‘Tetrade’ Brazilian Banking Trojans Go International

The Brazilian cybercriminals behind four banking Trojans collectively dubbed “Tetrade” have decided to expand their business and started targeting victims internationally, Kaspersky’s security researchers reveal.

The four banking Trojan families – Guildma, Javali, Melcoz and Grandoreiro – have been active for years, but started emerging in attacks in North America, Europe, and Latin America only last year.

While this is not the first attempt by Brazilian crooks to expand abroad, it demonstrates not only determination, but also that the developers have managed to tailor their malware and techniques so they remain effective worldwide.

The first malware family on the list, Guildma, has been active since at least 2015, exclusively targeting banks in Brazil. Since last year, however, it has been targeting users in the United States, South America, Portugal and Spain as well.

A recent version of the highly modular malware stores its payload content in NTFS Alternate Data Streams (ADS) and features a complex execution flow. The threat is delivered via emails with malicious attachments, with newer attacks leveraging HTML files that execute JavaScript to drop a malicious payload.

“The malware relies on anti-debugging, anti-virtualization and anti-emulation tricks, besides the usage of process hollowing, living-off-the-land binaries (LOLBin) and NTFS Alternate Data Streams to store downloaded payloads that come from cloud hosting services such as CloudFlare’s Workers, Amazon AWS and also popular websites like YouTube and Facebook, where they store C2 information,” Kaspersky notes.
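Because the default directory listing only shows a file's primary stream, payloads parked in ADS are easy to miss. The following PowerShell inventory is an added example, not code from the article or from Kaspersky's report; the scan root, the ignore list and the helper function name are assumptions:

```powershell
# Added example: list files under a directory that carry NTFS Alternate Data Streams
# beyond the default ':$DATA' and the Zone.Identifier mark-of-the-web, and peek at
# the first bytes of each extra stream so an 'MZ' (PE) or script header stands out.
param(
    [string]$Path = "$env:USERPROFILE",            # assumed scan root
    [string[]]$IgnoreStreams = @('Zone.Identifier') # assumed benign stream names
)

function Read-StreamHead {
    # Hypothetical helper: return the first $Count bytes of a named stream as text.
    param([string]$File, [string]$Stream, [int]$Count = 2)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $b = Get-Content -LiteralPath $File -Stream $Stream -AsByteStream -TotalCount $Count -ErrorAction SilentlyContinue
    } else {
        $b = Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount $Count -ErrorAction SilentlyContinue
    }
    if ($b) { -join [char[]]$b } else { '' }
}

Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * enumerates every stream on the file, including the unnamed ':$DATA'
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStreams -notcontains $_.Stream } |
            ForEach-Object {
                [PSCustomObject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    Magic  = Read-StreamHead -File $file.FullName -Stream $_.Stream
                }
            }
    } | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt against user-writable locations first; large or executable-looking streams on ordinary documents are the entries worth pulling for analysis.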

First seen in 2017, Javali primarily focuses on users in Brazil and Mexico and is delivered via phishing emails that include an MSI (Microsoft Installer) with an embedded Visual Basic script to fetch the final payload from a remote command and control (C&C) server. The threat relies on DLL sideloading and obfuscation to hide its malicious activity.

Leveraging whitelisted and signed binaries, along with MSI files and DLL hijacking, Javali seeks to infect en masse while still targeting only countries of interest, Kaspersky says. To that end, it only sends phishing emails to TLDs of interest, and the security researchers believe it might focus on Latin America.

Third on the list is Melcoz, a piece of malware that has operated in Brazil for years, and which started targeting users abroad in 2018. Chile was the first targeted country, but the malware also started popping up in Mexico, Spain, and Portugal.

The threat is a variant of Remote Access PC, an open-source remote access Trojan, distributed via phishing emails containing links to an MSI installer. Kaspersky identified two techniques for the malware’s delivery, namely an AutoIt loader script and DLL hijacking.

Grandoreiro too has been observed successfully targeting users in Europe, mainly in Spain and Portugal, after initially operating only in Brazil. The malware has also claimed victims in Mexico, and is the most widespread globally of the four Tetrade Trojans.

Active since 2016, the malware leverages a specific Domain Generation Algorithm (DGA) to hide its C&C address, and appears to be operating under a MaaS (Malware-as-a-Service) business model, thus making it difficult to link to a specific cyber-gang.

“Guildma, Javali, Melcoz and Grandoreiro are examples of yet another Brazilian banking group/operation that has decided to expand its attacks abroad, targeting banks in other countries. They benefit from the fact that many banks operating in Brazil also have operations elsewhere in Latin America and Europe, making it easy to extend their attacks against customers of these financial institutions,” Kaspersky concludes.

Related: Brazilian Hackers Described as Adaptable Pirates

Related: Silent Night: A New Malware-as-a-Service Banking Trojan Analyzed

Related: Evilnum Group Targets Fintech Companies in Europe

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
