High-end banking malware hits Brazil

Brazil just can’t catch a break. We’ve already seen flesh-eating bacteria in the water, athletes getting robbed on the streets, and police officers holding up a “welcome to hell” sign at the airport. Plus a wide variety of cybercrime, including phishing attacks and credit card skimming machines.

Now the criminals are getting even more sophisticated. In the past two weeks, IBM’s X-Force security team has spotted the high-end banking trojans Zeus Sphinx and Zeus Panda, according to a new report.

“This is considered sophisticated malware, and this kind of sophistication is not typical for Brazil,” said Limor Kessem, executive security advisor for IBM Security. “This is definitely a step up from what we usually see in Brazil.”

Brazilian malware is typically scripts or browser extensions, not a complex modular software product like Zeus, she said.

The way that it works is that both strains of malware target Brazilian computer users, then wait for the users to access their online banking or payments accounts. They then intercept the communications, modify the websites, steal credentials, and redirect the payments.

It is likely that the attackers are based in Brazil or have local partners, she said.

The malware communicates back to central command-and-control servers to download customized configuration files, she explained. In these two cases, the files have been customized to attack three major Brazilian banks and a Brazilian payment system, as well as one bank in Colombia.

Adding a new banking target requires the the attackers create a social engineering injection that precisely mimics a bank’s look and feel and requires an understanding of the bank’s authentication methods.

“They are able to manipulate what the persons sees when they visit the page,” Kessem said. “For example, in addition to a login and password, they might also ask for a Social Security number and their mother’s maiden name.”

This is where local knowledge comes in handy.

“In the past, a lot of times, cybercriminals going after countries where they don’t speak the language would have a lot of spelling mistakes, and that would be a sign that something isn’t right,” she said. “Now that they collaborate with people who are local, they have more of an ability to say the right things in the right way, and have more knowledge of how that bank works and have a better chance of defrauding accounts.”

As a result, adding a new target becomes fairly easy, she said. All the criminals have to do is modify the configuration file. “It’s fairly easy to do and criminals can do that at any time.”

The core source is the same for both Panda and Sphinx, and both are based on the Zeus source code that was leaked in 2011 and has become a popular base for commercial malware sold on underground boards, she said.

Zeus Panda is extremely localized, she said. In addition to local banks, it targets a supermarket that delivers food, a police agency, and a Bitcoin exchange.

The Bitcoin exchange is probably being used to help the criminals launder their ill-gotten gains, Kessem suggested.

Zeus Sphinx targets Brazilian banks as well, but also goes after the popular Boleto Bancário payment platform, which allows users to go online and send money orders.

Sphinx first emerged a year ago, first attacking banks in Australia and the U.K.

Kessem did not have any data about how much financial damage these attackers are causing Brazil. In 2014, however, RSA issued a report that a Boleto malware fraud ring had compromised nearly $4 billion worth of transactions over the previous two years.

IBM currently monitors 270 million endpoints worldwide, Kessem said. After spotting the malware, the company notified the targeted institutions and local law enforcement authorities.

She declined to name the specific institutions targeted by the malware.