Cybercrime is undoubtedly one of Brazil’s greatest challenges. Unlike other parts of the world, Brazil is targeted mostly by local criminals.

Malware facilitates the most prolific type of cybercrime attacks in Brazil. Because Brazilian malware tends to be less sophisticated than malware made in Eastern Europe, cybercriminals in Brazil compensate with attack volume. This trend is beginning to change, however, as criminals are increasingly collaborating with Russian-speaking actors to buy and offer malware in the Brazilian cybercrime market.

Why do Brazilian cybercriminals rarely use advanced malware such as Zeus, Neverquest or Tinba? The answer is simple: No need to shoot a fly with a cannonball. If it works, that’s a good enough reason for cybercriminals to keep using it.

The Top Trends Among Brazilian Malware

Below is a list of the top malware threats employed in Brazil against banking and payment users.

1. Another Day, Another Trojan

One of the most common traits of Brazilian malware is Delphi-based code. Its simplicity is likely what made it popular among small-time criminals who make or buy Delphi-based malcode: they can easily read, understand and customize it.

Unlike modern-day banking Trojans such as Dridex or GozNym, which ship with a builder that generates a new executable for each campaign, Brazilian malware authors sell customizable source code. According to IBM X-Force research, this means that every buyer modifies the code as they see fit, which effectively creates new malware without creating a new malware family.

For this reason, we see very few distinctive malware families in Brazil, which poses security challenges unlike those in regions such as North America or Europe. It also means we do not see as many variants of Dridex, Neverquest, Tinba or GozNym in Brazil as we do in other parts of South America.

Read the X-Force special report: 2016 Rio Olympics Threat Landscape

2. Image-Based Phishing

Brazilian cybercriminals have long used phishing scams that send users to fake bank pages to steal their online banking credentials. In many modern phishing kits, the code that generates the fake page pulls much of its HTML content from the genuine bank's website. Those requests can be detected by security solutions, and they often help researchers find phishing sites by tracing back the web resource that copies code from the bank's site.

Brazilian criminals did not have to do much to counter this detection. They created a simple image file with a couple of editable fields and found a way to overlay it on the victim's browser window. The image is a screen capture of the bank's website, so no page code is needed. It is as simple as it is trendy: it lacks sophistication, but it is inexpensive and hard to detect.

3. The RAT and the Remote Overlay

While the very simplistic overlay Trojan described above continues to work well, IBM X-Force researchers began seeing an escalation of the overlay method in 2014. In the newer attack, cybercriminals introduced a man-in-the-middle (MitM) element in the form of a malicious remote access tool (RAT). Because the RAT gives the attacker full control of the victim's endpoint, fraudsters can steal credentials and then attempt a transaction in real time from the victim's own device, which raises less suspicion on the bank's end than a login from an unknown machine.

This manual scam is generally known as a Remoto. It relies on a persistent overlay screen that blocks the user from seeing or accessing the actual browser. While the user is stuck behind the overlay, the criminal performs a fraudulent transaction in the live session and uses the overlay to ask the victim for two-factor authentication codes in real time. The victim is thus socially engineered into helping the attacker without ever knowing that a third party has come between them and the genuine banking session.

4. The Fake Browser

Another popular trend in the Brazilian malware arena is the fake browser. The technique is conceptually simple: when victims go to their online banking website, the original browser suddenly crashes and automatically reopens. The second browser is a malicious program built by the criminals to look exactly like the original, and in most cases it adapts to whichever browser the victim uses.

Because the relaunch appears seamless, unsuspecting victims tend to continue where they left off, entering their credentials into the fake browser window and unknowingly sending them to the criminal's drop zone. Once received, the credentials are used to authenticate an online banking session and perform a fraudulent transfer from an endpoint the criminal controls. This is a classic example of account takeover fraud.

5. Malicious Boleto Browser Extensions

The fifth trend on the Brazilian roster does not target online banking per se, but it is specific to a popular payment method in Brazil known as Boleto (Boleto Bancário). Boletos are the equivalent of money orders and are used extensively for any type of payment, especially by people who do not own a credit card.

Criminals manipulate Boleto payments and alter their routing information in a way that sends the money to an attacker instead of the intended payee. To seamlessly alter the payment information on Boletos, cybercriminals use malicious extensions that infect the internet browser and tamper with Boleto details on the fly.

In a sense, this is reminiscent of the malicious browser helper objects (BHO malware) leveraged by Trojans like Zeus about a decade ago, with which banking Trojans altered the account number and amount on outgoing online transfers and bill payments from compromised users.

The malicious extensions are a simple way to modify the details of online Boleto Bancário payments. They target the editable lines of the Boleto, which identify the payee's account and the payment amount, and change them before the user submits the payment, so the user unknowingly sends money to the attacker.

As an added measure, criminals often sabotage the Boleto's original barcode so that electronic scanners cannot read it. When the Boleto is presented for payment at the bank, the clerk is forced to type the numeric line in manually, at which point he or she inadvertently sends the money to the criminal's account. Two very popular names for these malicious extensions are HyperK and Eupuds.
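As an added example (not code from the original article or from the extensions it names), the following JavaScript builds and checks the 47-digit typeable line ("linha digitável") of a Boleto in the standard FEBRABAN layout, then shows what a tampering extension does to it. The bank code, free field and amounts are constructed for illustration, and the 25-digit free field is treated as an opaque block because its internal layout is bank-specific.

```javascript
// Added example, not code from the original article: how the 47-digit
// "linha digitável" of a boleto is built and checked, and why its check
// digits do not defend against an extension that rewrites the payee or the
// amount. Layout follows the standard FEBRABAN 47-digit typeable line; all
// field values below are constructed for illustration.

// Mod-10 check digit used on the three typeable fields: weights 2,1,2,1...
// from right to left; products above 9 have their digits summed.
function mod10(digits) {
  let sum = 0;
  let weight = 2;
  for (let i = digits.length - 1; i >= 0; i--) {
    let p = Number(digits[i]) * weight;
    if (p > 9) p -= 9;
    sum += p;
    weight = weight === 2 ? 1 : 2;
  }
  return (10 - (sum % 10)) % 10;
}

// Mod-11 general check digit of the 44-digit barcode: weights 2..9 cycling
// from right to left; results of 0, 10 or 11 are replaced by 1.
function mod11(digits) {
  let sum = 0;
  let weight = 2;
  for (let i = digits.length - 1; i >= 0; i--) {
    sum += Number(digits[i]) * weight;
    weight = weight === 9 ? 2 : weight + 1;
  }
  const dv = 11 - (sum % 11);
  return dv === 0 || dv === 10 || dv === 11 ? 1 : dv;
}

// Assemble the typeable line from raw fields. freeField is the 25-digit,
// bank-specific block that identifies the beneficiary and the document;
// it is the part an attacker points at their own account.
function buildLinha({ bank, currency, dueFactor, amountCents, freeField }) {
  if (!/^\d{3}$/.test(bank) || !/^\d$/.test(currency) || !/^\d{25}$/.test(freeField)) {
    throw new Error("bad boleto fields");
  }
  const factor = String(dueFactor).padStart(4, "0");
  const amount = String(amountCents).padStart(10, "0");
  const generalDv = mod11(bank + currency + factor + amount + freeField);
  const f1 = bank + currency + freeField.slice(0, 5);
  const f2 = freeField.slice(5, 15);
  const f3 = freeField.slice(15, 25);
  return f1 + mod10(f1) + f2 + mod10(f2) + f3 + mod10(f3) + generalDv + factor + amount;
}

// Split a typeable line back into its fields and verify every check digit.
function parseLinha(linha) {
  const d = linha.replace(/\D/g, "");
  if (d.length !== 47) return null;
  const f1 = d.slice(0, 9), f2 = d.slice(10, 20), f3 = d.slice(21, 31);
  const factor = d.slice(33, 37), amount = d.slice(37, 47);
  const bank = f1.slice(0, 3), currency = f1[3];
  const freeField = f1.slice(4) + f2 + f3;
  const fieldDvOk = mod10(f1) === Number(d[9]) && mod10(f2) === Number(d[20]) && mod10(f3) === Number(d[31]);
  const generalDvOk = mod11(bank + currency + factor + amount + freeField) === Number(d[32]);
  return { bank, currency, dueFactor: Number(factor), amountCents: Number(amount), freeField,
           valid: fieldDvOk && generalDvOk };
}

// What a Boleto-tampering extension does before the user pays: replace the
// payee (free field) and/or the amount, then recompute every check digit so
// the result still validates at the cashier or in the banking app.
function tamper(linha, overrides) {
  return buildLinha({ ...parseLinha(linha), ...overrides });
}

// Fields whose values differ between two typeable lines.
function diffLinhas(a, b) {
  const pa = parseLinha(a), pb = parseLinha(b);
  return ["bank", "currency", "dueFactor", "amountCents", "freeField"].filter((k) => pa[k] !== pb[k]);
}

// Constructed sample: a R$150.00 boleto with a fictitious bank code and free field.
const LEGIT = buildLinha({ bank: "000", currency: "9", dueFactor: 9000, amountCents: 15000,
                           freeField: "0".repeat(24) + "1" });
// The attacker's version: same bank and due date, payee swapped and amount raised.
const TAMPERED = tamper(LEGIT, { freeField: "0".repeat(24) + "2", amountCents: 95000 });
// A clumsy in-place digit swap that forgets to recompute the check digits.
const NAIVE = LEGIT.slice(0, 21) + "0".repeat(9) + "2" + LEGIT.slice(31);

console.log("legit    ", LEGIT, parseLinha(LEGIT).valid);
console.log("tampered ", TAMPERED, parseLinha(TAMPERED).valid, diffLinhas(LEGIT, TAMPERED));
console.log("naive    ", NAIVE, parseLinha(NAIVE).valid);
```

The point is that the check digits exist to catch typing errors, not fraud: an extension that rewrites the payee and recomputes them produces a line that validates exactly as cleanly as the original, and only the clumsy in-place edit fails. Catching the swap therefore requires comparing the beneficiary the bank shows at payment time against what the issuer actually sent, not a local arithmetic check.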

6. The Evergreen Malicious Proxy Changer

According to IBM X-Force researchers, proxy changer malware has been the most popular attack vector in Brazil for at least the past six years.

Don’t expect anything sophisticated here; it’s a twist on a timeworn threat. Instead of altering the hosts file, as older malware did, proxy changer malware tampers with the victim’s proxy auto-config (PAC) file. A PAC file is a small script the browser consults to decide which proxy server, if any, should fetch a requested URL.

Malicious PAC files gained notoriety in Brazil in 2009, when several proxy changer malware families were detected editing the URLs inside PAC files on infected machines. Malware can tamper with a PAC in several ways: edit the existing file, point the browser at an entirely new PAC, or delete the legitimate one and replace it with a malicious version.

Cybercriminals in Brazil continue to exploit proxy manipulation to send victims to phishing pages when they attempt to navigate to their bank or credit card provider’s website.

7. Abusing Legitimate Tools

Brazilian cybercriminals use legitimate tools and built-in Windows utilities to stop or remove security software on infected endpoints so that it does not interfere with their malware.

For example, Process Hacker is a free tool designed to monitor system resources. Cybercriminals abuse it to terminate the processes of security products running on the victim’s endpoint.

Brazilian cybercriminals also use Gmer, a popular rootkit detector and remover, which can delete otherwise protected files, such as those belonging to security software, from deep within the operating system.

In some cases, cybercriminals achieve the same result simply by displaying pop-up boxes that prompt users to turn off their own security software. This kind of social engineering allows even unsophisticated criminals to get away with fraud.

Continued Success for Simplistic Cybercrime

Simplistic cybercrime has gained momentum in Brazil due to a variety of factors:

  • Brazil’s large population includes many internet users with relatively low security awareness, along with a large number of enterprising cybercriminals.
  • As internet connectivity and services reach more parts of the country, many Brazilians are accessing online services for the first time. Security is often an afterthought for new internet users, and training is seldom available, which increases their chances of becoming victims of cybercrime. The risk rises as users in Brazil increasingly access their online banking accounts through mobile devices, which are often even less protected.
  • Due to their low level of security awareness, many Brazilian consumers may be reluctant to pay for security software, potentially increasing their risk of malware infection.
  • The security landscape in Brazil continues to be less stringent than it is in other parts of the world, even on the enterprise level.

Can Brazilian Malware Be Countered?

Cybersecurity in Brazil can certainly improve through user education and broader awareness of online threats. Brazilians can counter cybercrime by deploying appropriate security tools on endpoints, protecting online accounts with controls suited to the threats described above, and securing the mobile devices they bank from.

To learn more about the threat landscape in Brazil, read the full report from IBM X-Force.
