How a piece of Brazilian malware became a global cybercrime export

Brazil holds a special place in popular consciousness. It evokes thoughts of sun-kissed beaches and dense, lush jungle, as well as extreme violence and poverty. Very few people outside the industry, however, would associate it with a distinctly more modern phenomenon: cybercrime.

Brazil has been a major player in the global cybercrime landscape for over a decade now. Brazilian threat actors have been cited in a number of high-profile reports as engaging in a wide range of cybercriminal activity, mostly aimed at high-yield targets in the financial industry. According to the Igarapé Institute, a Brazilian think-tank which engages with security and development issues, the country is ranked second worldwide in online banking fraud and financial malware. Brazilian hackers are known for operating large botnets that send out phishing and spam emails and spread info-stealers and banking trojans.

But even by Brazil’s own exceptionally high cybercrime standards, what Cybereason uncovered during 2018 proved exceptional. While researching, monitoring and analysing Brazilian financial malware, we discovered that this piece of malware had legs: it had managed to spread across almost a dozen countries in South America, Portugal and Spain, targeting customers of more than 60 banks around the globe.

So how did Brazilian cybercriminals take this malware and unleash it on victims across the world? As with so many cybercrime campaigns, it started with a phish…


Infection

Cybereason found, unsurprisingly, that phishing emails were used for the initial infection. The email body usually contains either an attachment or a link to a URL shortener that points to hosting websites where the first-stage payload is stored. The payloads involved often masquerade as Flash/Java updates.

Using a tactic which is popular in social engineering campaigns globally, the emails purport to be invoices (“FATURA” in Portuguese) in order to dupe victims into clicking and investigating further. Another common theme is spoofing emails to make them look like they came from VIVO, Brazil’s largest telecommunications company. These two hooks allow cybercriminals to target a significant number of potential victims with minimal effort, on the assumption that invoices and emails from VIVO are sent and received every day and so will not look out of the ordinary.

Once the PDF documents within these phishing emails are opened, they lead to a stream containing a shortened URL, which works to deflect antivirus detection. The URL then resolves to a Dropbox or other online storage service URL hosting a ZIP archive that contains the first-stage downloader script. Another method led victims to a file-sharing website, where they were encouraged to download a ZIP file. Once users click on the file, it spawns cmd.exe and powershell.exe processes, which download a secondary payload. Additionally, an Internet Explorer instance launches and loads a legitimate Adobe website, probably to allay any suspicions that the users have about the downloaded file and to distract them from what’s going on in the background.
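The process behaviour described above gives defenders something to correlate: a cmd.exe whose process tree contains both a powershell.exe and an Internet Explorer instance opened on an Adobe page. The sketch below is an added example, not Cybereason's detection logic; the event records, their field names and the URL are constructed for illustration, and PID reuse is ignored.

```python
from collections import defaultdict

# Constructed process-creation records. The field names are assumptions,
# loosely modelled on what an EDR or process-creation log exposes.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 210, "ppid": 100, "image": "cmd.exe",
     "cmd": 'cmd.exe /c "C:\\Users\\a\\Downloads\\FATURA.cmd"'},
    {"pid": 211, "ppid": 210, "image": "powershell.exe",
     "cmd": "powershell.exe <arguments elided>"},
    {"pid": 212, "ppid": 210, "image": "iexplore.exe",
     "cmd": "iexplore.exe https://www.adobe.com/"},
    # Benign admin activity: cmd.exe -> powershell.exe with no decoy browser.
    {"pid": 300, "ppid": 100, "image": "cmd.exe", "cmd": "cmd.exe"},
    {"pid": 301, "ppid": 300, "image": "powershell.exe",
     "cmd": "powershell.exe Get-Date"},
]


def descendants(children, root):
    """All pids below root in the process tree (iterative, cycle-safe)."""
    seen, stack = set(), [root]
    while stack:
        for child in children[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def find_decoy_chains(events):
    """Return pids of cmd.exe processes whose subtree holds both a
    powershell.exe and an iexplore.exe opened on an Adobe URL."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    hits = []
    for e in events:
        if e["image"].lower() != "cmd.exe":
            continue
        sub = [by_pid[p] for p in descendants(children, e["pid"])]
        has_ps = any(s["image"].lower() == "powershell.exe" for s in sub)
        has_decoy = any(s["image"].lower() == "iexplore.exe"
                        and "adobe.com" in s["cmd"].lower() for s in sub)
        if has_ps and has_decoy:
            hits.append(e["pid"])
    return hits
```

Requiring both children keeps ordinary cmd.exe to powershell.exe administration (pid 300 in the sample) out of the results.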

Theft

In 70 percent of the infections, the infection chain traces back to three main file extensions: .bat, .cmd and .lnk. The scripts are usually contained in an archive (.rar/.zip) to bypass email and spam filters. In addition to the batch files, Cybereason’s researchers also observed other extensions, such as .exe (Windows Executable) and .chm (compiled HTML), sent over as email attachments. Once installed and past the antivirus gatekeepers, the malware will begin to steal online banking data from the targeted banks, a list of which is embedded into the configuration of the malware. Although the malware was Brazilian in its origins, some samples were written to target banks in Spanish-speaking countries across Europe and Latin America, including Chile, Bolivia, Argentina and Spain.

This combination of downloaders bundled in archives was one of the biggest strengths of the campaign, as it proved incredibly adept at bypassing antivirus software. Many of the analysed payloads correspondingly had a low detection rate, ranging from 0 to 17 out of 59 antivirus vendors.
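Because the downloaders hide inside archives, a mail filter has to look at archive members rather than the attachment name. The following added example (not from Cybereason's report) lists ZIP members carrying the extensions named above and descends into nested ZIPs; the depth and size limits, the finding labels and the sample archive are assumptions made for the illustration, and .rar is not covered because Python's standard library cannot read it.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the article ties to the infection chain.
DOWNLOADER_EXTS = {".bat", ".cmd", ".lnk"}   # behind 70 percent of infections
OTHER_EXTS = {".exe", ".chm"}                # also seen as attachments
MAX_DEPTH = 2                   # assumption: unpack at most two nested levels
MAX_NESTED_BYTES = 10 * 2**20   # assumption: skip nested archives over 10 MiB


def scan_zip(data, depth=0, prefix=""):
    """Return sorted (member_path, reason) findings for a ZIP given as bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<attachment>", "not-a-valid-zip")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext in DOWNLOADER_EXTS:
                findings.append((path, "downloader-script"))
            elif ext in OTHER_EXTS:
                findings.append((path, "executable-content"))
            elif ext == ".zip":
                blocked = (depth >= MAX_DEPTH or info.flag_bits & 0x1
                           or info.file_size > MAX_NESTED_BYTES)
                if blocked:  # too deep, encrypted or too large to open safely
                    findings.append((path, "nested-archive-not-inspected"))
                else:
                    findings += scan_zip(zf.read(info), depth + 1, path + "!")
    return sorted(findings)


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample: an "invoice" archive wrapping a second archive.
inner = make_zip({"FATURA.cmd": b"rem placeholder", "leia-me.txt": b"x"})
SAMPLE = make_zip({"docs/fatura.pdf": b"%PDF-", "Fatura.LNK": b"L", "a.zip": inner})
```

Calling `scan_zip(SAMPLE)` reports the shortcut at the top level and the script inside the nested archive, with `!` marking the archive boundary in the path.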

The Bigger Picture

Other Brazilian malware that was related to the malware analysed by Cybereason was also found on the compromised machines. These post-infection payloads provide a glimpse into the Brazilian malware ecosystem and, to some extent, offer an understanding of what the threat actors are after. 

In addition to the banking Trojans targeting bank users, we found that the same campaigns were distributing cryptocurrency miners, infostealers and malware that targets Microsoft Outlook. Malware that targets Outlook is a serious concern since it poses a major risk to organizations worldwide. The malware contains features that leverage Outlook’s functions, like the ability to query victims’ contact lists. Threat actors usually use this information for spam campaigns but can also sell it on the dark market to other attackers who want information on an organization they’re planning to attack. 

Assaf Dahan, Senior Director and Head of Threat Hunting at Cybereason

Assaf Dahan has more than 13 years of offensive and defensive cybersecurity experience. As Cybereason’s lead security researcher in Tokyo, his areas of focus include the Japanese threat landscape and fileless malware. Prior to joining Cybereason, Dahan led Ernst and Young’s Red Team in Israel and developed penetration testing methodologies.