This malware is stealing money from banks in Mexico and Brazil – Digitalmunition

News This malware is stealing money from banks in Mexico and Brazil

Published on August 2nd, 2019 📆 | 2673 Views ⚑


This malware is stealing money from banks in Mexico and Brazil

A new variant of malware called Amavaldo was recently detected, targeting bank users especially in Mexico and Brazil. A comprehensive analysis by ethical hacking experts from security firm ESET identified more than 10 new malware families, detecting attacks in other Latin American countries.

According to specialists, these Trojans have
fully identifiable features; for example, they are written in Delphi, include
backdoor functions and use abuse of legitimate files and programs to complete
the infection process, plus they use some algorithms never seen or seen

To get started, hackers use a Windows
executable that presents the victim as a legitimate company software installer;
actually, this tool is used to download Amavaldo malware.
According to ethical hacking experts, campaign operators also resort to the use
of social engineering tactics for the victim to hand over credit card data.

Subsequently, the Trojan monitors the active
windows on the victim’s computer for activity related to banking institutions.
If your search succeeds, the malware deploys a fake pop-up that copies the
contents of the legitimate banking site, which can lead to theft of sensitive

In their research, ESET experts mention that
Amavaldo is a modular malware made up of three distinct components:

Source: ESET
  • A
    copy of a legitimate app
  • An
  • An
    encrypted banking Trojan

When the victim interacts with the malicious
program, all the contents of the ZIP file are saved on the compromised system’s
hard drive. Then:

  • The
    injector is executed via DLL Side-Loading
  • The
    injector injects itself into wmplayer.exe or iexplore.exe
  • The
    injector searches for the encrypted banking Trojan (a file without extension
    whose name matches that of the DLL injector)
  • If
    such a file is found, the injector decrypts and executes the banking Trojan

In addition to being identified as a modular
malware, another important feature of Amavaldo is the use of a custom
encryption scheme. Developers populated the malware code with junk strings that
do not have a function. Ethical hacking specialists created a simplified fake
code to find the algorithm logic. This routine is used by malware and the
download program, which represents unusual behavior.

Source: ESET

Once the infection process is complete,
Amavaldo proceeds to collect some details about the compromised system,

  • Computer
    identification data and operating system version
  • Verification
    for bank protection software
  • Location
    of certain files

In addition, the backdoor features in Amavaldo
allow hackers to perform some malicious tasks like:

  • Taking
  • Intercepting
    photos taken with the webcam
  • Download
    and run other programs
  • Malware

Ethical hacking experts claim that, until a
couple of months ago, the malware had only been detected in Brazil, until
reports of its appearance in Mexico began in May this year.

According to specialists from the International Institute of Cyber Security (IICS) Amavaldo is just one of many newly developed malware families with the ability to extract sensitive information, especially bank details. Users need to remain alert to any phishing attempts, which is regularly the first approach that hackers set to obtain the resources needed to compromise a target system.

(Visited 4 1 times)

Source link

Tagged with:

Leave a Reply ✍