Brazilian cybercriminals, long regarded as some of the most creative malware creators, have begun to take their original malicious programmes outside the country. According to Kaspersky researchers, four advanced banking families—Guildma, Javali, Melcoz and Grandoreiro—have begun targeting users in North America, Europe, and Latin America.
Collectively known as Tetrade, they represent the latest innovations in banking malware, having deployed a variety of new evasion techniques.
Brazil, home to some of today’s most active and creative cybercriminals, has long been a hotspot for banking Trojans—malware that steals credentials for e-payment and online banking systems so that criminals can siphon funds from victims’ accounts. However, in the past, Brazilian criminals primarily targeted customers of local financial institutions. That changed at the beginning of 2011 when a few groups began experimenting with exporting basic Trojans abroad—with limited success. Now, in 2020, four families, known as Tetrade, have implemented the necessary innovations to take their distribution worldwide.
One family, Guildma, has been active since 2015 and is spread primarily through phishing emails disguised as legitimate business communications or notifications.
Since its initial discovery, Guildma has acquired several new evasion techniques, making it particularly difficult to detect. Beginning in 2019, Guildma began to hide the malicious payload within the victim’s system using a special file format. In addition, Guildma stores its communication with the control server in an encrypted format on Facebook and YouTube pages. As a result, the communication traffic is difficult to detect as malicious, and because no antivirus blocks either of those websites, it ensures the control server can execute commands uninterrupted.
In 2015, Guildma was active exclusively in Brazil. It’s now widespread in South America, the USA, Portugal, and Spain.
Another local banking Trojan known as Javali (active since 2017), has also been seen outside of Brazil, targeting banking customers in Mexico. Like Guildma, it is also spread via phishing emails and it has begun using YouTube to host its C2 communications.
The third family, Melcoz, has been active since 2018, but has since expanded overseas, in countries like Mexico and Spain.
Last, but not least, Grandoreiro began targeting users in Latin America before expanding to countries in Europe. Of the four families, it is the most widespread. It’s been active since 2016 and follows a malware-as-a-service business model: different cybercriminals can purchase access to the necessary tools for launching the attack.
This family is distributed via compromised websites, as well as via spearphishing. Like Guildma and Javali, it hides its C2 communications on legitimate third-party websites.
“Brazilian criminals, like the ones behind these four banking families, are actively recruiting affiliates in other countries to successfully export their malware worldwide. What’s more, they are continuously innovating, adding new tricks and techniques to hide their malicious activity and make their attacks more lucrative. We expect these four families to begin attacking more banks in additional countries—and new families to pop up. That’s why it’s so important for financial institutions to monitor these threats closely and take steps to boost their anti-fraud capabilities,” comments Dmitry Bestuzhev, head of GReAT, Latin America.
Learn more about these sophisticated banking families on Securelist.
To protect your financial institution from these four banking Trojans and others, Kaspersky experts recommend:
• Provide your SOC team with access to the latest Threat Intelligence to keep them up to date on new and emerging tools, techniques and tactics used by threat actors and cybercriminals. For example, Kaspersky Financial Threat Intelligence Reporting contains IoCs, Yara rules and hashes for these threats.
• Educate your customers on possible tricks malefactors may use. Regularly send them information on how to identify fraud and behave in this situation.
• Implement an anti-fraud solution that is capable of detecting sophisticated fraud cases. For example, Kaspersky Fraud Prevention, a session-based anti-fraud solution, can combat not only malicious attempts (JavaScript injection, hidden Remote Administration Tools connection and website usage) at the incubation stage of money theft, but also identify subsequent misbehaviour in accounts