silversurfer
- Aug 17, 2014
There are two primary characteristics of the Brazilian hacking scene: a focus on Brazil, and the adaptability of the hackers. Very strict money laws make trans-border money movement difficult, ensuring that most targets remain local; and the hackers tend to move on to new targets when the current one becomes too difficult.
Hackers targeting banks are an exception -- banking malware is focused on banks and bank users, and cannot readily be moved to a different type of victim. SentinelOne has now analyzed a new development within perhaps the most prolific Brazilian banking malware, Banload, that highlights the hackers' adaptability. Unable to move to easier targets, they are seeking to make their targets easier.
Banload has been analyzed before by Cybereason (it is one of the few Brazilian malware families to spread out of Brazil, targeting other Spanish-speaking countries including Argentina, Bolivia, Chile, Venezuela and Spain). Even though it has been found elsewhere, ESET reported on April 30, 2019 that 82.9% of its detections are found within Brazil's national borders.
Brazil is the most populous country in South America, making it a rich target for bank fraud. Online banking has been increasing for several years. So, too, has the general level of cyber hygiene among the population, making successful bank fraud more difficult. To counteract this, the hackers have introduced a new component into Banload, known internally as 'FileDelete'. It is a kernel mode driver designed to remove the software drivers and executables of popular anti-malware and banking protection programs.
FileDelete is delivered via PowerShell to the local directory "C:\G DATA Security Software". It is protected by a code signing certificate under the name of M2 AGRO DESENVOLVIMENTO DE SISTEMAS LTDA, signed on March 31, 2019; and it removes software products belonging to AVG, Trusteer Rapport, Avast, and the Bradesco software "scpbrad".
It does this with an irpStack walk via IRP_MJ_SET_INFORMATION... -> FileDispositionInformation -> DeleteFile.
"While the signed driver itself does not appear to be sophisticated," says SentinelOne, "its custom implementation demonstrates that the group behind Banload continues to innovate and adopt newer tools meant for fraud operations while installed on the victim machines."
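A defender-side hunting sketch for the artefacts named above (the drop directory, the signing subject, and protected security binaries being deleted from kernel context), added here as an example that is not from the article, SentinelOne or the Banload authors. The Sysmon-style event shapes, the file name filedelete.sys, the vendor path markers and the Trusteer placeholder path are assumptions.

```python
"""Added example: hunt Sysmon-style events for the FileDelete driver tradecraft."""
from typing import Dict, List, Tuple

DROP_DIR = r"c:\g data security software"                  # drop directory named in the report
ROGUE_SIGNER = "M2 AGRO DESENVOLVIMENTO DE SISTEMAS LTDA"  # certificate subject named in the report
EXPECTED_VENDOR = "G DATA"  # assumption: anything in that directory should carry the vendor's signature
# Assumed path markers for the products the driver removes (AVG, Avast, Trusteer Rapport, scpbrad)
PROTECTED_MARKERS = ("\\avg\\", "\\avast\\", "\\trusteer\\", "scpbrad")


def _in_drop_dir(path: str) -> bool:
    return path.lower().startswith(DROP_DIR)


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, artefact) pairs for events matching the reported tradecraft."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == "6":  # Sysmon DriverLoad: check who signed what was loaded, and from where
            image, signer = ev["ImageLoaded"], ev.get("Signature", "")
            if signer.upper() == ROGUE_SIGNER:
                findings.append(("driver-signed-by-reported-subject", image))
            elif _in_drop_dir(image) and EXPECTED_VENDOR not in signer.upper():
                findings.append(("unexpected-signer-in-vendor-dir", image))
        elif eid == "11" and _in_drop_dir(ev["TargetFilename"]):  # Sysmon FileCreate
            if ev["Image"].lower().endswith("powershell.exe"):
                findings.append(("powershell-dropped-file-in-vendor-dir", ev["TargetFilename"]))
        elif eid == "23":  # Sysmon FileDelete: protected binary removed by the kernel itself
            target = ev["TargetFilename"].lower()
            if any(m in target for m in PROTECTED_MARKERS) and ev["Image"].lower() == "system":
                findings.append(("kernel-deleted-protected-binary", ev["TargetFilename"]))
    return findings


# Constructed sample events (not real telemetry) shaped like Sysmon event data.
SAMPLE_EVENTS = [
    {"EventID": "11", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\G DATA Security Software\filedelete.sys"},
    {"EventID": "6", "ImageLoaded": r"C:\G DATA Security Software\filedelete.sys",
     "Signature": "M2 Agro Desenvolvimento de Sistemas LTDA", "SignatureStatus": "Valid"},
    {"EventID": "23", "Image": "System",  # placeholder file name under an assumed Trusteer path
     "TargetFilename": r"C:\Program Files\Trusteer\Rapport\bin\placeholder.exe"},
    {"EventID": "6", "ImageLoaded": r"C:\Windows\System32\drivers\afd.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for rule, artefact in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {artefact}")
```

Real deployments would feed `hunt` from parsed Sysmon or EDR telemetry rather than the constructed list, and would tune the vendor markers to the products actually installed.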