HomesecurityTedrade banking trojans target banking customers worldwide!

Tedrade banking trojans target banking customers worldwide!

Kaspersky researchers analyzed four different families of Brazilian banking trojans, named Tedrade, which have targeted banks in Europe, Brazil and Latin America. Researchers believe that these four families of Tedrade banking trojans have names Guildma, Javali, Melcoz and Grandoreiro, come from a Brazilian banking group that is developing its capabilities, targeting banking customers. Brazilian cybercrime focuses mainly on the development and commercialization of banking trojans.

The first of the Tedrade banking trojans, with the name Guildma, has been at the forefront of threats since at least 2015, having initially been observed in attacks aimed exclusively at Brazilian banking customers. The malicious code is constantly updated, having been reinforced with new ones possibilities, while the team behind this malware is expanding its list of targets over time. In addition, its operators malware have shown that they are well aware of the legal tools they use so that the threat is not easily detectable.

Kaspersky researchers have found that Guildma is widely distributed through downloads e-mail containing a malicious file in compressed format. File types vary from Visual Basic Script to LNK. Most of them Phishing emails are in the form of requests supposedly coming from businesses, packages sent by courier, while these emails often have as their subject the pandemic of COVID-19:. Emails always seem to be sent by companies and organizations.

Tedrade banking trojans

The Boar malware has been active since November 2017, targeting mainly customers of banks located in Brazil and Mexico. Both Guildma and Javali perform multi-stage attacks and propagate via phishing email, using compressed attachments (eg .VBS, .LNK) or an HTML file that runs Javascript to download a malicious file. The researchers also noticed that the malware uses the BITSAdmin tool to download additional modules. Operators use this tool to avoid detection, as this tool is included in the operating system Windows. Also, malware exploits alternative feeds data NTFS to hide the presence of received payloads, while also using DLL Search Order Hijacking to start binary malware programs.

According to the researchers, the payloads are stored encrypted in the file system and are decrypted in memory as they are executed. The final payload installed on the system will monitor users' activities, such as open websites and application execution, and will also check if they are on the target list. When a target is detected, the module is executed, giving them hacker control of banking transactions. Once the final payload is installed on the destination system, it monitors specific banking sites. When the victim opens these sites, the hackers will gain control of any financial transaction carried out by that user.

Concerning the Melcoz, is an open source RAT developed by a team operating in Brazil at least since 2018, and has now expanded to other countries, including Chile and Mexico. Melcoz can steal passwords from browsers and information from the Bitcoin clipboard and wallets, replacing the original wallet information with those under the intruder's control. The attack begins with sending phishing emails containing a link to a downloadable MSI installer. VBS scripts in Setup Package (.MSI) files download the malware software then abuse the AutoIt interpreter and VMware NAT service to load the malicious DLL into the destination system.


The code monitors browser activity, searching for online banking sessions. Once detected, the malware allows the attacker to display an overlay window in front of the victim's browser to manipulate its session. In this way, the "fraudulent" transaction is carried out by the victim's device, making it more difficult to detect anti-fraud solutions. Malicious code could also steal information related to a banking transaction, including a one-time password.

The latest family of Tedrade malware, named Grandoreiro, has been active since 2016, participating in a campaign that spread to banks in Brazil, Mexico, Portugal and Spain. The malware is hosted on pages Google Sites and spread through infringing websites and Google Ads, while attackers distribute it via phishing email, as they do with the other three Tedrade malware families. The researchers noticed that it uses a creation algorithm domain (DGA) to hide the C2 address used during the attack.


Brazilian scammers are expanding their network of associates to expand to other countries' banks, adopting MaaS (malware-as-a-service) and quickly adding new techniques to their malware. Tedrade banking trojans try to take the lead using DGA, encrypted payload, DLL hijacking, many LoLBins, fileless infections and other "tricks" to prevent their detection and analysis by banks. These threats are expected to evolve, targeting banks in even more countries.

Every accomplishment starts with the decision to try.