Cybersecurity researchers on Tuesday detailed as many as four different Brazilian banking trojan families that had targeted financial institutions in Brazil, Latin America and Europe.
Collectively called "Tetrade" by Kaspersky researchers, the four families, Guildma, Javali, Melcoz and Grandoreiro, have developed the ability to function as a backdoor and adopted various obfuscation techniques to hide their malicious activity from security software.
"Guildma, Javali, Melcoz and Grandoreiro are examples of other Brazilian banking groups that have decided to expand their attacks overseas, targeting banks in other countries," Kaspersky said in an analysis.
“They benefit from the fact that many banks operating in Brazil also have operations elsewhere in Latin America and Europe, making it easier to expand their attacks on customers of these financial institutions.”
Multi-Stage Malware Deployment Process
Both Guildma and Javali use a multi-stage deployment process, with phishing emails serving as the mechanism for distributing the initial payload.
Kaspersky found that Guildma not only added new features and stealth to the campaign since its inception in 2015, but also expanded to new targets outside Brazil to attack banking users in Latin America.
On top of that, it makes use of NTFS Alternate Data Streams to hide the presence of the payloads downloaded to the target, and leverages DLL search order hijacking to launch the malware binaries, proceeding only if the environment is free of debugging and virtualization tools.
"To execute additional modules, the malware uses the process hollowing technique to hide the malicious payload inside a whitelisted process, such as svchost.exe," Kaspersky said. These modules are downloaded from an attacker-controlled server, whose information is stored on Facebook and YouTube pages in encrypted format.
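Because Guildma stages its downloaded payloads in NTFS alternate data streams, a defender's first check is to enumerate every non-default stream under a suspect directory. The following PowerShell script is an added example, not part of the Kaspersky report; the root path and the ignore list (the benign Zone.Identifier "mark of the web" stream) are assumptions.

```powershell
# Added example: hunt for files carrying non-default NTFS alternate data streams.
# Assumes Windows PowerShell 5.1+ running against an NTFS volume.
param(
    [string]$Root = "$env:USERPROFILE",
    # ':$DATA' is the file's own main stream; Zone.Identifier is the benign
    # mark-of-the-web stream browsers attach to downloads. Both are ignored.
    [string[]]$IgnoreStreams = @(':$DATA', 'Zone.Identifier')
)

$findings = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * lists every stream on the file, including the main :$DATA stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $IgnoreStreams -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }

if ($findings) {
    # Largest hidden streams first: a multi-kilobyte stream on an innocuous
    # file is the pattern worth triaging.
    $findings | Sort-Object Bytes -Descending | Format-Table -AutoSize
} else {
    Write-Output "No non-default alternate data streams found under $Root"
}
```

A flagged stream can then be pulled for analysis with `Get-Content -LiteralPath <file> -Stream <name>` without executing it.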
Once installed, the final payload monitors for a particular bank's website, which, when opened, triggers a cascade of operations that allows the cyber criminals to carry out financial transactions using the victim's computer.
Javali (active since November 2017) likewise uses payloads sent via email to retrieve the final-stage malware from a remote C2 server; that stage is capable of stealing financial information and logins from users in Brazil and Mexico who visit the cryptocurrency exchange website Bittrex or the payment solution Mercado Pago.
Stealing Bitcoin Passwords and Wallets
Melcoz, a variant of the open-source RAT Remote Access PC, has been linked to a series of attacks in Chile and Mexico since 2018. The malware is able to steal passwords from the clipboard, browsers and Bitcoin wallets, replacing the original wallet information with alternatives owned by the attacker.
It uses VBS scripts inside an installer package file (.MSI) to download the malware onto the system, then abuses the AutoIt interpreter and the VMware NAT service to load malicious DLLs on the target system.
"The malware allows attackers to display an overlay window in front of the victim's browser to manipulate the user's session in the background," the researchers said. "In this way, the fraudulent transaction is carried out from the victim's machine, making it harder for the anti-fraud solutions on the bank's side to detect."
In addition, the threat actors can also request specific information needed during a bank transaction, such as a one-time password, thereby bypassing two-factor authentication.
Finally, Grandoreiro has been tracked in campaigns spread across Brazil, Mexico, Portugal and Spain since 2016, allowing attackers to carry out fraudulent banking transactions from victims' computers in order to evade the security measures used by banks.
The malware itself is hosted on Google Sites pages and delivered through compromised websites and Google Ads or phishing methods, and it uses a Domain Generation Algorithm (DGA) to hide the C2 address used during the attack.
"Brazilian criminals are quickly creating an affiliate ecosystem, recruiting cyber criminals to work with in other countries, adopting MaaS (malware-as-a-service) and quickly adding new techniques to their malware as a way to stay relevant and financially attractive to their partners," Kaspersky concluded.
"As a threat, these banking trojan families try to innovate by using DGAs, encrypted payloads, process hollowing, DLL hijacking, lots of LoLBins, fileless infections and other tricks as a way of obstructing analysis and detection. We believe that these threats will evolve to target more banks in more countries."