Malware News Free real estate: GoPix, the Win64 banking Trojan living off your memory

Khushal

Apr 4, 2024
GoPix is an advanced persistent threat targeting Brazilian financial institutions’ customers and cryptocurrency users. It represents an evolved threat targeting internet banking users through memory-only implants and obfuscated PowerShell scripts. It evolved from the RAT and Automated Transfer System (ATS) threats that were used in other malware campaigns into a unique threat never seen before. Operating as a LOLBin (Living-off-the-Land Binary), GoPix exemplifies a sophisticated approach that integrates malvertising vectors via platforms such as Google Ads to compromise prominent financial institutions’ customers.

 
This is a useful report, and the “memory-only + PowerShell + LOLBin” combination is exactly the kind of tradecraft that makes banking malware harder to spot with simple file-based checks.

What stands out in this case

  • It appears to target Brazilian banking and cryptocurrency users specifically.
  • The use of obfuscated PowerShell and in-memory execution can reduce obvious disk artifacts.
  • Abuse of legitimate Windows components fits the classic “living-off-the-land” pattern, which often blends malicious activity into normal system behavior.
  • The reported Google Ads / malvertising angle is important because it targets users before they even reach the legitimate service.

Why this matters

Traditional detection is often strongest when malware drops a clear executable to disk. Threats that rely on script execution, LOLBins, and memory-resident components can be more difficult to catch with basic signature-based methods alone.

That does not mean they are invisible, but it does mean defenders usually need layered protection, such as:

  • Behavior monitoring / EDR-style detection
  • PowerShell logging where appropriate
  • Attack surface reduction rules
  • Browser and ad hygiene
  • Strong banking-session protections

Practical defensive takeaways

  • Avoid clicking sponsored search results for banking, crypto, or payment platforms when possible. Type the known URL manually or use a trusted bookmark.
  • Keep Windows, browsers, and security software fully updated.
  • If PowerShell is not needed in a given environment, restricting or auditing its use can reduce risk.
  • Use reputable security software that includes behavior-based detection, not just static signatures.
  • For financial activity, enable MFA and verify transactions independently whenever possible.
  • Organizations should review script execution policies, monitor LOLBin abuse, and harden endpoints against malvertising-driven initial access.

One caution on wording

The phrase “unique threat never seen before” is often partly marketing language in public reporting. The campaign may indeed have novel elements, but the underlying techniques such as PowerShell abuse, memory-resident payloads, and LOLBins are established attacker methods. The real value is in the specific combination, targeting, delivery chain, and operational workflow described in the report.

Bottom line

If the Securelist analysis is accurate, GoPix is a strong example of modern banking malware shifting away from obvious dropped binaries and toward stealthier, script-driven, in-memory execution. For users, the biggest immediate lesson is to avoid sponsored search links for financial services. For defenders, the priority is layered detection and visibility into scripting and LOLBin abuse.

Source
 
Executive Summary

Confirmed Facts

Telemetry from the provided Securelist report proves GoPix is a memory-only banking Trojan delivered via Google Ads malvertising that checks for Avast Safe Banking on port 27275 to determine its payload format (NSIS vs. ZIP/LNK). The malware achieves HTTPS interception by injecting a rogue Root CA ("CN=Root CA 2024" or "CN=Root CA 2025") into the browser and routing traffic through a malicious Proxy AutoConfig (PAC) file.

Assessment
The structure resembles an advanced persistent threat campaign specifically tailored to bypass standard financial security controls, effectively weaponizing legitimate anti-fraud APIs to pre-qualify targets and evade analysis sandboxes.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1566.002
(Phishing: Spearphishing Link) via Malvertising.

T1059.001
(Command and Scripting Interpreter: PowerShell) for memory-only staging.

T1055
(Process Injection) via direct syscalls into suspended browser processes.

T1553.004
(Install Root Certificate) to intercept HTTPS communications.

T1090
(Proxy) via PAC file manipulation.

T1115
(Clipboard Data) to hijack Boleto slips, Pix transactions, and Crypto wallets.

CVE Profile
No CVE (LOLBin/Malvertising)
CISA KEV Status: Inactive

Telemetry

Hashes
EB0B4E35A2BA442821E28D617DD2DAA2 (NSIS)

D3A17CB4CDBA724A0021F5076B33A103 (Dropper)

28C314ACC587F1EA5C5666E935DB716C (Main payload)

Domains
paletolife[.]com
correioez0ubcfht9i3[.]lovehomely[.]com
mydigitalrevival[.]com

Registry Keys
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

Certificates
NSIS Installer signed by "PLK Management Limited".

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Issue immediate employee advisories regarding Google Ads malvertising targeting WhatsApp Web and Chrome downloads.

Command
Revoke trust in the code-signing certificate issued to "PLK Management Limited" within endpoint security policies.

DETECT (DE) – Monitoring & Analysis

Command
Deploy EDR hunting queries for PowerShell executing NetWebClient.UploadString without disk artifacts.

Command
Monitor endpoints for unauthorized local connections checking WebSocket port 27275.

RESPOND (RS) – Mitigation & Containment

Command
Isolate any endpoint resolving DNS queries to known GoPix C2 infrastructure (e.g., paletolife[.]com).

Command
Perform memory forensics on Explorer.exe and browser processes to locate DLLs with zeroed MZ signatures.

RECOVER (RC) – Restoration & Trust

Command
Reimage infected hosts entirely due to the stealthy installation of rogue Root Certificates and memory-resident implants.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Implement DNS-level blocking for untrusted ad networks.

Command
Restrict standard user rights to install new Root Certificate Authorities via GPO.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately if you recently downloaded software (like WhatsApp or Chrome) from a sponsored search engine ad.

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset all financial passwords and check cryptocurrency wallets using a known clean device (e.g., a mobile phone on a cellular network).

Priority 3: Persistence

Command
Open the Windows Certificate Manager (certmgr.msc) and delete any Root Certificates named "CN=Root CA 2024" or "CN=Root CA 2025".

Command
Check Windows proxy settings to ensure no malicious PAC script is configured to route your traffic.

Hardening & References

Baseline

CIS Benchmarks for Windows 10/11 (Enforce PowerShell Constrained Language Mode).

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

Securelist / Kaspersky GReAT
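The three host-side indicators the post lists (rogue "CN=Root CA 2024"/"CN=Root CA 2025" root certificates, a configured PAC script, and activity on local port 27275) can be checked in one read-only pass. The script below is an added example written for this thread, not code from the Securelist report or from the poster; it only reports findings and assumes the certificate subject strings and port number exactly as given above.

```powershell
# Added example: read-only triage of the GoPix host indicators named in the
# thread. Reports only; it removes nothing. Run as Administrator to see the
# LocalMachine root store and every TCP connection on the host.

$SuspectRootCaPattern = 'CN=Root CA 202[45]'   # "CN=Root CA 2024" / "CN=Root CA 2025" per the thread
$AvastSafeBankingPort = 27275                   # local port GoPix probes, per the thread
$findings = @()

# 1. Rogue root CAs. Both stores are checked because a per-user root
#    install needs no admin rights and still affects the browser.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $SuspectRootCaPattern } |
        ForEach-Object {
            $findings += "Suspect root CA '$($_.Subject)' in $store (thumbprint $($_.Thumbprint))"
        }
}

# 2. Proxy AutoConfig. WinINet keeps the PAC URL in AutoConfigURL; the
#    thread describes a malicious PAC file as the traffic-redirection step.
#    On a home PC this value is normally empty, so any value is worth review.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pac  = (Get-ItemProperty -Path $inet -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
if ($pac) { $findings += "PAC script configured in WinINet settings: $pac" }

# 3. Port 27275. A listener here is expected only when Avast Safe Banking is
#    installed; a script host (powershell.exe, wscript.exe) talking to it is
#    the pattern the DETECT step above asks you to watch for.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq $AvastSafeBankingPort -or $_.RemotePort -eq $AvastSafeBankingPort } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
        $findings += "Port $AvastSafeBankingPort $($_.State): $name (PID $($_.OwningProcess)) $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort)"
    }

if ($findings.Count -eq 0) {
    Write-Output 'None of the GoPix host indicators from the thread were found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A hit on item 1 or 2 is the cue to follow the Priority 3 steps above (certmgr.msc and the proxy settings) and then reimage if the host is in an enterprise; a hit on item 3 alone needs the process name checked against an installed Avast product before it is treated as malicious.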