS domains with subdomains matching pattern 'aki' + 8 hex characters
- Process accessing Google Automated Queries page to extract current date
- PDF files containing hex-escaped JavaScript that calls app.launchURL
- VBS scripts with numerous benign function calls used as obfuscation
False Positive Assessment
Low - the combination of steganographic extraction, specific directory paths, registry value names, and DDNS domain patterns are highly specific to Ousaban and unlikely to appear in legitimate activity
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking the identified malicious domains and IPs at your firewall, proxy, and DNS resolver if they are not already blocked by threat intelligence feeds
- Consider searching endpoint telemetry for the listed SHA256 hashes, the directory path C:\SysMain_5874288, and the registry value 'Financeiro' in Run keys to identify potential compromises
- If your EDR supports it, consider creating custom detection rules for VBS scripts that download image files and subsequently spawn archive extraction or file write operations
Infrastructure Hardening
- Consider implementing DNS filtering to block DDNS domains that exhibit algorithmic subdomain patterns, particularly those matching the 'aki' + hex character pattern described
- Evaluate whether your email gateway can block or quarantine PDF files containing embedded JavaScript that calls app.launchURL, especially those with hex-escaped content
- If applicable, consider restricting execution of VBS scripts via application control policies for users who do not require scripting capabilities
User Protection
- Consider deploying endpoint detection that flags processes writing to non-standard root-level directories like C:\SysMain_5874288
- If your EDR supports host isolation, consider enabling automated isolation for endpoints exhibiting registry Run key creation combined with network connections to newly registered or DDNS domains
- Evaluate whether your web filtering solution can block access to the specific phishing domains and pages.dev subdomains identified in this campaign
Security Awareness
- Consider incorporating examples of fake 'corrupted file' PDF lures into existing phishing awareness training, emphasizing that legitimate documents do not require clicking update buttons to open
- If your organization operates in Spain or Portugal, consider issuing a targeted advisory to employees about fake tax document portals impersonating government or telecom services
- Consider reminding users to verify the legitimacy of financial institution communications through official channels rather than clicking links in unsolicited documents
MITRE ATT&CK Mapping
Initial Access
Execution
Persistence
Privilege Escalation
Command and Control
Additional IOCs
- Ips:
213[.]159[.]64[.]191- Malicious IP associated with Ousaban campaign infrastructure91[.]92[.]240[.]140- Malicious IP associated with Ousaban campaign infrastructure78[.]40[.]209[.]32- Malicious IP associated with Ousaban campaign infrastructure
- Urls:
hxxps://facture-in[.]pages[.]dev- Full phishing URL embedded in PDF JavaScript; launches when victim clicks 'Atualizar' button or JavaScript auto-redirects
- File Hashes:
540ee1936e61d2344b5ebc93485589a351ec2f113a9b4940ae16f3baa4807392(SHA256) - Phishing PDF used in Ousaban campaigne2f0c2d4c1552cd81fa012043e4a5ac832582b639b7b6b7eccc0c4802d7a8ad8(SHA256) - Phishing PDF used in Ousaban campaign9d07a83cf89685651ea8992047ae694c24f6ddef193044357debd15ce07a64fe(SHA256) - Phishing PDF used in Ousaban campaign4c9fdc2823da505ef339d43c6ad38499b7e3447736733e42b5ab6b1afcfd42aa(SHA256) - Phishing PDF used in Ousaban campaign5e06af187b45476ade0d953e834fced6197d0a33ac60c2575877660e26ab15e8(SHA256) - Phishing PDF used in Ousaban campaign65c1a998bac48e02b52b1c850cd500e9fb87521e21755c3a4a491243f5f9a700(SHA256) - Malicious HTML page used in Ousaban campaign9e81ade09cc18f0fc09d73e72d2e0bffad02f52fdcc26553e473cee8cabc1567(SHA256) - Malicious HTML page used in Ousaban campaign1e77992666acbbfa0d01fcefa9cc8fbdac291e0681b35745be27c6dfb159a375(SHA256) - Malicious HTML page used in Ousaban campaignfadbb8061715128bebecf7bc59132b6bb04fe8cc39b965aa5b8722dffe28d7e7(SHA256) - Malicious HTML page used in Ousaban campaign19ac18a50abb48dc0ea9524850acfaec49359e6b3bcc67c6193c2d56da812c71(SHA256) - Malicious VBS file used in Ousaban campaign48723a33bab89f174750576f9a62da35b3b9e5ac31a5a8f1ce9859a1b35bf8b8(SHA256) - Malicious VBS file used in Ousaban campaignd4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3(SHA256) - MSI installer containing Rust-based downloader for Ousaban18fd38988d58dd930f5992d448cc09a9400c1eafba76b820b9a83239ac48cf4e(SHA256) - Ousaban EXE payload4ca2c863d740bb7022776dccabd8ae34bb9998768928042d76ebcf08984eefcb(SHA256) - Ousaban EXE payload5837e47198a20877e1b04b270c36d9194206ee38d4f32fe3151b3c3b396c4f0d(SHA256) - Ousaban EXE payloade6e78eb2e9bd41a4bc62f7ad54d095ea9813864bebe37172ae30a1afa631fe14(SHA256) - Ousaban EXE payload
- Registry Keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Financeiro- Persistence mechanism: Ousaban creates registry Run key value named 'Financeiro' to auto-start on boot
- File Paths:
C:\SysMain_5874288- Directory where Ousaban payload is dropped by VBS scriptC:\SysMain_5874288\SysMain.exe- Ousaban payload executable dropped to diskC:\SysMain_5874288\maisum.dat- Empty file created by Ousaban; its creation timestamp is used as installation timestamp marker
- Other:
aki- Hard-coded string prefix used in DDNS subdomain generation for C2 resolution; combined with first 8 chars of MD5 hasha9f8b7c6e5d4f3a2b1c8d7e6f5g4h3i2j1k9l8m7n6o5p4q- Hard-coded key string combined with current date to generate MD5 hash for daily DDNS C2 hostname resolution