The Brazilian Banking Trojans
Cybersecurity researchers have recently identified four families of Brazilian banking Trojans. They target financial institutions in Brazil, elsewhere in Latin America and in Europe.
Referred to collectively as the “Tetrade”, the four families, Guildma, Javali, Melcoz and Grandoreiro, have evolved backdoor capabilities and adopted numerous obfuscation tactics to hide their malicious behavior from security tools.
According to Kaspersky researchers, the Tetrade exploits the fact that many Brazilian banks also operate in the rest of Latin America and in Europe, which makes it easy for the crooks behind these threats to extend their attacks to those banks’ customers abroad.
Multi-stage delivery of malware is on trend
Kaspersky’s researchers report that Guildma runs its additional modules through process hollowing, placing the malicious payload inside a whitelisted process such as svchost.exe so that it is hidden from security tools. The modules are downloaded in encrypted form from an attacker-controlled server and have also been hosted on Facebook and YouTube pages.
Once the final payload is installed, it watches for the victim to open specific bank websites. The moment one of these sites is opened, a cascade of operations begins that lets the criminals carry out fraudulent financial transactions from the victim’s own device.
Javali’s malicious payloads are likewise distributed by email; the final-stage malware steals financial and login information from Brazilian and Mexican users when they visit payment services such as Mercado Pago or cryptocurrency exchanges such as Bittrex.
Stealing Bitcoin wallets and passwords
Melcoz is another banking threat, known for a stream of attacks in Mexico and Chile since 2018. It can steal passwords saved in browsers and hijack the clipboard: it steals Bitcoin by replacing the victim’s copied wallet details with details owned by the attackers.
Melcoz uses VBS scripts inside installer packages to download the malicious payload onto the computer. It then abuses the AutoIt interpreter and the VMware NAT service, both legitimate programs, to side-load a malicious DLL on the target machine.
Researchers explain that the malware lets the intruder display an overlay window on top of the victim’s browser while manipulating the banking session in the background. Because the fraudulent transaction originates from the victim’s own machine and session, the bank’s anti-fraud systems find it hard to detect. The attacker can also use the overlay to request details that are normally asked for during a bank transaction, such as a one-time password, which lets him bypass the two-factor authentication protecting the transaction.
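The clipboard swap described above is the classic “clipper” pattern: the victim copies a wallet address, and a fraction of a second later the clipboard holds a different, equally valid address. The following is an added detection example (written for this page, not Kaspersky’s or Melcoz’s code) that validates legacy Bitcoin addresses with the Base58Check checksum and flags a clipboard poll log in which one valid address is replaced by a different valid address within a short window. The poll log is constructed; the two addresses are well-known public example addresses, the second standing in for an attacker-controlled one.

```python
import hashlib
from typing import List, Optional, Tuple

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_decode(text: str) -> Optional[bytes]:
    """Decode a Base58Check string; return the 21-byte payload (version + hash160)
    or None if the text is not a well-formed, checksum-valid 25-byte value."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes a leading zero byte that the integer form loses.
    leading_zeros = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash160 + 4-byte checksum
        return None
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if checksum == expected else None


def is_legacy_btc_address(text: str) -> bool:
    """True for a checksum-valid mainnet P2PKH ('1...') or P2SH ('3...') address."""
    payload = b58check_decode(text)
    return payload is not None and payload[0] in (0x00, 0x05)


def detect_clipper(events: List[Tuple[float, str]],
                   window: float = 2.0) -> List[Tuple[float, str, str]]:
    """Flag polls in which one valid Bitcoin address was replaced by a different
    valid address within `window` seconds. `events` are (timestamp, clipboard
    content) pairs as seen by a poller; returns (timestamp, original, replacement)."""
    alerts = []
    last_addr = None  # (timestamp, address) of the most recent valid address seen
    for ts, content in events:
        content = content.strip()
        if not is_legacy_btc_address(content):
            continue
        if last_addr and content != last_addr[1] and ts - last_addr[0] <= window:
            alerts.append((ts, last_addr[1], content))
        last_addr = (ts, content)
    return alerts


# Constructed clipboard poll log (not real telemetry). The Bitcoin genesis address
# stands in for the victim's copy; a public P2SH example address plays the attacker's.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
ATTACKER_ADDR = "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (1.0, GENESIS_ADDR),
    (1.2, ATTACKER_ADDR),                          # swapped 0.2 s later: clipper behaviour
    (10.0, "invoice 42"),
    (12.0, GENESIS_ADDR),
    (30.0, ATTACKER_ADDR),                         # copied 18 s later by the user: benign
    (40.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"),  # bad checksum: not an address, ignored
]

if __name__ == "__main__":
    for ts, before, after in detect_clipper(SAMPLE_EVENTS):
        print(f"t={ts}: clipboard address {before} replaced by {after}")
```

On a real endpoint the event list would come from a clipboard poller (on Windows, `GetClipboardData` every few hundred milliseconds); the window threshold is the key knob, since a clipper reacts almost instantly while a user rarely copies two different addresses within two seconds. The check covers only Base58 legacy addresses; a clipper that also targets bech32 (`bc1...`) addresses would need a bech32 checksum validator added alongside.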
Grandoreiro, the last of the Tetrade, has run malicious campaigns in Brazil, Mexico, Portugal and Spain since 2016. It lets attackers perform fraudulent transfers from the victim’s machine, circumventing the security measures that banks have put in place.
Grandoreiro’s payload is delivered through malicious links, Google Ads and spear-phishing. The threat is known to use a domain generation algorithm (DGA) to conceal the C2 address it uses during the attack, so that blocking a single hard-coded domain does not cut the malware off from its operators.
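A DGA produces a stream of throwaway domains, and the defender’s usual first cut is to spot names that no human would register: long, high-entropy, unpronounceable labels. Below is an added example (not Kaspersky’s code, and it does not model Grandoreiro’s actual algorithm, whose seed and alphabet are not given on this page) that scores the registrable label of each queried name and flags suspicious lookups in a constructed DNS resolver log. It assumes a one-part TLD; public-suffix handling for names like `.com.br` is out of scope.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

VOWELS = set("aeiou")


def registrable_label(domain: str) -> str:
    """Second-level label of a domain. Assumes a one-part TLD (example.com);
    public-suffix handling (co.uk, com.br) is deliberately not implemented."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Character entropy in bits; random-looking labels score close to log2(len)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def dga_features(domain: str) -> Dict[str, float]:
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    run = longest = 0
    for c in label:  # longest run of consonants; digits and vowels reset it
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        longest = max(longest, run)
    return {"length": len(label), "entropy": shannon_entropy(label),
            "vowel_ratio": vowel_ratio, "consonant_run": longest}


def looks_dga(domain: str) -> bool:
    """Heuristic: a long, high-entropy label that is also unpronounceable.
    Entropy alone is not enough (see securityupdate2020.net below)."""
    f = dga_features(domain)
    return (f["length"] >= 10 and f["entropy"] >= 3.2
            and (f["vowel_ratio"] < 0.3 or f["consonant_run"] >= 5))


def flag_dns_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, domain) pairs whose queried name looks generated.
    Expects the constructed line format '<ts> client=<ip> q=<name> type=<rr>'."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        name = fields.get("q", "")
        if name and looks_dga(name):
            hits.append((fields.get("client", "?"), name))
    return hits


# Constructed DNS resolver log (not real traffic).
SAMPLE_DNS_LOG = [
    "2020-07-16T10:01:02Z client=10.0.0.5 q=mercadopago.com type=A",
    "2020-07-16T10:01:03Z client=10.0.0.5 q=wh4fnr9qzpx3lmv.com type=A",
    "2020-07-16T10:01:04Z client=10.0.0.7 q=securityupdate2020.net type=A",
    "2020-07-16T10:01:05Z client=10.0.0.7 q=tmxvbqrkwgldsp.org type=A",
    "2020-07-16T10:01:06Z client=10.0.0.9 q=kaspersky.com type=A",
]

if __name__ == "__main__":
    for client, name in flag_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried DGA-like name {name}: {dga_features(name)}")
```

Character heuristics like this are a triage filter, not a verdict: CDN and cloud hostnames produce false positives, and word-list DGAs slip through. In practice the per-client NXDOMAIN rate is the stronger signal, because a DGA client must try many unregistered names before it finds the one the operator actually bought.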
Banking malware becomes more capable
Kaspersky concludes that Brazilian crooks are rapidly building an affiliate network, recruiting criminals to operate in other countries, embracing malware-as-a-service (MaaS) and adding new tactics to their malware to make it effective and financially attractive to their clients. Banking Trojan families like the Tetrade are a serious threat because they evolve quickly to target more banks in more countries. Furthermore, they employ an arsenal of evasion techniques, including novel DGA usage, DLL hijacking, encrypted payloads, process hollowing, fileless infection and other tricks to bypass security tools.