Hackers Add Security Software Removal to Banload Banking Malware

There are two primary characteristics of the Brazilian hacking scene: a focus on Brazil, and the adaptability of the hackers. Very strict money laws make trans-border money movement difficult, ensuring that most targets remain local; and the hackers tend to move on to new targets when the current one becomes too difficult.

Hackers targeting banks are an exception — banking malware is focused on banks and bank users, and cannot readily be moved to a different type of victim. SentinelOne has now analyzed a new development within perhaps the most prolific Brazilian banking malware, Banload, that highlights the hackers’ adaptability. Unable to move to easier targets, they are seeking to make their targets easier.

Banload has been analyzed before by Cybereason (it is one of the few Brazilian malware families to spread out of Brazil, targeting other Spanish-speaking countries including Argentina, Bolivia, Chile, Venezuela and Spain). Even though it has been found elsewhere, ESET reported on April 30, 2019 that 82.9% of its detections are found within Brazil’s national borders.

Brazil is the most populous country in South America, making it a rich target for bank fraud. Online banking has been increasing for several years. So, too, has the general level of cyber hygiene among the population, making successful bank fraud more difficult. To counteract this, the hackers have introduced a new component into Banload, known internally as ‘FileDelete’. It is a kernel mode driver designed to remove the software drivers and executables of popular anti-malware and banking protection programs.

FileDelete is delivered via PowerShell to the local directory “C:G DATA Security Software”. It is protected by a code signing certificate under the name of M2 AGRO DESENVOLVIMENTO DE SISTEMAS LTDA, signed on March 31, 2019; and it removes software products belonging to AVG, Trusteer Rapport, Avast, and the Bradesco software “scpbrad”.

It does this with an IRP stack walk: it issues an IRP_MJ_SET_INFORMATION request with the FileDispositionInformation class and DeleteFile set, which is how a kernel driver marks a file for deletion.
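From a defender's side, the pattern described above (a newly loaded kernel driver carrying an unfamiliar but valid code-signing certificate, followed within minutes by deletions of anti-malware and banking-protection files) is something endpoint telemetry can be correlated on. The following is an added example, not code from SentinelOne or from the article, that runs a small correlation rule over constructed events. The record layout imitates Sysmon's DriverLoad (ID 6) and FileDelete (ID 23) fields, the file paths and timestamps are made up, the "expected signers" list and the assumption that kernel-initiated deletes show `Image` as `System` are both assumptions for the example; only the product names and the signer name come from the article.

```python
"""Toy correlation rule for the Banload 'FileDelete' pattern: an unexpected
kernel-driver load followed by deletions of security-software files.
All events below are constructed for this example, not real telemetry."""

from dataclasses import dataclass, field
from typing import Dict, List

# Products the article says FileDelete removes. Matching on path fragments is a
# heuristic (assumption), not a vendor-maintained list of protected files.
PROTECTED_HINTS = ("\\avg\\", "\\avast\\", "\\trusteer\\", "rapport", "scpbrad")

# Signers we expect on kernel drivers in this (assumed) environment. A real
# fleet would derive this from an inventory of drivers actually in use.
EXPECTED_SIGNERS = {
    "microsoft windows",
    "microsoft windows hardware compatibility publisher",
}


@dataclass
class Event:
    ts: int                              # seconds; only differences matter here
    kind: str                            # "DriverLoad" or "FileDelete"
    fields: Dict[str, str] = field(default_factory=dict)


# Constructed sample telemetry. Field names follow Sysmon DriverLoad (ID 6) and
# FileDelete (ID 23); paths and times are invented, the signer string is the
# one the article reports for the FileDelete driver.
SAMPLE_EVENTS: List[Event] = [
    Event(100, "DriverLoad", {"ImageLoaded": "C:\\Windows\\System32\\drivers\\example_ok.sys",
                              "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}),
    Event(200, "DriverLoad", {"ImageLoaded": "C:\\example_dir\\filedelete_example.sys",
                              "Signature": "M2 AGRO DESENVOLVIMENTO DE SISTEMAS LTDA",
                              "SignatureStatus": "Valid"}),
    Event(205, "FileDelete", {"Image": "System",
                              "TargetFilename": "C:\\Program Files\\AVG\\Antivirus\\example.exe"}),
    Event(206, "FileDelete", {"Image": "System",
                              "TargetFilename": "C:\\Program Files\\Trusteer\\Rapport\\example.dll"}),
    Event(207, "FileDelete", {"Image": "System",
                              "TargetFilename": "C:\\Users\\alice\\Downloads\\report.pdf"}),
    # A later delete with no preceding odd driver load: plausibly an uninstall.
    Event(900, "FileDelete", {"Image": "C:\\Windows\\System32\\msiexec.exe",
                              "TargetFilename": "C:\\Program Files\\Avast\\example.exe"}),
]


def is_protected_path(path: str) -> bool:
    """True if the path looks like it belongs to one of the named products."""
    p = path.lower()
    return any(h in p for h in PROTECTED_HINTS)


def is_unexpected_driver(ev: Event) -> bool:
    """A loaded driver whose signer is not on the expected list. Note that a
    *valid* signature is not reassuring on its own: the article's driver was
    validly signed under the name of an unrelated company."""
    if ev.kind != "DriverLoad":
        return False
    signer = ev.fields.get("Signature", "").strip().lower()
    return signer not in EXPECTED_SIGNERS


def detect(events: List[Event], window: int = 300) -> List[dict]:
    """Return one alert per deletion of a security-software file.
    Severity is 'high' when an unexpected driver load preceded the delete by
    at most `window` seconds (the FileDelete pattern), otherwise 'medium'
    (could be a legitimate uninstall, but still worth a look)."""
    alerts: List[dict] = []
    recent_drivers: List[Event] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if is_unexpected_driver(ev):
            recent_drivers.append(ev)
            continue
        if ev.kind != "FileDelete":
            continue
        target = ev.fields.get("TargetFilename", "")
        if not is_protected_path(target):
            continue
        # Drop driver loads that fall outside the correlation window.
        recent_drivers = [d for d in recent_drivers if ev.ts - d.ts <= window]
        if recent_drivers:
            drv = recent_drivers[-1]
            alerts.append({"severity": "high", "ts": ev.ts, "target": target,
                           "driver": drv.fields.get("ImageLoaded", ""),
                           "signer": drv.fields.get("Signature", "")})
        else:
            alerts.append({"severity": "medium", "ts": ev.ts, "target": target,
                           "deleting_image": ev.fields.get("Image", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the rule raises two high-severity alerts for the AVG and Trusteer deletions that follow the oddly signed driver, ignores the unrelated PDF, and downgrades the later Avast deletion by `msiexec.exe` to medium because no suspicious driver load sits inside the window. The point of the split is that file deletion under a vendor's directory happens during ordinary uninstalls too; the driver-load context is what separates the FileDelete behaviour from noise.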

“While the signed driver itself does not appear to be sophisticated,” says SentinelOne, “its custom implementation demonstrates that the group behind Banload continues to innovate and adopt newer tools meant for fraud operations while installed on the victim machines.” 

It also demonstrates the adaptability of Brazilian hackers highlighted by Recorded Future. As banking fraud gets harder through increased use of security software, the hackers simply seek to remove the defenses.

Palo Alto, Calif.-based endpoint security firm SentinelOne raised $70 million in a Series C funding round led by VC firm Redpoint Ventures in January 2017, bringing the total raised by the company to $109.5 million.

Related: Spy Banker Malware Delivered via Facebook, Google Cloud 

Related: Floki Bot Developer Imports Cybercrime Tools to Brazil 

Related: Brazilian Hackers Using RDP to Spread Xpan Ransomware 

Related: Cyber-Criminal Training Services for Sale in Brazilian Underground

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
