Researchers detail Tetrade family of Brazilian banking trojans

Researchers predict banking trojans will continue to evolve and take on new targets

Cybersecurity researchers from Kaspersky detailed four Brazilian banking trojans targeting financial institutions in Brazil, Latin America and Europe. Dubbed the Tetrade by researchers, the malware family includes Guildma, Javali, Melcoz and Grandoreiro banking trojans. 

Per the report, Guildma has added a host of new features to its campaigns since its inception in 2015. By using phishing emails with compressed email attachments, Guildma can hide malicious payloads and HTML files designed to execute JavaScript code. 

Once executed, Guildma downloads the HTML file and uses a legitimate command-line tool such as BITSAdmin to retrieve modules. Guildma also uses NTFS alternate data streams to conceal downloaded payloads and DLL search order hijacking to launch the malware. 

Once installed, the final payload monitors for specific bank websites. When the victim opens a specific bank website, threat actors can then execute financial transactions using the victim's computer. Though Guildma has targeted banking users in Brazil in the past, the campaign has since broadened its reach by attacking banking users in Latin America.

Much like Guildma, Javali uses a multi-stage malware deployment process to dupe its victims. Using phishing emails to distribute its initial payload, Javali emails include a file for a Microsoft installer along with an embedded Visual Basic script that downloads the final malicious payload from a remote C2. By using DLL sideloading and obfuscation techniques, Javali can hide its malicious activities.

Melcoz, another trojan app within the Tetrade family, has been linked to a string of attacks in Chile and Mexico since 2018. A variant of the open-source RAT remote access PC, Melcoz uses VBS scripts in installer package files to download the malware and can steal passwords from a user’s memory and browser. It can also steal a user’s Bitcoin wallet and replace the user’s wallet information with hacker’s banking information.

Kaspersky researchers also identified Grandoreiro campaigns targeting Brazil, Mexico, Portugal and Spain since 2016. Hosted on Google Sites pages, Grandoreiro is delivered via compromised websites, Google ads or by using spear-phishing methods. Grandoreiro also uses a domain generation algorithm to hide the C2 address used during the attack.

“Just like Melcoz and Javali, Grandoreiro started to expand its attacks in Latin American and later in Europe with great success, focusing its efforts on evading detection by using modular installers,” said researchers. 

“Among the four families we described, Grandoreiro is the most widespread globally. The malware enables attackers to perform fraudulent banking transactions by using the victims’ computers for bypassing security measures used by banking institutions,” they continued.

Guildma, Javali, Melcoz and Grandoreiro are all examples of Brazilian banking operations targeting users in multiple countries. Unfortunately, researchers predict these threats will continue to evolve and take on new targets in additional countries.

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

100 million IoT devices affected by zero-day flaw
Internet of Things (IoT)

100 million IoT devices affected by zero-day flaw

24 Sep 2021
New FamousSparrow hacking group caught targeting hotels
vulnerability

New FamousSparrow hacking group caught targeting hotels

24 Sep 2021
Dual citizen sentenced to 11 years for role in North Korean crypto hacking scheme
hacking

Dual citizen sentenced to 11 years for role in North Korean crypto hacking scheme

10 Sep 2021
IoT devices are more vulnerable than ever
Internet of Things (IoT)

IoT devices are more vulnerable than ever

10 Sep 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021