Malware that is typically used in Brazil is expanding its geography, targeting users in North America, Europe and elsewhere in Latin America.
Banking trojans, which steal online banking logins and other financial credentials from unsuspecting victims, are fairly common – but the more sophisticated examples are often pioneered in Brazil. According to a Kaspersky report published on Tuesday, four Brazilian banking-trojan families (Guildma, Javali, Melcoz and Grandoreiro, collectively known as Tetrade) have taken their distribution global.
“In the past, Brazilian criminals primarily targeted customers of local financial institutions,” according to the report. “That changed at the beginning of 2011 when a few groups began experimenting with exporting basic trojans abroad. This year, four families known as Tetrade have implemented the necessary innovations to take their distribution worldwide.”
The Guildma group, which has been active since 2015, tends to use phishing emails disguised as legitimate business communications or notifications, according to the report.
“Most of the phishing messages emulate business requests, packages sent over courier services or any other regular corporate subjects, including the COVID-19 pandemic, but always with a corporate appearance,” researchers noted.
What sets it apart, though, is its use of innovative evasion techniques, which make its malware particularly difficult to detect.
“Beginning in 2019, Guildma began to hide the malicious payload within the victim’s system using a special file format,” explained Kaspersky. “In addition, Guildma stores its communication with the control server in an encrypted format on Facebook and YouTube pages. As a result, the communication traffic is difficult to detect as malicious, and because no antivirus blocks either of those websites, it ensures the control server can execute commands uninterrupted.”
Guildma has recently become active throughout South America, and in the U.S., Portugal and Spain, the firm said.
Meanwhile, the Javali group (active since 2017) has recently spread to Mexico. Like Guildma, it is also spread via phishing emails with malicious attachments, and it has begun using YouTube to host its command-and-control (C2) communications, the report said.
In addition, “these emails include an MSI (Microsoft Installer) file with an embedded Visual Basic Script that downloads the final malicious payload from a remote C2; it also uses DLL sideloading and several layers of obfuscation to hide its malicious activities from analysts and security solutions,” explained the researchers.
The initial Microsoft Installer downloader contains an embedded custom action that triggers a Visual Basic Script. The script connects to a remote server and then retrieves the second stage of the malware.
The third family, Melcoz, has been active since 2018, and is known for malware that, like other banking trojans, steals passwords from browsers and the computer’s memory; but it also includes a module for stealing Bitcoin wallets. It replaces the original wallet information with the cybercriminals’ own, Kaspersky said.
Melcoz has now expanded to other places in Latin America.
“We found that the group has attacked assets in Chile since 2018 and more recently, in Mexico,” according to researchers. “Still, it is highly probable there are victims in other countries, as some of the targeted banks operate internationally… As these groups speak different languages (Portuguese and Spanish), we believe that Brazilian cybercriminals are working with local groups of coders and mules to withdraw stolen money, managed by different operators, selling access to its infrastructure and malware constructors.”
Each Melcoz campaign runs on its own unique ID, which varies with the malware version and the C2 servers used.
“Generally, the malware uses AutoIt or VBS scripts added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions,” according to the report.
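As an added defender-side illustration (not code from the Kaspersky report or from Threatpost), the following Python correlates constructed Sysmon-style events for the chain the report describes for both Javali and Melcoz: msiexec.exe running a package from a user-writable path, that same process reaching a non-vendor host, and a DLL carrying a system DLL's name being loaded from a user-writable directory (the DLL-hijack step). The event fields, path tokens, host allowlist and system-DLL set are assumptions.

```python
"""Heuristic correlation of the MSI -> script download -> DLL sideload chain.

Added example, not code from the Kaspersky report. Event shape, path tokens,
host allowlist and system-DLL set are assumptions; the events are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
VENDOR_HOSTS = (".microsoft.com", ".windowsupdate.com")  # assumed allowlist


@dataclass
class Event:
    kind: str    # "process" | "network" | "imageload"
    pid: int
    image: str   # process image path
    detail: str  # command line, destination host, or loaded DLL path


def in_user_dir(path: str) -> bool:
    """True when the path sits under a directory a normal user can write to."""
    return any(tok in path.lower() for tok in USER_WRITABLE)


def correlate(events: Iterable[Event], system_dlls: Set[str]) -> List[str]:
    """Return findings; system_dlls holds base names of DLLs that normally load
    from System32 (an analyst would populate it from a clean host)."""
    findings, msi_pids = [], set()
    for e in events:
        image, detail = e.image.lower(), e.detail.lower()
        if e.kind == "process" and image.endswith("msiexec.exe") and in_user_dir(detail):
            msi_pids.add(e.pid)  # remember installer runs started from user paths
            findings.append(f"{e.pid}: msiexec.exe ran a package from a user-writable path")
        elif e.kind == "network" and e.pid in msi_pids and not detail.endswith(VENDOR_HOSTS):
            findings.append(f"{e.pid}: msiexec.exe connected to {e.detail}")
        elif e.kind == "imageload" and in_user_dir(detail):
            name = detail.rsplit("\\", 1)[-1]
            if name in system_dlls:  # system DLL name resolved outside System32
                findings.append(f"{e.pid}: {name} loaded from user-writable path {e.detail}")
    return findings


SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    Event("process", 4120, r"C:\Windows\System32\msiexec.exe",
          r"msiexec.exe /i C:\Users\ana\Downloads\Encomenda_2020.msi /qn"),
    Event("network", 4120, r"C:\Windows\System32\msiexec.exe", "cdn.example.invalid"),
    Event("process", 4188, r"C:\Users\ana\AppData\Roaming\Updater\legit.exe", "legit.exe"),
    Event("imageload", 4188, r"C:\Users\ana\AppData\Roaming\Updater\legit.exe",
          r"C:\Users\ana\AppData\Roaming\Updater\version.dll"),
]

if __name__ == "__main__":
    for line in correlate(SAMPLE_EVENTS, {"version.dll"}):
        print(line)
```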
The last family, Grandoreiro, has been active since 2016, researchers said, and has recently been targeting users across Latin America and in Europe. Kaspersky said that its malware is offered in an as-a-service model, and as a result, it’s become the most widespread of the four families.
The malware is distributed via compromised websites as well as via spearphishing and, like Guildma and Javali, it hides its C2 communications on legitimate third-party websites.
“Brazilian crooks are rapidly creating an ecosystem of affiliates, recruiting cybercriminals to work with in other countries, adopting MaaS (malware-as-a-service) and quickly adding new techniques to their malware as a way to keep it relevant and financially attractive to their partners,” the report noted.
Dmitry Bestuzhev, head of Kaspersky’s GReAT in Latin America, added, “What’s more, they are continuously innovating, adding new tricks and techniques to hide their malicious activity and make their attacks more lucrative. We expect these four families to begin attacking more banks in additional countries, and new families to pop up. That’s why it’s so important for financial institutions to monitor these threats closely and take steps to boost their anti-fraud capabilities.”