Four different families of Brazilian banking trojans collectively called Tetrade were found to be targeting financial institutions in Brazil, Latin America, and Europe.
The malware families – comprising Guildma, Javali, Melcoz, and Grandoreiro – function as backdoors and use numerous obfuscation techniques to hide their malicious activities from security software.
Kaspersky stated that Guildma, Javali, Melcoz and Grandoreiro are examples of a Brazilian banking group/operation that has decided to expand its attacks abroad, targeting banks in other countries.
The attackers benefit because many banks operating in Brazil also have operations in Latin America and Europe, which makes it easy to extend their attacks to customers of these financial institutions.
Guildma and Javali have a multi-stage malware deployment process and use phishing emails to distribute the initial payloads.
Guildma has added new features and stealthiness to its campaigns since its origin in 2015. It has also expanded to new targets beyond Brazil to attack banking users in Latin America.
It also takes advantage of NTFS Alternate Data Streams to conceal the presence of the downloaded payloads in the target systems and leverages DLL Search Order Hijacking to launch the malware binaries, only proceeding further if the environment is free of debugging and virtualization tools.
In order to execute the additional modules, the malware uses the process hollowing technique for hiding the malicious payload inside a whitelisted process, such as svchost.exe. These modules are downloaded from an attacker-controlled server, whose information is stored in Facebook and YouTube pages in an encrypted format.
After installation, the final payload checks for bank websites, which, when opened, trigger a cascade of operations that allow the attackers to perform any financial transaction using the victim’s computer.
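The Guildma behaviours described above (payloads hidden in NTFS Alternate Data Streams, modules hollowed into svchost.exe) leave traces in endpoint telemetry that a defender can triage. The following is an added example, not code from Kaspersky or the original article; the event format, field names and sample paths are constructed assumptions, and the rules are heuristics rather than signatures.

```python
import ntpath

# Constructed sample events (field names and values are assumptions,
# loosely modelled on endpoint process-create / stream-create telemetry).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Users\Public\example_loader.exe"},
    {"type": "process_create", "image": r"C:\Users\Public\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "stream_create", "target": r"C:\Users\Public\notes.txt:example.dat"},
    {"type": "stream_create", "target": r"C:\Users\Public\setup.msi:Zone.Identifier"},
]

SYSTEM32 = r"c:\windows\system32"
BENIGN_STREAMS = {"zone.identifier"}  # Mark-of-the-Web stream written by browsers


def stream_name(path):
    """Return the ADS name from 'file:stream[:$DATA]', or None for a plain path."""
    parts = ntpath.basename(path).split(":")  # basename drops the drive colon
    return parts[1] if len(parts) > 1 and parts[1] else None


def check_event(ev):
    """Return a finding string for a suspicious event, else None."""
    if ev["type"] == "stream_create":
        name = stream_name(ev["target"])
        if name and name.lower() not in BENIGN_STREAMS:
            return "named data stream written: " + ev["target"]
    elif ev["type"] == "process_create":
        image, parent = ev["image"].lower(), ev["parent"].lower()
        if ntpath.basename(image) == "svchost.exe":
            # Heuristic: the real svchost.exe runs from System32 and is
            # started by services.exe; a hollowed copy is started by the loader.
            if ntpath.dirname(image) != SYSTEM32:
                return "svchost.exe outside System32: " + ev["image"]
            if parent != SYSTEM32 + r"\services.exe":
                return "svchost.exe with unexpected parent: " + ev["parent"]
    return None


def triage(events):
    """Collect findings for every event that matches a rule."""
    return [f for f in map(check_event, events) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```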
Javali uses payloads delivered through emails to fetch a final-stage malware from a remote C2. The malware is capable of stealing financial and login information from users in Brazil and Mexico who are visiting cryptocurrency websites (Bittrex) or payment solutions (Mercado Pago).
Melcoz, a variant of the open-source RAT Remote Access PC, has been associated with various attacks in Chile and Mexico since 2018. It has the ability to steal passwords from the clipboard, browsers, and Bitcoin wallets by replacing the original wallet information with an alternative.
It uses VBS scripts in installer package files (.MSI) to download the malware onto the system and subsequently abuses the AutoIt interpreter and the VMware NAT service to load the malicious DLL on the target system.
The researchers stated that the malware allows the attacker to display an overlay window in front of the victim’s browser to manipulate the user’s session in the background. The fraudulent transaction is therefore performed from the victim’s machine, making it difficult for anti-fraud solutions on the bank’s end to detect.
It is also possible for an attacker to request specific information asked during a bank transaction, such as a one-time password, thereby bypassing two-factor authentication.
Grandoreiro has been linked to a campaign spread across Brazil, Mexico, Portugal, and Spain since 2016, allowing attackers to perform fraudulent banking transactions by using the victims’ computers to bypass security measures used by banks.
The malware is hosted on Google Sites pages and delivered through compromised websites and Google Ads or spear-phishing methods, in addition to using a Domain Generation Algorithm (DGA) to hide the C2 address used during the attack.
Kaspersky stated that Brazilian criminals are rapidly creating an ecosystem, recruiting cybercriminals to work with in other countries, adopting MaaS (malware-as-a-service) and quickly adding new techniques to their malware to keep it relevant and financially attractive to their partners.
These banking trojans try to innovate by using DGA, encrypted payloads, process hollowing, DLL hijacking, a lot of LoLBins, fileless infections and other tricks as a way of obstructing analysis and detection.