Skip to content Skip to footer

A recent banking trojan named CHAVECLOAK is focusing on Brazilian users by using phishing methods.

Cybersecurity researchers at FortiGuard Labs have identified a new banking targeting users in Brazil. The , CHAVECLOAK, is being distributed through phishing emails containing attachments. According to Cara Lin, a researcher at FortiGuard Labs, the uses DLL side-loading techniques to execute the final malware. The attack chain starts with DocuSign lures that trick users into opening files containing a button to read and sign documents. However, clicking the button retrieves an installer file from a shortened URL. The installer file contains an executable named “Lightshot.exe” that loads the CHAVECLOAK malware, which steals sensitive information such as system metadata and checks to determine if the compromised machine is located in Brazil.

If the compromised machine is located in Brazil, the malware monitors the foreground window for bank-related strings and establishes a connection with a C2 server to exfiltrate information. The malware also allows the attacker to block the victim's screen, log keystrokes, and display deceptive pop-up . In addition to this, researchers have also discovered a Delphi variant of CHAVECLOAK that highlights the prevalence of Delphi-based malware targeting Latin America.

This discovery comes amid an ongoing mobile banking fraud campaign against the U.K., Spain, and Italy that uses smishing and vishing tactics to deploy an malware called Copybara. The attackers use a centralized web panel called “Mr. Robot” to manage multiple phishing campaigns against financial institutions. The panel also allows for tailored attacks using phishing kits that mimic the targeted entity's user interface and employ anti-detection methods through geofencing.

Users must be cautious when opening emails from unknown senders and avoid clicking on suspicious links or downloading attachments from untrusted sources. Additionally, it is recommended to keep anti-virus software up to date and to regularly scan systems for any signs of malware or suspicious activity.

Leave a comment

Newsletter Signup
Address

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

There is no right and wrong. There's only fun and boring.The Plague

Deitasoft © 2024. All Rights Reserved.