Researchers detail Tetrade family of Brazilian banking trojans

Researchers predict banking trojans will continue to evolve and take on new targets

Cybersecurity researchers from Kaspersky detailed four Brazilian banking trojans targeting financial institutions in Brazil, Latin America and Europe. Dubbed the Tetrade by researchers, the malware family includes Guildma, Javali, Melcoz and Grandoreiro banking trojans. 

Per the report, Guildma has added a host of new features to its campaigns since its inception in 2015. By using phishing emails with compressed email attachments, Guildma can hide malicious payloads and HTML files designed to execute JavaScript code. 

Once executed, Guildma downloads the HTML file and uses a legitimate command-line tool such as BITSAdmin to retrieve modules. Guildma also uses NTFS alternate data streams to conceal downloaded payloads and DLL search order hijacking to launch the malware. 

Once installed, the final payload monitors for specific bank websites. When the victim opens a specific bank website, threat actors can then execute financial transactions using the victim's computer. Though Guildma has targeted banking users in Brazil in the past, the campaign has since broadened its reach by attacking banking users in Latin America.

Much like Guildma, Javali uses a multi-stage malware deployment process to dupe its victims. Using phishing emails to distribute its initial payload, Javali emails include a file for a Microsoft installer along with an embedded Visual Basic script that downloads the final malicious payload from a remote C2. By using DLL sideloading and obfuscation techniques, Javali can hide its malicious activities.

Melcoz, another trojan app within the Tetrade family, has been linked to a string of attacks in Chile and Mexico since 2018. A variant of the open-source RAT remote access PC, Melcoz uses VBS scripts in installer package files to download the malware and can steal passwords from a user’s memory and browser. It can also steal a user’s Bitcoin wallet and replace the user’s wallet information with hacker’s banking information.

Kaspersky researchers also identified Grandoreiro campaigns targeting Brazil, Mexico, Portugal and Spain since 2016. Hosted on Google Sites pages, Grandoreiro is delivered via compromised websites, Google ads or by using spear-phishing methods. Grandoreiro also uses a domain generation algorithm to hide the C2 address used during the attack.

“Just like Melcoz and Javali, Grandoreiro started to expand its attacks in Latin American and later in Europe with great success, focusing its efforts on evading detection by using modular installers,” said researchers. 

“Among the four families we described, Grandoreiro is the most widespread globally. The malware enables attackers to perform fraudulent banking transactions by using the victims’ computers for bypassing security measures used by banking institutions,” they continued.

Guildma, Javali, Melcoz and Grandoreiro are all examples of Brazilian banking operations targeting users in multiple countries. Unfortunately, researchers predict these threats will continue to evolve and take on new targets in additional countries.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

How the right software can improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

Hackers use Linux backdoor on compromised e-commerce sites with software skimmer
malware

Hackers use Linux backdoor on compromised e-commerce sites with software skimmer

19 Nov 2021
Iranian hackers ramp up attacks against IT services sector
hacking

Iranian hackers ramp up attacks against IT services sector

19 Nov 2021
TikTok phishing campaign tried to scam over 125 influencer accounts
social media

TikTok phishing campaign tried to scam over 125 influencer accounts

18 Nov 2021
Alibaba ECS instances targeted in new cryptojacking campaign
cryptocurrencies

Alibaba ECS instances targeted in new cryptojacking campaign

16 Nov 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022