March 11, 2024 at 10:51AM
A new banking trojan called CHAVECLOAK targets users in Brazil via phishing emails with PDF attachments. The attack involves deceptive DocuSign lures leading to an installer file, which installs the CHAVECLOAK malware. This sophisticated malware steals sensitive information, monitors financial portals, and connects to a command-and-control server. Additionally, a mobile banking fraud campaign is ongoing in the U.K., Spain, and Italy using smishing and vishing tactics to deploy the Android malware Copybara. Threat actors centralize phishing campaigns using a web panel named ‘Mr. Robot’ and orchestrate tailored attacks on financial institutions with phishing kits. Additionally, the TeaBot campaign infiltrated the Google Play Store using PDF reader apps.
Key takeaways from the meeting notes:
– A new banking trojan named CHAVECLOAK is targeting users in Brazil. It is propagated through phishing emails containing PDF attachments and uses DLL side-loading techniques.
– The trojan employs contract-themed DocuSign lures to trick users into opening PDF files that contain a button to read and sign documents.
– Clicking the button leads to the retrieval of an installer file from a remote link, which contains the CHAVECLOAK malware named “Lightshot.exe.”
– The malware steals sensitive information, including system metadata, and monitors user access to specific financial portals in Brazil.
– The malware facilitates actions such as logging keystrokes, displaying deceptive pop-up windows, and intercepting SMS messages.
– There is also a Delphi variant of CHAVECLOAK, indicating the prevalence of Delphi-based malware targeting Latin America.
– Additionally, an ongoing mobile banking fraud campaign is targeting the U.K., Spain, and Italy using smishing and vishing tactics to deploy an Android malware called Copybara.
– This campaign involves a C2 framework to orchestrate tailored attacks on financial institutions using phishing kits and anti-detection methods.
– The phishing kit captures retail banking customer credentials and phone numbers, sending the details to a Telegram group.
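As an added example (not code from the page or from any of the reports it summarizes), the script below shows the kind of static triage a mail gateway or incident responder could run on a PDF attachment like the DocuSign-themed lure described above: it extracts /URI link targets and flags those that point at downloadable installers, and it checks for /Launch, JavaScript and automatic on-open actions. Both PDFs are constructed inline, the example.invalid URL is a placeholder, and the regex pass only sees uncompressed objects, so this is a first-pass filter rather than a full PDF parser.

```python
import re

# Constructed minimal lure-style PDF (not a real sample): one link annotation whose
# /URI action points to an external archive download, plus a /Launch action object.
LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 150]
   /A << /S /URI /URI (https://example.invalid/files/installer.zip) >> >> endobj
5 0 obj << /Type /Action /S /Launch /F (cmd.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign PDF: a single page with no annotations or actions.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")   # literal-string URIs; ignores escaped ')'
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")     # launches an external program
JS_RE = re.compile(rb"/JavaScript\b|/JS\b")    # embedded JavaScript
OPENACTION_RE = re.compile(rb"/OpenAction\b")  # runs when the document opens
AA_RE = re.compile(rb"/AA\b")                  # additional-actions dictionary (page events)

SUSPICIOUS_SUFFIXES = (".exe", ".msi", ".zip", ".rar", ".js", ".vbs", ".lnk", ".iso")


def looks_like_download(uri: str) -> bool:
    """Heuristic: URI ends in an executable/archive extension or has a download-style path."""
    lowered = uri.lower()
    return lowered.endswith(SUSPICIOUS_SUFFIXES) or "/download" in lowered


def extract_pdf_indicators(pdf_bytes: bytes) -> dict:
    """Collect static features from an uncompressed PDF.

    Objects inside FlateDecode'd object streams are invisible to this regex pass,
    so a clean result here does not prove the file is harmless.
    """
    uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]
    return {
        "uris": uris,
        "download_links": [u for u in uris if looks_like_download(u)],
        "has_launch_action": LAUNCH_RE.search(pdf_bytes) is not None,
        "has_javascript": JS_RE.search(pdf_bytes) is not None,
        "has_openaction": OPENACTION_RE.search(pdf_bytes) is not None,
        "has_additional_actions": AA_RE.search(pdf_bytes) is not None,
    }


def triage_reasons(pdf_bytes: bytes) -> list:
    """Return human-readable reasons to hold the PDF for review; an empty list means no hit."""
    ind = extract_pdf_indicators(pdf_bytes)
    reasons = []
    if ind["download_links"]:
        reasons.append("link to external download: " + ", ".join(ind["download_links"]))
    if ind["has_launch_action"]:
        reasons.append("/Launch action present")
    if ind["has_javascript"]:
        reasons.append("embedded JavaScript present")
    if ind["has_openaction"] or ind["has_additional_actions"]:
        reasons.append("automatic action on open/page event")
    return reasons


if __name__ == "__main__":
    for name, data in (("lure", LURE_PDF), ("clean", CLEAN_PDF)):
        hits = triage_reasons(data)
        print(f"{name}: {'HOLD' if hits else 'pass'} {hits}")
```

In practice the download-link check is the one that matters for this lure style, since the PDF itself carries no payload: the "read and sign" button is just a link annotation whose target fetches the installer, so the useful controls are blocking or sandboxing the fetched URL and alerting on PDF-originated downloads of archives and executables.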
This information underscores the evolving landscape of cyberthreats targeting the financial sector, with a particular focus on users in Brazil. It also highlights the growing sophistication of on-device fraud schemes, as evidenced by the TeaBot campaign’s infiltration of the Google Play Store.