Brazilian Banking Trojans Spread to Other Nations
Kaspersky: Fraudsters Now Target North America, Europe, Latin America
The operators behind a family of Brazilian banking Trojans are expanding their operations to other parts of Latin America as well as North America and Europe, according to a report from Kaspersky.
The banking Trojans are collectively known as Tetrade, an umbrella term for four distinct malware strains: Guildma, Javali, Melcoz and Grandoreiro, according to the report.
Since 2011, the operators behind the Tetrade family of Trojans have mainly focused on targeting financial institutions in Brazil. In recent months, however, the fraudsters have started expanding globally and re-engineering malware variants to better evade security tools, Kaspersky researchers say.
"Although this is not their first attempt - they tried, timidly, in 2011, using very basic Trojans, with a low success rate - now the situation is completely different," according to the Kaspersky report. "Brazilian banking Trojans have evolved greatly, with hackers adopting techniques for bypassing detection, creating highly modular and obfuscated malware, and using a very complex execution flow, which makes analysis a painful, tricky process."
In June, the FBI sent out an alert warning of an increase in banking Trojans, especially those designed for mobile devices such as smartphones. Many of these are disguised as benign apps (see: FBI Warns of Increasing Use of Trojans in Banking Apps).
The Brazilian malware strain known as Guildma has been active since 2015. Starting in 2019, fraudsters started spreading the Trojan beyond Brazil to Chile, Uruguay, Peru, Ecuador, Colombia, China, the U.S. and parts of Europe, according to the report.
In more recent campaigns, especially since the start of the COVID-19 pandemic, the fraudsters have used phishing emails to spread the malware. Many of these are disguised as corporate messages that emulate business requests or ask to verify packages sent over courier services, Kaspersky says.
In the most recent campaigns, the phishing emails carry a malicious attachment, typically a compressed Visual Basic Script (VBS) file or a Windows shortcut (LNK) file. If opened, the payload installs the Trojan.
The Guildma malware hides its communications with the command-and-control server in an encrypted format on Facebook and YouTube pages, which helps bypass security tools, the report notes.
"The group behind the attacks has shown a good knowledge of legitimate tools for performing a complex execution flow, pretending to hide themselves inside the host system and preventing automated analysis systems from tracking their activities," according to the researchers.
The Javali Trojan, which has been active since November 2017, has moved beyond Brazil to target victims in other countries, including Mexico, the researchers note. As with Guildma, the operators behind Javali use phishing emails to infect devices with the Trojan.
"These emails include an MSI (Microsoft Installer) file with an embedded Visual Basic Script that downloads the final malicious payload from a remote command-and-control," the report states. "It also uses [Dynamic Link Library] side loading and several layers of obfuscation to hide its malicious activities from analysts and security solutions."
The report also notes that Javali uses YouTube pages to communicate with the command-and-control server to help hide its presence.
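The lures described above for Guildma (compressed VBS or LNK attachments) and Javali (MSI with an embedded script) can be triaged at a mail gateway with a simple attachment check. The following is an added example written for this article, not code from Kaspersky or from the report; the extension list, the OLE header used to recognise MSI content and the sample attachments are all constructed assumptions for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions matching the lure types the report describes (VBS, LNK, MSI),
# padded with the other Windows Script Host types. Constructed list.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
RISKY_EXTS = SCRIPT_EXTS | {".lnk", ".msi"}
# MSI packages are OLE compound files; this is the OLE header signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _ext(name):
    """Lower-cased final extension, tolerating backslash paths in archives."""
    return PurePosixPath(name.replace("\\", "/")).suffix.lower()


def triage_attachment(filename, data):
    """Return a list of human-readable findings for one (name, bytes) attachment."""
    findings = []
    ext = _ext(filename)
    if ext in RISKY_EXTS:
        findings.append(f"direct {ext} attachment: {filename}")
    if data.startswith(OLE_MAGIC) and ext != ".msi":
        # OLE/MSI content carried under a different extension is a red flag.
        findings.append(f"OLE/MSI content with misleading extension: {filename}")
    if zipfile.is_zipfile(io.BytesIO(data)):
        # Look inside compressed attachments for script or shortcut members.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                mext = _ext(member)
                if mext in RISKY_EXTS:
                    findings.append(f"archive {filename} contains {mext}: {member}")
    return findings


def _build_sample_zip():
    """Constructed sample: a zip holding a double-extension VBS and an LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("comprovante.pdf.vbs", 'MsgBox "constructed sample"')
        zf.writestr("encomenda.lnk", b"L\x00\x00\x00")
    return buf.getvalue()


# Constructed attachments: one lure archive, one bare MSI, one benign PDF.
SAMPLE_ATTACHMENTS = {
    "Comprovante.zip": _build_sample_zip(),
    "instalador.msi": OLE_MAGIC + b"\x00" * 16,
    "relatorio.pdf": b"%PDF-1.4 constructed",
}


def triage_all(attachments):
    return {name: triage_attachment(name, data) for name, data in attachments.items()}
```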
The Javali Trojan has been found targeting cryptocurrency websites, such as Bittrex, and the websites of retailers, such as Mercado Pago in Latin America.
In addition to stealing banking credentials, this strain of malware is also capable of capturing passwords from browsers and the device's memory. Plus, it includes a module for stealing bitcoin wallets.
The Melcoz Trojan was first spotted in Brazil in 2018 and is now spreading to other countries within Latin America as well as Spain and Portugal. The Kaspersky researchers believe operators are working with local groups of fraudsters to help tailor the malware to each region.
These local fraudsters help collect the stolen money and oversee the infrastructure, such as the command-and-control servers, according to Kaspersky.
As with Javali, the Melcoz malware steals banking credentials and has the capability to capture passwords from browsers and a device's memory. It also includes a module for stealing bitcoin wallets, including replacing the victim's wallet with the fraudsters' address, according to the report.
The Grandoreiro Trojan, which has been active since 2016, is not tied to a specific group or operator and has been offered under a service model for other cybercriminals and fraudsters to rent, which means it's spreading to other regions faster than the other three Trojans, according to Kaspersky.
The researchers found the malware targeting victims in Brazil, Mexico, Spain and Portugal, although it's possible that it has spread to other countries as well.
In addition to spreading via spear-phishing attacks, Grandoreiro is hidden in compromised websites. It also hides its communications with the command-and-control server through legitimate third-party websites to help it evade security tools, according to Kaspersky.
"Brazilian crooks are rapidly creating an ecosystem of affiliates, recruiting cybercriminals to work within other countries, adopting MaaS [malware-as-a-service] and quickly adding new techniques to their malware as a way to keep it relevant and financially attractive to their partners," the report states.