When it comes to banking trojans Brazil is not only a leading manufacturer, but most often its residents bear the brunt of these attacks, however, Cybereason has found the same malware normally used to attack this South American country has spread worldwide.
The malware was found by Cybereason is being used against banks in more than 60 countries, but despite such widespread use the attack’s methodology remains true to the original. The malware has been tagged and tracked using several names, including Banload, Banbra, Bancos, Boleto, Delf and Spy.Banker.The malware, which is a RAT, was created by a Brazilian in 2015 and been available on Github. Cybereason found several strings of text written in Portuguese to back up this claim.
The author denies using his creation in an illegal fashion, Cybereason wrote.
“Even though the code has fully functional remote access capabilities, it does not seem to contain functionality directly related to financial malware. And, unlike other Brazilian financial malware, there’s no anti-analysis code, or ability to detect virtual machines and/or security products. These features were likely added by different malware authors who repurposed the open-source RAT code,” Cybereason said.
The multi-stage attacks all start with a phishing email to set the initial infection with the email’s body containing an attachment or link that utilizes a well-known URL shortener like Bitly or TinyURL that points to a hosting website. Subject lines usually refer to an invoice. The attackers are particularly sneaky here using well-known sites like AWS, Pastebin or Dropbox. These make it appear to both the victim and any security software, that the link is safe.
|How the malware runs its course|
- Social engineering as an entry point.
- Multiple redirections via URL shorteners and the usage of Dynamic DNS services.
- Payloads hosted on legitimate online storage services and CDNs (content delivery networks).
- Obfuscated PowerShell downloaders employing command-line logging evasion.
- Living off the land techniques that abuse Microsoft-signed binaries.
- Abusing trusted applications via DLL hijacking.
- Splitting the main payload into two or more components Splitting the main payload into two or more components.
Because the malware is relatively malleable the malicious actors behind it have spread outside of Brazil and Cybereason spotted them targeting banks located in a variety of Spanish speaking countries
Our research shows how Brazilian-made malware, originally designed to target Brazilian banking users, is repurposed to target other countries and their respective regional banks. We observed more than 60 banks being targeted by Brazilian financial malware. (See the section “Brazilian-made Malware, Spanish-Speaking Targets” for a list of targeted banks.)