Alias: Grandoreiro Operator, Guildma / Astaroth Operator, Javali Operator, Melcoz Operator, TETRADE
Until around 2011, Brazilian financial cybercrime targeted mainly Brazilian victims before going international. Analysis of the malware behind this threat led researchers to group four malware families under the name TETRADE, assessing them to be the work of a Brazilian banking-fraud operation that is evolving its capabilities to target banking customers abroad:
GUILDMA (aka Astaroth)
Active since 2015. Spread primarily through phishing emails disguised as legitimate business communications or notifications.
Has acquired several new evasion techniques over time, making it harder to detect.
2019: the malicious payload is hidden on the victim's system with the help of a special file format.
Its command-and-control information (the addresses the bot should contact) is stored in encrypted form on Facebook and YouTube pages. The resulting traffic is hard to flag as malicious, and since no antivirus or web filter blocks either of these sites, the controlling server can keep issuing commands to infected hosts without interruption.
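Because the dead-drop channel described above rides on sites that cannot be blocked, the practical check is behavioural rather than a domain blocklist. The script below is an added example, not code from the page or from any Tetrade sample: it runs two hunts over a constructed proxy/EDR log (the log format, workstation names, process names and URLs are all invented for the example), flagging non-browser processes that fetch Facebook or YouTube pages, and processes that re-fetch the same page on a regular timer as a C2 poller would. The dead-drop host list and the browser allowlist are assumptions to be tuned to the environment.

```python
"""Hunting for dead-drop C2 traffic hidden in social-media fetches.

Added example, not code from the page or from any Tetrade sample. The log
format and the sample lines are constructed; the two rules (non-browser
process fetching a dead-drop host, and near-regular re-fetches of one URL)
are generic hunting logic, not a Guildma-specific signature.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Hosts the page names as dead drops (assumption: extend from local proxy categories).
DEAD_DROP_HOSTS = {"www.facebook.com", "facebook.com", "www.youtube.com", "youtube.com"}
# Processes expected to talk to those hosts (assumption: adjust per environment).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Constructed sample telemetry, one event per line: "<ISO8601 time> <host> <process> <url>".
SAMPLE_LOG = """\
2020-07-14T09:00:01Z ws-17 chrome.exe https://www.facebook.com/somebrand/posts/1
2020-07-14T09:00:07Z ws-17 chrome.exe https://www.youtube.com/watch?v=abc
2020-07-14T09:03:12Z ws-31 explorer.exe https://www.facebook.com/pages/xyz/about
2020-07-14T09:05:00Z ws-22 notepad.exe https://www.youtube.com/channel/UCx/about
2020-07-14T09:10:00Z ws-22 notepad.exe https://www.youtube.com/channel/UCx/about
2020-07-14T09:15:01Z ws-22 notepad.exe https://www.youtube.com/channel/UCx/about
2020-07-14T09:19:59Z ws-22 notepad.exe https://www.youtube.com/channel/UCx/about
2020-07-14T09:33:12Z ws-31 explorer.exe https://www.facebook.com/pages/xyz/about
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse the constructed log format into (time, host, process, url) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_nonbrowser_social(events):
    """Rule 1: a process that is not a browser fetching a dead-drop host.

    Returns a sorted list of (host, process, url); repeated hits collapse to one.
    """
    hits = set()
    for _, host, proc, url in events:
        if urlparse(url).netloc.lower() in DEAD_DROP_HOSTS and proc.lower() not in BROWSERS:
            hits.add((host, proc, url))
    return sorted(hits)


def find_beacons(events, min_hits=4, max_jitter=0.1):
    """Rule 2: the same (host, process, url) fetched at near-regular intervals.

    A control-channel poller re-reads the same page on a timer; a person does not.
    max_jitter is the allowed ratio of interval std-dev to mean interval.
    """
    by_key = defaultdict(list)
    for ts, host, proc, url in events:
        if urlparse(url).netloc.lower() in DEAD_DROP_HOSTS:
            by_key[(host, proc, url)].append(ts)
    beacons = []
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons.append({"host": key[0], "process": key[1], "url": key[2],
                            "hits": len(times), "interval_s": round(mean)})
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in find_nonbrowser_social(evs):
        print("non-browser fetch of dead-drop host:", hit)
    for b in find_beacons(evs):
        print("regular re-fetch (possible C2 poll):", b)
```

On the sample data, rule 1 flags ws-22 (notepad.exe reading a YouTube channel page) and ws-31 (explorer.exe reading a Facebook page); rule 2 flags only ws-22, whose four fetches five minutes apart look like a timer, not a user. The thresholds (min_hits, max_jitter) are deliberately conservative to keep the browser noise out; real pollers often add jitter, so a looser max_jitter with a higher min_hits is the usual trade-off.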
GRANDOREIRO
2016: first seen in Brazil, it later extended its attacks to the rest of Latin America and then to Europe.
Of the four TETRADE families, it is the most widespread.
It puts most of its effort into evading detection, using modular installers.
The malware lets the operators carry out fraudulent banking transactions from the victim's own computer, so that the transaction appears to the bank to come from the legitimate customer's machine and bypasses the security controls banks apply to it.
JAVALI (aka Ousaban)
Active since 2017. Uses a multi-stage infection chain and distributes its initial payload via phishing emails, either as an attachment or as a link to a website. These emails carry an MSI (Microsoft Installer) file with an embedded Visual Basic Script (run as an installer custom action) that downloads the final malicious payload from a remote C2 server; it also uses DLL side-loading and several layers of obfuscation to hide its activity from analysts and security products.
MELCOZ
2018: went international after several years of activity in Brazil.
Its operations are professionally run, scalable and persistent, with several versions of the malware and significant infrastructure improvements that let cybercriminal groups from different countries collaborate.
Its attacks mainly target Latin American victims, although victims anywhere in the world are possible since the targeted banks operate internationally.
Each campaign carries its own unique identifier, which varies with the malware version and the C2 servers used.
Brazilian cybercrime is prolific: since then, Android malware such as Ghimob has appeared, directly linked to GUILDMA. The TETRADE families are only a small part of the threat coming from Latin America.
The groups or individuals behind this malware cannot be identified with certainty. It is commonly accepted that there is a community which, although its members compete, shares a great deal of information and infrastructure.
REFERENCES
https://securityaffairs.co/wordpress/106126/malware/tetrade-brazilian-banking-troja.html
https://securityaffairs.co/wordpress/110671/cyber-crime/ghimob-banking-trojan.html
https://securelist.com/brazilian-trojans-beyond-borders/30879/