There are two primary characteristics of the Brazilian hacking scene: a focus on Brazil, and the adaptability of the hackers. Very strict money laws make trans-border money movement difficult, ensuring that most targets remain local; and the hackers tend to move on to new targets when the current one becomes too difficult.
Hackers targeting banks are an exception — banking malware is focused on banks and bank users, and cannot readily be moved to a different type of victim. SentinelOne has now analyzed a new development within perhaps the most prolific Brazilian banking malware, Banload, that highlights the hackers’ adaptability. Unable to move to easier targets, they are seeking to make their targets easier.
Banload has been analyzed before by Cybereason (it is one of the few Brazilian malware families to spread beyond Brazil, targeting Spanish-speaking countries including Argentina, Bolivia, Chile, Venezuela and Spain). Even though it has been found elsewhere, ESET reported on April 30, 2019 that 82.9% of its detections are found within Brazil’s national borders.
Brazil is the most populous country in South America, making it a rich target for bank fraud. Online banking has been increasing for several years. So, too, has the general level of cyber hygiene among the population, making successful bank fraud more difficult. To counteract this, the hackers have introduced a new component into Banload, known internally as ‘FileDelete’. It is a kernel mode driver designed to remove the software drivers and executables of popular anti-malware and banking protection programs.
FileDelete is delivered via PowerShell to the local directory “C:\G DATA Security Software”. It is protected by a code signing certificate under the name of M2 AGRO DESENVOLVIMENTO DE SISTEMAS LTDA, signed on March 31, 2019; and it removes software products belonging to AVG, Trusteer Rapport, Avast, and the Bradesco software “scpbrad”.
It does this from kernel mode by walking the IRP stack and issuing an IRP_MJ_SET_INFORMATION request with the FileDispositionInformation class and its DeleteFile flag set, the kernel-level equivalent of marking a file for deletion.
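The two behaviours the article attributes to FileDelete are both observable from an endpoint: a kernel driver loaded from a directory that borrows a security vendor’s name but is signed by an unrelated publisher, and files belonging to security products being deleted from kernel context. The following is an added detection sketch, not code from the SecurityWeek article or from SentinelOne’s analysis. It runs over constructed event records shaped loosely like Sysmon driver-load and file-delete events; the file names, signer string for the benign driver, and the Trusteer path are constructed placeholders, while the directory name, signer name and targeted product names come from the article.

```python
"""Detection sketch for the Banload 'FileDelete' tradecraft described above.

Added example: event shapes, file names and the benign signer are constructed;
only the dropped-directory name, the M2 AGRO signer and the targeted product
names are taken from the article.
"""
from dataclasses import dataclass
from typing import List, Union

# Lower-cased vendor/product hints: names the article says FileDelete removes
# (AVG, Trusteer Rapport, Avast, Bradesco scpbrad) plus the vendor whose name
# the drop directory impersonates (G DATA).
SECURITY_PRODUCT_HINTS = ("g data", "avg", "avast", "trusteer", "rapport", "scpbrad", "bradesco")

# Directories from which legitimately installed kernel drivers are normally loaded.
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")


@dataclass
class DriverLoad:
    image_path: str        # full path of the loaded .sys file
    signer: str            # subject name on the Authenticode signing certificate
    signature_valid: bool  # whether the signature chain verified at load time


@dataclass
class FileDelete:
    target_path: str
    process_image: str     # "System" when the deletion originates in kernel mode


def product_hint(text: str):
    """Return the first security-product hint contained in text, or None."""
    low = text.lower()
    for hint in SECURITY_PRODUCT_HINTS:
        if hint in low:
            return hint
    return None


def check_driver_load(ev: DriverLoad) -> List[str]:
    """Flag drivers loaded from odd locations or impersonating a vendor they were not signed by."""
    findings = []
    directory = ev.image_path.lower().rsplit("\\", 1)[0]
    if not ev.signature_valid:
        findings.append(f"driver {ev.image_path}: signature invalid or revoked")
    if not directory.startswith(TRUSTED_DRIVER_DIRS):
        findings.append(f"driver {ev.image_path}: loaded from outside the system driver directories")
    hint = product_hint(directory)
    # A directory named after a security vendor should hold that vendor's signed code.
    if hint and hint not in ev.signer.lower():
        findings.append(f"driver {ev.image_path}: directory names '{hint}' but signer is '{ev.signer}'")
    return findings


def check_file_delete(ev: FileDelete) -> List[str]:
    """Flag security-product files removed from kernel context rather than by an uninstaller."""
    hint = product_hint(ev.target_path)
    if hint and ev.process_image.lower() == "system":
        return [f"security product file {ev.target_path} ('{hint}') deleted from kernel context"]
    return []


def run_detection(events: List[Union[DriverLoad, FileDelete]]) -> List[str]:
    findings: List[str] = []
    for ev in events:
        if isinstance(ev, DriverLoad):
            findings.extend(check_driver_load(ev))
        else:
            findings.extend(check_file_delete(ev))
    return findings


# Constructed sample telemetry: one benign driver, one matching the article's
# description, one ordinary user file deletion, one kernel-context AV removal.
SAMPLE_EVENTS = [
    DriverLoad(r"C:\Windows\System32\drivers\avgmonflt.sys", "AVG Technologies (constructed)", True),
    DriverLoad(r"C:\G DATA Security Software\filedelete.sys",  # file name is a placeholder
               "M2 AGRO DESENVOLVIMENTO DE SISTEMAS LTDA", True),
    FileDelete(r"C:\Users\alice\Downloads\report.pdf", r"C:\Windows\explorer.exe"),
    FileDelete(r"C:\Program Files\Trusteer\Rapport\bin\RapportService.exe", "System"),
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

Against the sample telemetry the benign driver and the user’s PDF produce nothing, the dropped driver produces two findings (untrusted directory, signer mismatch with the G DATA directory name) and the Trusteer deletion produces one. In production the same checks would consume real driver-load and file-delete telemetry; the vendor hint list is deliberately short and should be tuned to the products actually deployed.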
“While the signed driver itself does not appear to be sophisticated,” says SentinelOne, “its custom implementation demonstrates that the group behind Banload continues to innovate and adopt newer tools meant for fraud operations while installed on the victim machines.”
It also demonstrates the adaptability of Brazilian hackers highlighted by Recorded Future. As banking fraud gets harder through increased use of security software, the hackers simply seek to remove the defenses.
Palo Alto, Calif.-based endpoint security firm SentinelOne raised $70 million in a Series C funding round led by VC firm Redpoint Ventures in January 2017, bringing the total raised by the company to $109.5 million.
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.