CHAVECLOAK: signing the contract may result in a loss of money for Brazilians

Teacher

A new banking Trojan has joined the ranks of malware that terrorizes users in South America.

FortiGuard Labs discovered a new threat to the financial sector in South America. A new malware called CHAVECLOAK aims to steal bank credentials from Brazilian residents.

The Trojan is distributed via an infected PDF file disguised as a contract. The victim is asked to open the file to read and sign documents, but this actually leads to downloading malware. When you open a PDF file, a ZIP archive is downloaded. Next, an MSI file is extracted that contains many text files for different languages, a legitimate executable file, and a malicious DLL library that is loaded using the DLL Sideloading method.


The CHAVECLOAK infection chain

The CHAVECLOAK Trojan, disguised as "Lightshot.dll", starts its work by collecting information about the system, sets itself to autoload, and sends requests to the Command and Control (C2) server. If the victim is located in Brazil, the program activates monitoring of the active window and starts collecting usernames and passwords when the window of a banking system or cryptocurrency platform is detected. In particular, the Trojan tries to identify connections to Mercado Bitcoin — a large crypto exchange with traditional banking functions.

CHAVECLOAK also includes the ability to lock the victim's screen, register keystrokes (keylogging), and display fake pop-ups. The stolen data is transmitted to the C2 server, where attackers can use it for further attacks.

An older version of CHAVECLOAK was also recorded, which differs in its method of distribution and in its actions after infection. The "legacy" version contains a Delphi executable that implements the final payload, and uses PowerShell commands to bypass Windows Defender protection.

The appearance of the CHAVECLOAK Trojan underscores the growing threat level in the financial sector, especially among users in Brazil. Trojans like CHAVECLOAK require constant attention and proactive security measures to protect against evolving threats in the South American financial sector.

In addition to CHAVECLOAK, other cybercrime campaigns have been recorded in Brazil before. For example, in early February, Kaspersky Lab specialists discovered the Coyote Banking Trojan, targeting users of more than 60 banking institutions, mainly from Brazil. A distinctive feature of this malware is a complex infection chain that uses various advanced technologies, making Coyote stand out among other banking Trojans.

In addition, in January the Grandoreiro botnet was stopped; its victims had lost $3.9 million. Most of the victims used Windows, and the largest number of attacks occurred in Brazil, Mexico and Spain.