Brazilian cybercriminals, long regarded as some of the most creative malware authors, are now exporting their home-grown malicious programs beyond the country's borders. According to Kaspersky researchers, four advanced banking malware families, Guildma, Javali, Melcoz and Grandoreiro, have begun targeting users in North America, Europe and Latin America. Collectively known as Tetrade, they represent the latest generation of banking malware and deploy a variety of new evasion techniques.
Brazil has long been a hotspot for banking Trojans, malware that steals credentials for e-payment and online banking systems so that criminals can siphon funds from victims' accounts. In the past, however, Brazilian criminals primarily targeted customers of local financial institutions. That changed at the beginning of 2011, when a few groups began experimenting with exporting basic Trojans abroad. This year, the four families known as Tetrade have made the changes needed to distribute their malware worldwide.
Guildma has been active since 2015 and is spread primarily through phishing emails disguised as legitimate business communications or notifications. Since its initial discovery, Guildma has acquired several new evasion techniques, making it particularly difficult to detect.
Beginning in 2019, Guildma started hiding its malicious payload on the victim's system using a special file format. In addition, Guildma stores the information it needs to reach its command-and-control (C2) server in encrypted form on Facebook and YouTube pages. The resulting traffic is hard to classify as malicious, and because no antivirus product blocks either of those websites, the operators can keep issuing commands uninterrupted. In 2015, Guildma was active exclusively in Brazil; it is now widespread in South America, the U.S., Portugal and Spain.
Another local banking Trojan, Javali (active since 2017), has also been seen outside Brazil, targeting banking customers in Mexico. Like Guildma, it is spread via phishing emails, and it has begun using YouTube to host its C2 communications.
The third family, Melcoz, has been active since 2018 and has since expanded overseas to countries such as Mexico and Spain.
The last family, Grandoreiro, began targeting users in Latin America before expanding to countries in Europe. Of the four families, it is the most widespread. It has been active since 2016 and follows a malware-as-a-service business model: different cybercriminals can purchase access to the tools needed to launch the attack. This family is distributed via compromised websites as well as via spear-phishing. Like Guildma and Javali, it hides its C2 communications on legitimate third-party websites.
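Guildma, Javali and Grandoreiro all park their C2 information on legitimate, high-reputation sites, which is exactly why the usual control (block the domain) does not apply. What a defender still has is context: which process on the endpoint made the request, and what it claimed to be. The following is an added example, not code from Kaspersky's report or from any of the malware families; the proxy log format, the process names and the log lines themselves are constructed for illustration, and the set of "browser" processes is an assumption a real deployment would tune to its own fleet.

```python
"""Flag dead-drop lookups hidden on high-reputation sites.

The C2 data lives on youtube.com / facebook.com pages, so domain
reputation gives no signal. Instead, this scans proxy log lines that
record the requesting process and flags fetches of those domains that
did not come from a browser. Log format, process names and sample
lines are all constructed for this example (assumptions, not a real
product's format).
"""
import re
from urllib.parse import urlparse

# Domains the families use as dead drops; blocking them outright is not viable.
DEAD_DROP_DOMAINS = {"youtube.com", "facebook.com"}

# Process images normally expected to talk to those sites (assumption).
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe"}

# Constructed log format: <timestamp> <client-ip> <process> "<user-agent>" <url>
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<process>\S+) "(?P<ua>[^"]*)" (?P<url>\S+)$')

# Constructed sample lines: two legitimate browser visits, two non-browser
# fetches of dead-drop domains, one non-browser fetch of an unrelated site.
SAMPLE_LOGS = [
    '2020-07-14T10:01:02Z 10.0.0.21 chrome.exe "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/83.0" https://www.youtube.com/watch?v=example',
    '2020-07-14T10:01:09Z 10.0.0.21 wscript.exe "Mozilla/4.0 (compatible; MSIE 7.0)" https://www.youtube.com/channel/UCexample/about',
    '2020-07-14T10:02:30Z 10.0.0.35 firefox.exe "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0" https://www.facebook.com/examplepage',
    '2020-07-14T10:03:11Z 10.0.0.35 rundll32.exe "" https://www.facebook.com/otherpage/about',
    '2020-07-14T10:04:45Z 10.0.0.42 powershell.exe "" https://www.google.com/',
]


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlparse(rec["url"]).hostname or "").lower()
    return rec


def is_dead_drop_host(host):
    """True for a dead-drop domain or any subdomain of one (not look-alikes)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DEAD_DROP_DOMAINS)


def suspicious_lookups(lines):
    """Return flagged requests: dead-drop domain fetched without browser context."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_dead_drop_host(rec["host"]):
            continue
        reasons = []
        if rec["process"].lower() not in BROWSER_PROCESSES:
            reasons.append("non-browser process")
        if not rec["ua"]:
            reasons.append("empty user agent")
        if reasons:
            hits.append({"process": rec["process"], "url": rec["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_lookups(SAMPLE_LOGS):
        print(f'{hit["process"]:<16} {hit["url"]}  ({", ".join(hit["reasons"])})')
```

On the constructed sample this flags the wscript.exe and rundll32.exe fetches and leaves the two real browser visits alone; the powershell.exe line is ignored because google.com is not in the dead-drop set, which is the trade-off of a domain-scoped rule. The process and user-agent checks are deliberately independent so that a malware sample spoofing a browser user agent is still caught by process context, and one running inside a browser process would need a different signal (for example, correlating with the browser's own activity or process ancestry), which this example does not attempt.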
“Brazilian criminals, like the ones behind these four banking families, are actively recruiting affiliates in other countries to successfully export their malware worldwide,” said Dmitry Bestuzhev, head of GReAT, Latin America. “What’s more, they are continuously innovating, adding new tricks and techniques to hide their malicious activity and make their attacks more lucrative. We expect these four families to begin attacking more banks in additional countries, and new families to pop up. That’s why it’s so important for financial institutions to monitor these threats closely and take steps to boost their anti-fraud capabilities.”
Learn more about these sophisticated banking families on Securelist.