New Banking Trojan “CHAVECLOAK” Targets Brazil

FortiGuard Labs found a threat using a harmful PDF to spread the CHAVECLOAK banking Trojan. The attack involves the PDF downloading a ZIP file and then using DLL side-loading to run the malware. CHAVECLOAK targets Brazilian users to steal financial information. Figure 1 shows the detailed flow of this cyber threat.

Banking trojans in South America use various tactics, like phishing emails, malicious attachments, and manipulating web browsers. Some examples are Casbaneiro (Metamorfo/Ponteiro), Guildma, Mekotio, and Grandoreiro. These trojans focus on stealing online banking credentials and personal information, which poses a major threat to users in countries like Brazil and Mexico. Figure 2 shows the telemetry of CHAVECLOAK’s Command and Control (C2) server.

Initial Vector PDF:

Figure 3 shows a PDF that allegedly contains contract-related documents with Portuguese instructions. The PDF prompts users to click a button to read and sign the attached documents. However, there is a hidden malicious downloader link in the PDF’s stream object, as revealed in Figure 4. This URL undergoes processing via the free link shortening service “Goo.su,” ultimately leading to a redirect at hxxps://webattach.mail.yandex.net/message_part_real/NotaFiscalEsdeletronicasufactrub66667kujhdfdjrWEWGFG09t5H6854JHGJUUR[.]zip for downloading the ZIP file. Upon decompression, the file yields the MSI file “NotafiscalGFGJKHKHGUURTURTF345.msi.”

Upon decompressing the MSI installer, researchers found additional files including TXT files for different languages, a legitimate execution file, and a suspicious DLL named “Lightshot.dll” with a more recent modified date compared to other files.

Examining the MSI installer reveals its entire configuration, which is written in Portuguese. It executes the file “Lightshot.exe,” extracting and depositing files at “%AppData%\Skillbrains\lightshot\5.5.0.7,” as shown in Figure 6.

The file “Lightshot.exe” uses DLL sideloading to run the malicious “Lightshot.dll” discreetly, allowing unauthorized activities like data theft. This technique poses a significant security threat by letting malware exploit legitimate processes for harmful purposes without being detected. To read out the full report click here.

Source: FortiGuard Labs