Researchers this year discovered a pair of malicious campaigns that attempted to distribute the recently discovered Amavaldo banking trojan to Brazilians and Mexicans, respectively.
Amavaldo is one of 10 malware families that researchers at ESET’s lab in Prague are claiming to have discovered since 2017, when they first launched an in-depth investigation into Latin American banking trojans. The trojan, whose name means “Lovable,” is anything but.
“After detecting a bank-related window, it takes a screenshot of the desktop and makes it look like the new wallpaper,” explains the ESET research team, in a company blog post today. “Then it displays a fake pop-up window chosen based on the active window’s text while disabling multiple hotkeys and preventing the victim to interact with anything else but the popup window.”
In January 2019, the actors behind Amavaldo were observed specifically targeting Brazilian banks and their users, but then April they expanded their activities to Mexico and now appear solely focused on the latter country.
In addition to its banking trojan functionality, the Delphi-based, modular malware also supports backdoor commands, including taking screenshots, using the webcam to capture photos, keylogging, downloading additional programs, restricting access to legitimate banking websites and mouse and keyboard simulation.
Additionally, the malware collects information on infected victims, including the make of computer and its OS identification, and banking protections installed by the victim.
Amavaldo remains in active development, ESET reports. As a final payload it arrives as a ZIP archive with three components: a copy of a legitimate application, an injector and the encrypted banking trojan itself. The injector uses DLL sideloading to self-inject into processes for either Windows Media Player or Internet Explorer.
Researchers at ESET have observed two different distribution chains to deliver Amavaldo. The campaign targeting Brazil relied on a malicious MSI installer that supposedly installs Adobe Acrobat Reader DC, but actually uses an embedded file containing a VBS downloader to produce a second VBS downloader. This second VBS file abuses the Windows Management Instrumentation Command line (WMIC) to bring forth an XSL containing embedded PowerShell that, in turn, finally downloads Amavaldo.
The campaign targeting Mexican banking customers was observed using a different MSI installer that contains an embedded Windows executable file, which acts as a downloader while delivering fake error message to victims, who again think they are downloading Acrobat Reader DC. ESET believes this particular campaign has relied on spam emails that arrive disguised as CV documents.