Friday, January 15, 22:49

Tetrade banking trojans target banking customers worldwide!

Kaspersky researchers have analysed four families of Brazilian banking trojans, collectively named Tetrade, that have targeted banks in Brazil, Latin America and Europe. The four families, Guildma, Javali, Melcoz and Grandoreiro, are attributed to Brazilian cybercriminal groups that are steadily building up their capabilities and aiming them at banking customers. Brazilian cybercrime is focused mainly on the development and commercialisation of banking trojans.


The first of the Tetrade families, Guildma, has been among the leading threats since at least 2015, when it was first observed in attacks aimed exclusively at Brazilian banking customers. The code is updated constantly and keeps gaining new capabilities, while the team behind it extends its list of targets over time. Its operators have also shown that they know how to use legitimate system tools so that the threat is not easily detected.


Kaspersky's researchers found that Guildma is distributed mainly through phishing e-mails carrying a malicious file inside a compressed archive; the file types range from Visual Basic Script (.VBS) to Windows shortcuts (.LNK). Most of the phishing e-mails pose as business requests or courier delivery notices, and many use the COVID-19 pandemic as their subject. The messages always appear to come from legitimate companies and organisations.



Javali has been active since November 2017, targeting mainly customers of banks in Brazil and Mexico. Both Guildma and Javali run multi-stage attacks and spread via phishing e-mail, using compressed attachments (e.g. .VBS or .LNK) or an HTML file that runs JavaScript to download the malicious file. The researchers also noticed that the malware uses the BITSAdmin tool to download additional modules; because bitsadmin.exe ships with Windows, a download through it blends in with legitimate activity (a living-off-the-land binary, or LoLBin). The malware also hides downloaded payloads in NTFS alternate data streams and uses DLL search order hijacking to get its binaries executed by a trusted program.


According to the researchers, the payloads are stored encrypted on the file system and are decrypted in memory only when executed. The final payload monitors the user's activity, such as the websites opened and the applications run, and checks them against a list of targeted banking sites. When the victim opens one of those sites, the fraud module is executed and the attackers gain control of any financial transaction that user carries out.


Melcoz is based on an open-source RAT and has been developed by a group operating in Brazil since at least 2018; it has since expanded to other countries, including Chile and Mexico. Melcoz can steal passwords stored in browsers and information from Bitcoin wallets, and it monitors the clipboard for wallet addresses, replacing a copied address with one under the attackers' control. The attack begins with a phishing e-mail containing a link to a downloadable MSI installer. A VBS script inside the installer package (.MSI) downloads the malware, which then abuses the AutoIt interpreter and the VMware NAT service to load its malicious DLL on the target system.
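The clipboard substitution described above is hard to spot by eye because the replacement is a syntactically valid address. The script below, added as an example and not code from Kaspersky or from Melcoz, shows the check a defender can run on a clipboard event stream: validate both strings as Base58Check Bitcoin addresses (P2PKH or P2SH) and alert when one valid address is replaced by a different valid address within a window no human could type in. The event history and the 500 ms window are constructed; the addresses are well-known public example addresses.

```python
"""The clipboard 'clipper' behaviour described above, seen from the defender's
side: a copied Bitcoin address is replaced, a few milliseconds later, by a
different but equally valid address. The clipboard event stream below is
constructed for this example; the addresses are well-known public examples."""
import hashlib
from typing import List, Optional, Tuple

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text: str) -> Optional[bytes]:
    """Decode a Base58 string; leading '1's map to leading zero bytes."""
    value = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return None
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def is_legacy_btc_address(text: str) -> bool:
    """Base58Check validation of a P2PKH (version 0x00) or P2SH (0x05) address:
    version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    if not 26 <= len(text) <= 35:
        return False
    raw = b58decode(text)
    if raw is None or len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def detect_clip_swaps(events: List[Tuple[float, str]],
                      window_ms: float = 500.0) -> List[Tuple[str, str]]:
    """events: (timestamp_ms, clipboard_text) in chronological order.
    A valid address replaced by a different valid address within window_ms
    is a swap no human typed; return the (original, replacement) pairs."""
    swaps = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        if (prev != cur and t_cur - t_prev <= window_ms
                and is_legacy_btc_address(prev) and is_legacy_btc_address(cur)):
            swaps.append((prev, cur))
    return swaps


# Constructed clipboard history (timestamps in ms), not captured data.
SAMPLE_CLIPBOARD: List[Tuple[float, str]] = [
    (1000.0, "invoice 4711"),
    (2000.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),  # user copies the payee
    (2035.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),  # silently replaced 35 ms later
    (9000.0, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),  # unrelated copy, much later
]

if __name__ == "__main__":
    for original, replacement in detect_clip_swaps(SAMPLE_CLIPBOARD):
        print(f"clipper suspected: {original} -> {replacement}")
```

Only legacy Base58Check addresses are validated here; Bech32 (`bc1...`) addresses need a separate checksum routine, and a real monitor would also cover the other coins a clipper typically targets. The timing rule is what carries the signal: a user re-copying a different address seconds later is normal, a swap tens of milliseconds after the copy is not.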


The code monitors browser activity, looking for online banking sessions. Once one is detected, the malware lets the attacker display an overlay window in front of the victim's browser and manipulate the session. In this way the fraudulent transaction is carried out from the victim's own device, which makes it harder for anti-fraud solutions to detect. The malicious code can also steal information related to the banking transaction, including one-time passwords.


The last of the Tetrade families, Grandoreiro, has been active since 2016 in campaigns against banks in Brazil, Mexico, Portugal and Spain. The malware is hosted on Google Sites pages and spread through compromised websites and Google Ads, and the attackers also distribute it via phishing e-mail, as they do with the other three families. The researchers noticed that it uses a domain generation algorithm (DGA) to hide the C2 address used during the attack.
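A DGA lets the malware and its operator agree on a fresh set of C2 domains every day without hard-coding any of them, so a blocked or seized domain costs the attacker nothing. The defender's answer is to recover the algorithm from a sample, run it forward and match the resulting domains against DNS logs before the malware resolves them. The script below, added here as an illustration, implements a hypothetical date-seeded DGA and that precomputation; the algorithm, the seed, the TLD list and the DNS log format are all assumptions and are not Grandoreiro's actual DGA.

```python
"""A date-seeded domain generation algorithm (DGA) of the kind described above,
together with the defensive counterpart: once the algorithm is recovered from a
sample, the defender precomputes the domains for the coming days and matches
DNS logs against them. The algorithm, seed and log format here are hypothetical
illustrations, not Grandoreiro's actual DGA."""
import datetime
import hashlib
from typing import Iterable, List, Set

TLDS = ("com", "net", "org")  # assumed
LABEL_LEN = 12                 # assumed


def dga(day: datetime.date, seed: str, count: int = 5) -> List[str]:
    """Derive `count` candidate C2 domains for one calendar day from a shared
    secret seed, so malware and operator agree without any fixed C2 address."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute_blocklist(seed: str, start: datetime.date, days: int) -> Set[str]:
    """Defender side: generate every domain the DGA can produce in a window."""
    blocklist: Set[str] = set()
    for offset in range(days):
        blocklist.update(dga(start + datetime.timedelta(days=offset), seed))
    return blocklist


def match_dns_log(lines: Iterable[str], blocklist: Set[str]) -> List[str]:
    """Constructed log format: '<timestamp> <client> query <qname>'."""
    hits = []
    for line in lines:
        qname = line.split()[-1].rstrip(".").lower()
        if qname in blocklist:
            hits.append(qname)
    return hits


SEED = "example-seed"                      # assumed, recovered from a sample
START = datetime.date(2020, 7, 14)         # assumed
DAY2 = START + datetime.timedelta(days=1)
BLOCKLIST = precompute_blocklist(SEED, START, days=3)

# Constructed DNS log: one benign query and one query to a day-2 DGA domain.
SAMPLE_DNS_LOG = [
    "2020-07-15T10:00:01 10.0.0.5 query www.example.com.",
    f"2020-07-15T10:00:02 10.0.0.5 query {dga(DAY2, SEED)[1]}.",
]

if __name__ == "__main__":
    print(match_dns_log(SAMPLE_DNS_LOG, BLOCKLIST))
```

Precomputing a few days ahead is what makes this useful: the blocklist is in place before the malware's clock reaches that date. Two caveats apply to real DGAs: the seed is often derived from something the analyst must also recover (a hard-coded string, the current date in the malware's own time zone, or a value fetched from a remote resource), and a real family usually generates far more candidates per day than the five shown here.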


Brazilian fraudsters are expanding their network of associates so they can attack banks in other countries, adopting a malware-as-a-service (MaaS) model and quickly adding new techniques to their malware. The Tetrade banking trojans stay ahead by using DGAs, encrypted payloads, DLL hijacking, numerous LoLBins, fileless infection and other tricks to evade detection and analysis by banks. These threats are expected to keep evolving and to target banks in even more countries.

Pohackontas, https://www.secnews.gr