Cybersecurity Threats Targeting Major Banks in Brazil

Published: November 12, 2025
Category: Business & Finance

Full Transcript

Cybersecurity threats targeting major banks in Brazil have escalated with the emergence of a new malware known as Maverick, which hijacks browser sessions to compromise financial information. According to The Hacker News, Maverick shows similarities to an earlier malware called Coyote, both of which are developed in .NET and specifically target Brazilian users and banking institutions.

The report from CyberProof indicates that Maverick is spread through WhatsApp, using a self-propagating component identified as SORVEPOTEL, which delivers a ZIP file containing the Maverick payload via the desktop web version of the messaging app.

Once executed, Maverick monitors browser tabs for URLs of financial institutions, establishing contact with remote servers to gather system information and deploy phishing pages aimed at stealing user credentials.

Sophos highlights the possibility that Maverick could represent an evolution of the Coyote malware, while Kaspersky treats it as a separate threat but notes significant code similarities. The ZIP file contains a Windows shortcut that executes a command to download the payload, which is only installed if the victim's system is confirmed to be located in Brazil.

This location check includes evaluating the time zone, language settings, and date formats. The report further reveals that the malware's targeting is not limited to banks and potentially extends to hotels in Brazil, indicating a broader threat landscape.

Trend Micro elaborates on the operational tactics of the threat actor Water Saci, detailing an advanced command-and-control infrastructure that allows real-time management of infected machines. This sophisticated system enables the malware to operate stealthily, controlling compromised devices much like a botnet.

The infection process begins when a user extracts the ZIP file, triggering a Visual Basic Script downloader that takes over the victim's WhatsApp Web session and disseminates the malicious files to contacts.

This method bypasses traditional authentication mechanisms, allowing attackers immediate access without requiring QR code scanning. The extensive use of WhatsApp in Brazil, with over 148 million active users, amplifies the impact of this campaign.
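A defensive triage sketch for the delivery chain described above (a ZIP archive carrying a Windows shortcut or a script downloader), added here as an example and not taken from any of the cited reports. The extension lists, the function names and the sample archive are constructed assumptions; the shortcut check relies on the `.lnk` header starting with the size field `0x0000004C`.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy: member types that run code when opened on Windows.
RISKY_EXTENSIONS = {".lnk", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}
# Assumed decoy types used in names such as "statement.pdf.lnk".
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
LNK_MAGIC = bytes.fromhex("4c000000")  # .lnk files begin with HeaderSize 0x0000004C


def triage_zip(data: bytes) -> list:
    """Return one finding per archive member that warrants quarantine."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            reasons = []
            if info.flag_bits & 0x1:
                # Encrypted member: content cannot be inspected, so flag it.
                reasons.append("encrypted")
            else:
                with archive.open(info) as member:
                    if member.read(4) == LNK_MAGIC:
                        reasons.append("shortcut-header")  # catches renamed shortcuts
            if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
                reasons.append("risky-extension")
                if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTENSIONS:
                    reasons.append("double-extension")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample archive; every member holds inert placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", "hello")
        z.writestr("statement.pdf.lnk", LNK_MAGIC + b"\x00" * 72)
        z.writestr("renamed.dat", LNK_MAGIC + b"\x00" * 72)
        z.writestr("scripts/update.vbs", "' placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding)
```

A mail or chat-attachment gateway could call `triage_zip` on each inbound archive and quarantine any archive that returns findings.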

The report concludes that the aggressive nature of these attacks signifies a notable shift in the modus operandi of banking trojans, moving towards leveraging legitimate software and communication platforms to execute large-scale cyber attacks.

As a result, the banking sector must enhance security measures to protect sensitive customer data from these evolving threats.
