ATK237

Presumed Origin: Latin America, Brazil

Alias: Grandoreiro Operator, Guildma / Astaroth Operator, Javali Operator, Melcoz Operator, TETRADE

Until 2011, Brazilian cybercrime targeted the country's own citizens before going international. Analysis of the malware behind this threat led researchers to name four malware families TETRADE, on the assumption that they are the product of a Brazilian banking group or operation that is expanding its capabilities by targeting banking users abroad:

GUILDMA (aka Astaroth):

2015: Spread primarily through phishing emails disguised as legitimate business communications or notifications.

It subsequently acquired several new evasion techniques that make it difficult to detect.

2019: the malicious payload is hidden on the victim's system with the help of a special file format.

Its communication with the control server is stored in encrypted form on Facebook and YouTube pages. As a result, the command-and-control traffic is hard to recognise as malicious, and because no antivirus product blocks either of these websites, the controlling server can issue commands without interruption.

GRANDOREIRO

2016: first seen in Brazil, it extended its attacks to Latin America and then to Europe.

Among the Tetrade families, it is the most widespread.

It focuses its efforts on evading detection through the use of modular installers.

The malware allows attackers to carry out fraudulent banking transactions from the victims' own computers, bypassing the security measures used by banking institutions.

JAVALI (aka Ousaban)

2017: uses multistage malware and distributes its initial payload via phishing emails, either as an attachment or as a link to a website. These emails carry an MSI (Microsoft Installer) file with an embedded Visual Basic Script that downloads the final malicious payload from a remote C2; it also uses DLL sideloading and several layers of obfuscation to hide its malicious activity from analysts and security solutions.
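The delivery chain just described (msiexec.exe running the MSI, a script host executing the embedded VBScript, and that script host fetching the next stage) is something a defender can look for in process and network telemetry. The following is an added example, not code from the page or from any vendor; the event records and their field names are constructed to resemble Sysmon-style process-creation and network-connection logs, and the detection covers only the MSI-to-script-host-to-download stage, not the later DLL sideloading.

```python
"""Heuristic detection for the Javali delivery chain described above:
msiexec.exe spawns a VBScript host (wscript/cscript), which then makes an
outbound connection to download the next stage.  Field names are assumed
(constructed, Sysmon-like); 'type' 1 = process create, 3 = network connect."""
from collections import defaultdict

# Constructed sample events: one suspicious chain and one benign installer.
EVENTS = [
    {"type": 1, "pid": 100, "ppid": 50, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /i invoice.msi /qn"},
    {"type": 1, "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\MSI3A2F.tmp\stage1.vbs"'},
    {"type": 3, "pid": 101, "dest": "203.0.113.45", "dport": 443},
    # Benign: msiexec launches the product's own executable, no script host.
    {"type": 1, "pid": 200, "ppid": 50, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /i archiver.msi"},
    {"type": 1, "pid": 201, "ppid": 200, "image": r"C:\Program Files\Archiver\arc.exe",
     "cmdline": "arc.exe"},
    {"type": 3, "pid": 201, "dest": "198.51.100.10", "dport": 443},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    """Last path component, lower-cased, for image-name comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_msi_script_download_chains(events):
    """Return [(msiexec_pid, script_host_pid, dest)] for every chain
    msiexec.exe -> wscript/cscript child -> outbound connection by that child."""
    procs = {e["pid"]: e for e in events if e["type"] == 1}
    conns = defaultdict(list)
    for e in events:
        if e["type"] == 3:
            conns[e["pid"]].append(e)
    hits = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent is None or basename(parent["image"]) != "msiexec.exe":
            continue
        if basename(p["image"]) not in SCRIPT_HOSTS:
            continue
        for c in conns.get(p["pid"], []):
            hits.append((parent["pid"], p["pid"], c["dest"]))
    return hits


if __name__ == "__main__":
    for msi_pid, host_pid, dest in find_msi_script_download_chains(EVENTS):
        print(f"msiexec pid {msi_pid} -> script host pid {host_pid} -> {dest}")
```

A legitimate MSI can embed a VBScript custom action, so treat a hit as a triage signal to be paired with the installer's origin and signature rather than as a verdict on its own.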

MELCOZ

2018: internationalisation of this malware after years of evolution within Brazil.

New professionally executed, scalable and persistent operations followed, producing several versions of the malware along with significant infrastructure improvements that let cybercriminal groups from different countries collaborate.

The attacks appear to focus on Latin American victims, although victims anywhere in the world are possible, since the targeted banks are international.

Each campaign runs under its own unique identifier, which varies according to the malware version and the C2 servers used.

Brazilian cybercrime is prolific: since then, Android malware such as Ghimob, directly linked to GUILDMA, has appeared. The Tetrade families are only a small part of the threat coming from Latin America.

It is impossible to know or identify the groups or individuals behind these malware families. It is commonly accepted that there is a community which, although its members compete, shares a great deal of information and infrastructure.

Target sector

  • Financial Services

Target countries

Attack pattern

  • T1027 - Obfuscated Files or Information
  • T1036 - Masquerading
  • T1055 - Process Injection
  • T1057 - Process Discovery
  • T1071 - Application Layer Protocol
  • T1083 - File and Directory Discovery
  • T1095 - Non-Application Layer Protocol
  • T1102 - Web Service
  • T1105 - Ingress Tool Transfer
  • T1132 - Data Encoding
  • T1204 - User Execution
  • T1218 - Signed Binary Proxy Execution
  • T1497 - Virtualization/Sandbox Evasion
  • T1555 - Credentials from Password Stores
  • T1566 - Phishing
  • T1573 - Encrypted Channel
  • T1574 - Hijack Execution Flow

Motivation

Malware

  • Astaroth
  • Ghimob
  • Grandoreiro
  • Guildma
  • Javali
  • Melcoz

Vulnerabilities