Malvertising Campaign Targets Brazil’s PIX Payment System with GoPIX Malware

Malvertising Campaign Targets Brazil's PIX Payment System with GoPIX Malware

October 25, 2023 at 05:45AM

The PIX instant payment system in Brazil has become a target for threat actors using a new malware called GoPIX. The attacks occur through malicious ads that appear when users search for “WhatsApp web” on search engines. The malware hijacks payment requests and replaces them with attacker-controlled strings. Similar campaigns targeting messaging apps have been observed in Hong Kong. Additionally, a new version of the Brazilian banking trojan Grandoreiro is targeting victims in Mexico and Spain. Information stealers, such as Lumar, are also increasing in the cybercrime economy, providing convenient tools for aspiring threat actors.

Key takeaways from the meeting notes are as follows:

1. Brazil’s PIX instant payment system has become a target for threat actors using a new malware called GoPIX. Kaspersky has been tracking this active campaign since December 2022.

2. The attacks are carried out through malicious ads that appear when users search for “WhatsApp web” on search engines. Users who click on these ads are redirected to a malware landing page.

3. The malicious ads use a cloaking service to filter out sandboxes and bots, targeting genuine victims.

4. The malware can be downloaded from different URLs depending on whether port 27275 is open on the user’s machine. If the port is closed, an NSIS installer package is directly downloaded. This bypasses security software.

5. The main purpose of the installer is to retrieve and launch the GoPIX malware, which functions as a clipboard stealer. It hijacks PIX payment requests and replaces them with attacker-controlled PIX strings.

6. Similar campaigns have been observed targeting users searching for messaging apps like WhatsApp and Telegram on search engines. These campaigns use fraudulent ads and pages to gain access to users’ accounts and personal information.

7. A new version of the Brazilian banking trojan, Grandoreiro, is targeting victims in Mexico and Spain. This indicates a trend of Latin American-focused malware expanding their reach to Europe.

8. Information stealers, such as the newly advertised Lumar malware, are flourishing in the cybercrime economy. These tools make it easier for aspiring threat actors to conduct attacks, even without technical expertise.

9. The emerging malware is often advertised and distributed on the dark web through malware-as-a-service (MaaS) offerings, allowing authors to quickly profit and pose a threat to legitimate organizations.

10. The meeting notes suggest following the company’s Twitter and LinkedIn accounts for more exclusive content.

Full Article