A remote overlay toolkit referred to as KL-Remote, currently being used in Brazil, commits what researchers at IBM Security Trusteer call a “virtual mugging,” or a remote takeover of infected computers then execution of fraudulent transactions unbeknownst to end users.

The researchers discovered the KL-Remote in December, detailing in a blog post how miscreants can use a graphical user interface (GUI) included in the kit to “'overlay' fake messages on top of a legitimate website” to trick users into spilling their sensitive information. 

The toolkit is being touted among Brazilian cybercriminals “as a platform that can be embedded in the most common banking malware variants,” researchers wrote.

Attacks orchestrated with the tools are deemed “unique” since the criminal must intervene manually “during various stages of the fraud event” and is “virtually looking over the victim's shoulder” before seizing control of the device.