In 2020, four sophisticated Brazilian malware families sharpened their techniques and actively expanded their geographic reach, targeting users in North America, Europe, and elsewhere in Latin America.
Banking trojans, which steal banking logins and other financial info from unsuspecting victims, are common, but more sophisticated examples were pioneered in Brazil. According to Kaspersky Labs researchers, four major Brazilian banking-trojan families (Guildma, Javali, Melcoz and Grandoreiro, collectively known as Tetrade) went global in 2020.
A report from Kaspersky stated: “In the past, Brazilian criminals primarily targeted customers of local financial institutions. That changed at the beginning of 2011 when a few groups began experimenting with exporting basic trojans abroad. This year, four families known as Tetrade have implemented the necessary innovations to take their distribution worldwide.”
The Guildma hacking group, which has been around since 2015, likes to use phishing emails disguised as legitimate business notifications, according to the report.
“Most of the phishing messages emulate business requests, packages sent over courier services or any other regular corporate subjects, including the COVID-19 pandemic, but always with a corporate appearance.”
A unique trait of this group is its use of innovative evasion techniques, making its malware difficult to detect. In 2019, Guildma started hiding its malware payload inside the victim’s system using a special format. It also stores its communication with the control server in an encrypted format on Facebook and YouTube pages. Subsequently, communication traffic is next to impossible to detect as malicious.
The Javali malware group, which has been active since 2017, has recently spread to Mexico. Like Guildma, it also spreads through phishing emails with corrupted attachments and has begun using YouTube to host its command-and-control (C2) communications.
The third family, Melcoz, has been active since 2018. Melcoz steals passwords from browsers and the computer’s memory and includes a module for stealing Bitcoin wallets. It replaces the original wallet information with the cybercriminal’s credentials.
The last family, Grandoreiro, has been around since 2016 and has recently been targeting users across Latin America and Europe. Its malware is offered in an as-a-service model, and as a result, it has become the commonly seen of the four families. Their malware is distributed via compromised websites and phishing campaigns. Like Guildma and Javali, it hides its C2 communications on legitimate third-party websites.