Researchers detail Tetrade family of Brazilian banking trojans

Researchers predict banking trojans will continue to evolve and take on new targets


Cybersecurity researchers from Kaspersky detailed four Brazilian banking trojans targeting financial institutions in Brazil, Latin America and Europe. Dubbed the Tetrade by researchers, the malware family includes Guildma, Javali, Melcoz and Grandoreiro banking trojans. 

Per the report, Guildma has added a host of new features to its campaigns since its inception in 2015. By using phishing emails with compressed email attachments, Guildma can hide malicious payloads and HTML files designed to execute JavaScript code. 

Once executed, Guildma downloads the HTML file and uses a legitimate command-line tool such as BITSAdmin to retrieve modules. Guildma also uses NTFS alternate data streams to conceal downloaded payloads and DLL search order hijacking to launch the malware. 
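Because the report singles out NTFS alternate data streams as the hiding place for downloaded modules, a defender's first check on a suspect host is to enumerate non-default streams. The PowerShell below is an added example, not code from the article or the Kaspersky report; it assumes a starting directory (`$Root`, defaulting to the user profile) and skips the benign `Zone.Identifier` mark-of-the-web stream that browsers write to downloaded files.

```powershell
# Added example (not from the article or the Kaspersky report): enumerate NTFS
# alternate data streams beneath $Root, ignoring the primary :$DATA stream and the
# common, benign Zone.Identifier stream. Any other named stream on a file in a
# user-writable path is worth a closer look, especially on DLLs and executables.
param(
    [string]$Root = "$env:USERPROFILE"   # assumed starting point; adjust for triage
)

$findings = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -Stream * lists every stream on the file, including the primary :$DATA one
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }

# Emit one record per non-default stream: host path, stream name and stream size
foreach ($f in $findings) {
    [PSCustomObject]@{
        File   = $f.FileName
        Stream = $f.Stream
        Bytes  = $f.Length
    }
}
```

Empty output means no unexpected streams were found under `$Root`; a hit can be read back with `Get-Content -LiteralPath <file> -Stream <name> -AsByteStream` for hashing and further analysis.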

Once installed, the final payload monitors for specific bank websites. When the victim opens a specific bank website, threat actors can then execute financial transactions using the victim's computer. Though Guildma has targeted banking users in Brazil in the past, the campaign has since broadened its reach by attacking banking users in Latin America.

Much like Guildma, Javali uses a multi-stage malware deployment process to dupe its victims. Its phishing emails carry a Microsoft installer file along with an embedded Visual Basic script that downloads the final malicious payload from a remote C2. Javali hides its malicious activity by using DLL sideloading and obfuscation techniques.

Melcoz, another trojan within the Tetrade family, has been linked to a string of attacks in Chile and Mexico since 2018. A variant of the open-source Remote Access PC RAT, Melcoz uses VBS scripts in installer package files to download the malware and can steal passwords from a user’s memory and browser. It can also steal a user’s Bitcoin wallet and replace the user’s wallet information with the hacker’s banking information.

Kaspersky researchers also identified Grandoreiro campaigns targeting Brazil, Mexico, Portugal and Spain since 2016. Hosted on Google Sites pages, Grandoreiro is delivered via compromised websites, Google ads or by using spear-phishing methods. Grandoreiro also uses a domain generation algorithm to hide the C2 address used during the attack.

“Just like Melcoz and Javali, Grandoreiro started to expand its attacks in Latin America and later in Europe with great success, focusing its efforts on evading detection by using modular installers,” said researchers. 

“Among the four families we described, Grandoreiro is the most widespread globally. The malware enables attackers to perform fraudulent banking transactions by using the victims’ computers for bypassing security measures used by banking institutions,” they continued.

Guildma, Javali, Melcoz and Grandoreiro are all examples of Brazilian banking operations targeting users in multiple countries. Unfortunately, researchers predict these threats will continue to evolve and take on new targets in additional countries.
