Security researchers discovered a new family of malware that being sold as a banking-Trojan-as-a-service. The malware, dubbed Mangit by Trend Micro researchers, was created by a cybercriminal in Northern Brazil known as “Ric,” who rents the banking Trojan for about $600 per 10-day period, according to a Trend Micro blog post.
The Trojan author sells the malware directly through a YouTube account, as Brazil's understaffed police remains overwhelmed in the face of an ongoing battle against cybercriminals and other criminal groups.
The malware includes an ability to bypass multiple authentication processes that are used by Brazilian banks. “We believe Ric works by himself and is not part of a larger syndicate,” the post stated. The firm said little is known about the Trojan author. “What we do know is that his ‘work' is of remarkably high quality,” according to the blog post.
However, a cybersecurity pro who specializes in penetration testing believes he has discovered the malware creator. Ric appears be a cybercriminal named Ricardo Marques Silva. Silva has posted multiple video tutorials demonstrating loaders, keyloggers and other malware programs, according to Red Cell Infosec CEO Dominique Davis.
The Mangit banking Trojan was discovered as the banking sector attempts to investigate security issues that allowed attackers to access bank networks in a series of cyberheists that affected global banking.
Financial institution throughout Brazil “continue to be assaulted by hackers exploiting security loopholes and are unable to keep up the with pace of new trojan malware,” Justin Moore, Axcient founder and CEO, wrote in an email to SCMagazine.com. “Legacy IT and cybersecurity infrastructure at these institutions is simply overmatched against these new threat vectors.”
A recent report rated Brazil as the country with the lowest information security rating. The BitSight Insights report found that companies in Brazil experienced the highest rate of compromised machines, compared to the other countries studied, including the U.S., UK, Singapore, Germany, China, and Brazil.
The type of malware is associated with threat actors and criminal activities that extend beyond mere banking fraud, according to Davis. Nic sells services that are similar to those provided by LaFirmaSec, a Brazilian cybercriminal group including a C-panel brute forcer.
LaFirmaSec's webpage contains YouTube videos tutorials that demonstrate how to use its banking Trojans and malware. However, the website also publishes a “trophy” list of victims – including images of children of Brazilian government employees. The list contains the social media, government ID, address, parents' names, parent occupation, gender, date of birth, sexual orientation, date of death, and blood type information of the children – some of whom are as young as seven years old.
Davis believes LaFirmaSec's “trophy” list may in fact be a hit list hiding in plain sight. “See where it says, ‘R President Kennedy'?” he asked. “It doesn't sound good.”