Tetrade Brazilian Banking Trojans

The Brazilian Banking Trojans

Cybersecurity researchers have recently identified four families of Brazilian banking Trojans. The threats target customers of financial institutions in Brazil, the rest of Latin America and Europe.

Referred to collectively as the “Tetrade”, the malware families (Guildma, Javali, Melcoz and Grandoreiro) have evolved from plain banking Trojans into full backdoors and have adopted numerous obfuscation and evasion techniques to hide their malicious behaviour from protection tools.

According to Kaspersky researchers, the Tetrade exploits the fact that many Brazilian banks also operate elsewhere in Latin America and in Europe, which makes it easy for the criminals behind these threats to extend their attacks to those banks' customers abroad.

Multi-stage delivery of malware is on trend

Guildma and Javali both use multi-stage delivery chains that begin with phishing e-mails. Guildma in particular has expanded its targeting beyond Brazil to banking users elsewhere in Latin America, according to Kaspersky. Its newer versions arrive as compressed e-mail attachments or as HTML files that run JavaScript to fetch the next stage and plant the malicious payloads on the victim's system. The downloaded payloads are then hidden in NTFS Alternate Data Streams, so they do not appear in an ordinary directory listing.

Kaspersky's researchers report that, to execute its additional modules, the malware uses process hollowing: the malicious code runs inside a legitimate, typically whitelisted process such as svchost.exe. The modules are downloaded in encrypted form from attacker-controlled servers, and Guildma also stores its encrypted command-and-control configuration on Facebook and YouTube pages.

Once the final payload is installed, it watches for visits to specific bank websites. The moment one of them is opened, it triggers a cascade of operations that lets the criminals carry out fraudulent transactions from the victim's own device.
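The two Guildma behaviours described above, payloads parked in NTFS Alternate Data Streams and modules hollowed into svchost.exe, are exactly the kind of thing endpoint telemetry can surface. The script below is an added example (not code from the article or from Kaspersky's report) that applies two hunting heuristics to constructed Sysmon-style records: Event ID 15 (FileCreateStreamHash) entries whose target carries a named stream other than the browser's Zone.Identifier, and Event ID 1 (ProcessCreate) entries where svchost.exe has an unexpected parent, an unusual image path or no -k service-group argument. A hollowed process is a genuine, signed svchost.exe on disk, so hash and signature checks pass; the parent and command line are what give it away. Field names follow Sysmon; the sample events, paths and user name are invented.

```python
import ntpath

# Parents that legitimately spawn svchost.exe. MsMpEng.exe and a few other
# Microsoft binaries also do on some builds, so tune this set to your fleet.
EXPECTED_SVCHOST_PARENTS = {"services.exe"}
EXPECTED_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Streams that browsers and mail clients write on every download (mark-of-the-web).
BENIGN_STREAMS = {"zone.identifier"}


def alternate_stream(target):
    """Return the ADS name in a path such as C:\\dir\\file.log:evil.dll, or None."""
    _drive, rest = ntpath.splitdrive(target)      # drop "C:" so its colon is ignored
    parts = rest.split(":")
    if len(parts) < 2 or not parts[1]:
        return None
    return parts[1]                               # "file.log:evil.dll:$DATA" -> "evil.dll"


def triage(event):
    """Return the reasons a single Sysmon-style event looks suspicious (empty if clean)."""
    reasons = []
    eid = event.get("EventID")
    if eid == 1 and ntpath.basename(event.get("Image", "")).lower() == "svchost.exe":
        parent = ntpath.basename(event.get("ParentImage", "")).lower()
        if parent not in EXPECTED_SVCHOST_PARENTS:
            reasons.append(f"svchost.exe spawned by unexpected parent {event.get('ParentImage')}")
        if ntpath.dirname(event["Image"]).lower() not in EXPECTED_SVCHOST_DIRS:
            reasons.append(f"svchost.exe running from unusual path {event['Image']}")
        if " -k " not in f" {event.get('CommandLine', '')} ".lower():
            reasons.append("svchost.exe launched without a -k service group")
    elif eid == 15:
        stream = alternate_stream(event.get("TargetFilename", ""))
        if stream and stream.lower() not in BENIGN_STREAMS:
            reasons.append(f"alternate data stream written: {event['TargetFilename']}")
    return reasons


def hunt(events):
    """Run triage over a batch; returns [(event index, reason), ...] for alerting."""
    return [(i, reason) for i, ev in enumerate(events) for reason in triage(ev)]


# Constructed sample telemetry (not real logs): a clean service host, a
# mark-of-the-web stream, then a hidden payload and a hollowed service host.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"EventID": 15, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\ana\Downloads\fatura.zip:Zone.Identifier"},
    {"EventID": 15, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\ana\AppData\Local\Temp\log.txt:stage2.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\ana\AppData\Roaming\update.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for index, reason in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

On the constructed batch the first two events produce nothing, the third is flagged for the stage2.dll stream and the fourth twice, for its parent and for the missing -k argument. Expect the parent rule to need an allow-list of additional legitimate launchers before it is quiet enough for production.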

Javali's payloads are likewise distributed by e-mail, with the final stage designed to steal financial and login information from Brazilian and Mexican users of payment services such as Mercado Pago and cryptocurrency exchanges such as Bittrex.

Stealing Bitcoin wallets and passwords

Melcoz is another banking threat, known for its stream of attacks in Mexico and Chile since 2018. The malware can steal passwords saved in browsers and data from the clipboard, and it hijacks Bitcoin payments by replacing the victim's wallet details with details owned by the attackers.
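The wallet hijack works because a Bitcoin address is opaque to a human: the victim copies the payee's address, the stealer overwrites the clipboard with its own, and the victim pastes and pays without noticing. The script below is an added example, not Melcoz's code or anything from Kaspersky's report, showing the defender-side check: validate Base58Check addresses properly (double-SHA-256 checksum) and flag a valid address that turns into a different valid address within a couple of seconds, which a person copying addresses by hand does not do. The payee is the well-known genesis-block address used as a stand-in; the attacker address, the hash it is built from and the clipboard timeline are constructed. Bech32 (bc1...) addresses are out of scope of this validator.

```python
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload):
    """Base58Check checksum: first four bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(version, body):
    """Build a legacy (P2PKH/P2SH) address from a version byte and a 20-byte hash."""
    raw = bytes([version]) + body
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))   # each 0x00 byte becomes a leading '1'
    return "1" * leading_zeros + digits


def b58check_decode(text):
    """Inverse of the above; returns the raw bytes, or None if text is not Base58."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def is_legacy_btc_address(text):
    """True only if the text decodes to 25 bytes whose checksum verifies."""
    if not (26 <= len(text) <= 35) or text[0] not in "13":
        return False
    raw = b58check_decode(text)
    if raw is None or len(raw) != 25:
        return False
    return _checksum(raw[:21]) == raw[21:]


def detect_clipboard_swaps(snapshots, window_seconds=2.0):
    """
    snapshots: [(seconds, clipboard_text), ...] taken by polling the clipboard.
    Flags a valid address replaced by a *different* valid address inside the window,
    the signature of a clipboard-hijacking stealer. Returns [(original, replacement), ...].
    """
    alerts = []
    prev_t, prev_text = None, None
    for t, text in snapshots:
        if (prev_text is not None and text != prev_text
                and t - prev_t <= window_seconds
                and is_legacy_btc_address(prev_text)
                and is_legacy_btc_address(text)):
            alerts.append((prev_text, text))
        prev_t, prev_text = t, text
    return alerts


# Genesis-block address, standing in for the payee the victim meant to pay.
PAYEE = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed attacker address: version 0x00 plus a made-up 20-byte hash.
ATTACKER = b58check_encode(0x00, bytes.fromhex("11" * 20))

# Constructed clipboard timeline (not captured from a real infection).
SAMPLE_SNAPSHOTS = [
    (0.0, "invoice 4411"),
    (1.0, PAYEE),        # victim copies the real address
    (1.4, ATTACKER),     # stealer rewrites the clipboard a moment later
    (40.0, "thanks"),
]

if __name__ == "__main__":
    for original, replacement in detect_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"clipboard hijack suspected: {original} -> {replacement}")
```

The checksum matters: a stealer that swaps in a syntactically valid address passes any regex, so the detector keys on the change itself rather than on the address looking wrong. The same comparison belongs in wallet software, which should show the user what was pasted and refuse when it differs from what was copied.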

Melcoz uses VBS scripts embedded in installer packages to download the malicious payload onto the computer. It then abuses the AutoIt interpreter and the VMware NAT service, through DLL hijacking, to load a malicious DLL on the target machine.

The researchers explain that the malware lets the intruder display an overlay window on top of the victim's browser while manipulating the banking session in the background. Because the fraudulent transaction originates from the victim's own machine, the bank's anti-fraud systems have difficulty detecting it. The attacker can also prompt the victim for details normally requested during a transaction, such as a one-time password, and so bypass the two-factor authentication protecting it.

Grandoreiro, the last member of the Tetrade, has run malicious campaigns in Brazil, Mexico, Portugal and Spain since 2016. It lets attackers perform fraudulent transfers from the victim's own machine, circumventing the security measures banks apply to transactions.

Grandoreiro's payload is delivered through malicious links and Google Ads as well as by spear-phishing. The threat is known to use a Domain Generation Algorithm (DGA) to conceal the command-and-control address it uses during an attack: the malware derives its candidate C2 domains algorithmically, so no single hostname has to be hard-coded or can be blocked in advance.
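The article does not describe Grandoreiro's algorithm, so the following is an added, generic illustration of what a date-seeded DGA looks like and what a defender does with one once it has been recovered from a sample (it is not the family's code and not from Kaspersky's report). Bot and operator both compute the day's candidate list from a shared seed and the date; the operator registers only one name and can move to another the next day, while the bot walks the list until something resolves. The defender with the same algorithm pre-computes the coming days' names as a blocklist and checks DNS queries against today's list. The seed, TLDs, count per day and dates are invented; DNS is replaced by an injected callback so the code runs offline.

```python
import hashlib
from datetime import date, timedelta

SEED = b"tetrade-demo-seed"    # invented; a real family hard-codes its own
TLDS = ("com", "net", "info")  # invented
PER_DAY = 50


def candidate_domains(day_iso, count=PER_DAY):
    """All candidate C2 domains for one day ('YYYY-MM-DD'), in the order the bot tries them."""
    out = []
    for i in range(count):
        material = SEED + day_iso.encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # map bytes to a-z (the small modulo bias is irrelevant for this purpose)
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        out.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return out


def find_live_c2(day_iso, resolves):
    """Bot side: walk the day's list until a name resolves.
    `resolves(domain) -> bool` is injected so there is no real DNS here."""
    for domain in candidate_domains(day_iso):
        if resolves(domain):
            return domain
    return None


def blocklist(start_iso, days=3):
    """Defender side: every candidate for `days` days starting at start_iso."""
    start = date.fromisoformat(start_iso)
    names = set()
    for offset in range(days):
        names.update(candidate_domains((start + timedelta(days=offset)).isoformat()))
    return names


def is_dga_candidate(domain, day_iso):
    """Defender side: is this queried name on the family's list for that day?"""
    return domain.lower() in candidate_domains(day_iso)


if __name__ == "__main__":
    today = "2020-07-14"                      # invented date
    live = candidate_domains(today)[7]        # pretend the operator registered the eighth name
    print("bot found:", find_live_c2(today, lambda d: d == live))
    print("blocklist size for three days:", len(blocklist(today)))
```

The point for detection is in the last two functions: without the algorithm you are left with behavioural signals (bursts of NXDOMAIN responses for never-seen names), whereas with it you can sinkhole or block every candidate before the operator registers it.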

Banking malware becomes more capable

Kaspersky concludes that Brazilian criminals are rapidly building affiliate networks, recruiting cybercriminals to operate in other countries, embracing malware-as-a-service (MaaS) and adding new techniques to their malware to keep it effective and financially attractive to their clients. Banking Trojan families like those of the Tetrade represent a serious threat because they evolve quickly to target more banks in more countries. They also employ an arsenal of methods, including novel DGA usage, DLL hijacking, encrypted payloads, process hollowing, fileless infection and other tricks, in their attempts to bypass security tools.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
