New Banking Trojan CHAVECLOAK Targets Brazilian Users via Phishing Tactics


Winston. I

3/12/2024

A new banking trojan dubbed CHAVECLOAK is targeting users in Brazil through phishing emails containing PDF attachments.

This sophisticated attack involves the PDF file downloading a ZIP archive and then using DLL side-loading techniques to execute the final malware, according to Fortinet FortiGuard Labs researcher Cara Lin.

The attack begins with phishing emails using contract-themed DocuSign lures to deceive users into opening PDF files containing a button to read and sign documents. However, clicking the button triggers the retrieval of an installer file from a remote link, which is shortened using the Goo.su URL shortening service.

The installer contains an executable named "Lightshot.exe" that uses DLL side-loading to load "Lightshot.dll," the CHAVECLOAK malware responsible for stealing sensitive information. This includes gathering system metadata, checking if the compromised machine is in Brazil, and monitoring the foreground window against a predefined list of bank-related strings.
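A defender-side check for the side-loading step described above, written here as an added example rather than code from Fortinet's report: it scans constructed image-load records (fields modelled loosely on Sysmon Event ID 7) and flags a DLL that a process loads from its own user-writable directory without a valid signature. The sample paths, the legitimate Lightshot install location and the field names are assumptions.

```python
"""Flag image-load events consistent with DLL side-loading from a user-writable folder."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Path fragments that a phished user (not an installer) could have written to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


@dataclass(frozen=True)
class ImageLoad:
    image: str         # process executable (Sysmon "Image")
    image_loaded: str  # DLL mapped into it (Sysmon "ImageLoaded")
    signed: bool       # whether the DLL carried a valid signature


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def looks_like_sideload(ev: ImageLoad) -> bool:
    exe = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    # Side-loading relies on the loader finding the DLL beside the EXE first,
    # so the DLL must sit in the executable's own directory ...
    if dll.parent != exe.parent:
        return False
    # ... and that directory should be somewhere an extracted ZIP would land;
    # a DLL beside an EXE under Program Files is the normal install layout.
    if not is_user_writable(str(exe.parent)):
        return False
    # An unsigned DLL beside a downloaded EXE is the strongest signal.
    return not ev.signed


def find_sideloads(events):
    return [ev for ev in events if looks_like_sideload(ev)]


# Constructed sample records; not telemetry from the campaign described above.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\Downloads\contrato\Lightshot.exe",
              r"C:\Users\alice\Downloads\contrato\Lightshot.dll", signed=False),
    ImageLoad(r"C:\Program Files\Lightshot\Lightshot.exe",          # assumed install path
              r"C:\Program Files\Lightshot\Lightshot.dll", signed=True),
    ImageLoad(r"C:\Users\alice\Downloads\contrato\Lightshot.exe",
              r"C:\Windows\System32\kernel32.dll", signed=True),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"possible side-load: {hit.image} loaded {hit.image_loaded}")
```

Only the first record is reported; the other two show the normal install layout and a system DLL load from the same suspicious process, neither of which is side-loading on its own.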

If a match is found, the malware establishes a connection with a command-and-control (C2) server and proceeds to harvest various types of information, sending them to different endpoints on the server based on the financial institution.

"The malware enables various actions to steal a victim's credentials, such as blocking the victim's screen, logging keystrokes, and displaying deceptive pop-up windows," Lin explained.

Furthermore, the malware actively monitors the victim's access to specific financial portals, including various banks and Mercado Bitcoin, covering both traditional banking and cryptocurrency platforms.

Fortinet also uncovered a Delphi variant of CHAVECLOAK, underscoring the prevalence of Delphi-based malware targeting Latin America.

"The emergence of the CHAVECLOAK banking Trojan highlights the shifting landscape of cyber threats targeting the financial sector, with a particular emphasis on users in Brazil," Lin concluded.

These findings come in the midst of an ongoing mobile banking fraud campaign targeting the U.K., Spain, and Italy. This campaign involves the use of smishing and vishing tactics (SMS and voice phishing) to distribute an Android malware known as Copybara. The ultimate goal is to conduct unauthorized banking transfers to a network of bank accounts operated by money mules.

"Threat actors have been observed employing a structured approach to manage all ongoing phishing campaigns through a centralized web panel called 'Mr. Robot,'" stated Cleafy in a report published last week.

"With this panel, threat actors can activate and oversee numerous phishing campaigns targeting various financial institutions according to their requirements."

The command-and-control (C2) framework also enables attackers to orchestrate customized attacks on specific financial institutions using phishing kits designed to replicate the user interface of the targeted entity. Additionally, they employ anti-detection techniques such as geofencing and device fingerprinting to restrict connections solely from mobile devices.

The phishing kit – which serves as a fake login page – is responsible for capturing retail banking customer credentials and phone numbers and sending the details to a Telegram group.

Some of the malicious infrastructure used for the campaign is designed to deliver Copybara, which is managed using a C2 panel named JOKER RAT that displays all the infected devices and their geographical distribution over a live map.

It also allows the threat actors to remotely interact in real-time with an infected device using a VNC module, in addition to injecting fake overlays on top of banking apps to siphon credentials, logging keystrokes by abusing Android's accessibility services, and intercepting SMS messages.

Additionally, JOKER RAT comes equipped with an APK builder, allowing users to tailor the rogue app's name, package name, and icons to their preferences.

"Another notable feature within the panel is the 'Push Notification,' likely utilized to dispatch fake push notifications to infected devices. These notifications mimic legitimate bank notifications, enticing users to open the bank's app, thereby enabling the malware to harvest credentials," explained Cleafy researchers Francesco Iubatti and Federico Valentini.

The increasing complexity of on-device fraud (ODF) schemes is further underscored by a recently uncovered TeaBot (also known as Anatsa) campaign, which successfully infiltrated the Google Play Store disguised as PDF reader apps.

"This application acts as a dropper, facilitating the deployment of a banking trojan from the TeaBot family through multiple stages," Iubatti noted. "Before downloading the banking trojan, the dropper employs sophisticated evasion techniques, including obfuscation and file deletion, along with various checks regarding the victim countries."