People sleep waiting in line outside a Caixa Economica Federal bank to receive urgent government benefit amidst the COVID-19 struggles in Belo Horizonte, Brazil. Beyond the pandemic, banks combat the Brazil-based Guildma cybercriminal gang that developed a new Android-based trojan that has now gone global. (Pedro Vilela/Getty Images)

Sensing an opportunity to prey upon financial institutions that aren’t adequately prepared for their tactics, Brazilian cybercriminals are looking beyond their traditional Latin American stomping grounds to target Europe with banking trojans, perhaps with an eye on the U.S. for future attacks.

This burgeoning trend shows that no cyber threat stays localized forever, placing pressure upon security professionals to stay current on global threat intelligence and assume threats relegated to one corner of the globe will one day migrate.

According to a Nov. 9 Kaspersky blog post, the Brazil-Based Guildma cybercriminal gang has developed a new sophisticated Android-based banking trojan, Ghimob, that can spy on 153 financial apps associated with various banks, fintech organizations, exchanges and cryptocurrencies based not only in Brazil, but also in Paraguay, Peru, Portugal, Germany, Angola and Mozambique.

“Any threat in the world can affect different regions. It is up to the criminals involved in development and deployment to choose to compromise new targets, as the Ghimob [operators] did,” said Daniel Barbosa, security researcher from ESET Latin America, which closely tracks the local banking trojan scene [1, 2, 3].

Ghimob allows attackers to remotely access compromised devices to execute fraudulent transactions while avoiding antifraud systems. “Even if the user has a screen lock pattern in place, Ghimob is able to record it and later replay it to unlock the device,” Kaspersky researchers wrote. “When the cybercriminal is ready to perform the transaction, they can insert a black screen as an overlay or open some website in full screen, so while the user looks at that screen, the criminal performs the transaction in the background by using the financial app running on the victim’s smartphone that the user has opened or logged in to.”

Kaspersky’s Ghimob report was a follow-up to a July blog post in which the company similar warned that a quartet of banking trojan groups – Guildma, Javali, Melcoz and Grandoreiro – were also showing signs of taking their show on the road, attacking or preparing to attack targets as far away as Europe and China.

Banking trojans are notorious in Brazil, where the local population generally prefers banking online. In years past, attacking local financial institutions was easy for Brazil-based cybercrime groups, because the attackers were intimately familiar with the regional banking systems as well as the local, Portuguese language. But as these banks have begun to fight back, the attackers have had to make their living elsewhere, say experts, and they’ve largely chosen the path of least resistance.

“Banks and other Brazilian financial institutions have been concerned with cybersecurity for a long time due to the attacks and frauds suffered since they made the internet available for use by customers. So now, Brazilian cybercriminals have to be more efficient to bypass the security layers implemented,” said Denise Menoncello, information security management and business continuity consultant at CMS Brazil, a company specializing in information technology sales and infosec advisory services. “This does not happen with the same rigor in foreign banks, where there are not so many controls implemented and it is easier to execute fraud.”

Indeed, “the Brazilian financial system learned to operate in a very hostile environment, reacting very quickly to financial fraud, mitigating the losses,” agreed Fabio Assolini, senior security researcher at Kaspersky. “As a result, Brazilian crooks [have] started to expand abroad, looking for other markets to attack, where financial institutions are not well prepared to deal with it.”

Naturally, among the first places the bad actors looked to victimize were other countries where citizens speak Portuguese or Spanish. “Their expansion started first in LATAM,” Assolini. Then “they quickly expanded to Europe, targeting countries such as Portugal and Spain.”

Brazilian criminals may have also been influenced via communications with underground, dark web markets, including ones associated with Eastern European actors. “At first, Brazilians were customers, buying exploits, tooling, etc. and later they became competitors, copying their methods of cybercrime,” Assolini explained.

The cybercriminals might have expanded geographically earlier, but it took time for the adversaries to become more familiarized with the banking scene outside of their comfort zone.

“The starting points of a successful attack usually are reconnaissance and information gathering,” said Barbosa. “With the banking trojans developed in Brazil and other countries from Latin America, this is not different. The cybercriminals need information regarding the targeted financial institutions so they can impersonate them properly. If they have the information they need regarding institutions from other countries, nothing stops them from attempting an attack.”

According to Barbosa and others, some of the non-Brazilian banks that are currently being targeted are currently in a vulnerable spot because they may have historically overlooked these threats, considering them irrelevant due to them existing outside their geographical concern.

“Any institutions in the world that don’t concern [themselves with] threats happening in other places – [especially] threats that affect institutions of the same type as their own – are at a huge disadvantage,” said Barbosa. “Threats never have borders, after all.”

Banks that still look at the threats as a Brazilian problem are missing the point, at their own peril. “For a correct and complete approach on threat intelligence, you need to consider threats that are still far from your yard, but sooner or later can arrive,” said Assolini.

Case in point: “The banks that saw [North Korean] Lazarus activity in 2016 and obtained data trying to understand the way these attacks were delivered… were not victims of Lazarus when the attacks moved to Western countries,” Assolini explained.

While the Kaspersky reports did not identify the U.S. as a prominent target of the array of banking trojans coming out of Brazil and Latin America, it’s likely only a matter of time.

“At the moment, the targets continue to be banks in Brazil and in countries where Brazilian banks operate, or banks that do not [have] complex anti-fraud and security systems,” said Menoncello. “In the USA, as far as we can identify, there is an intention [to attack], but nothing has been reported so far… [possibly] because American banks already have anti-fraud systems in place. So cybercriminals will need further development to start the attacks.”

The prevalence of English in the U.S. remains a hurdle for now as well. “But this is easy to surpass,” said Assolini. “I see as their main barrier the possibilities of cash-out. At some point they [the cybercriminals] need real cash, and for them this can be hard. It’s not easy to send an international wire to accounts they control outside of the country targeted.”

Only two things prevent Brazilian threat attacks on institutions in the United States: “the intent to do, and the knowledge to do,” said Barbosa. “If the criminals around here, or from other parts of the globe can attack, they will attack.”