Malware descriptions

Brazilian Masquerade

What do you see here?

A free AV product protecting a Windows XP machine, right?

No, actually its malware a Brazilian Trojan banker coming via email and then using a masquerade to stay in the system. The malware is 386Kb only, written in Delphi, and comes via an email together with a bunch of many other malicious and non-malicious files.

If the victim clicks on the system tray icon, he will get this message:

(Translation: Your Avast! Antivirus is
being updated, wait.)

In some combinations it also shows messages like this one:

(Translation: Avast! antivirus: Attention, your system is protected)

Why do cybercriminals use such a method to hide their malware in the system? Google trends shows that Avast is the most popular AV in
Brazil. And my experience of life in Latin America shows that people still dont want to pay when there is something free.

Before dropping the mentioned fake Avast product, another module, based on the anti-rootkit product Avenger, tries to remove the
following legitimate AV products from the system if they are installed: AVG, McAfee, Panda, Nod32, Kaspersky, Bitdefender, Norton, Microsoft Security Essentials, PSafe, Avira and Avast.

There are many malicious files used in the same campaign. They have different roles and are detected by Kaspersky Anti-virus as Trojan.Win32.Delf.ddir, Trojan.Win32.ChePro.aov, Trojan.Win32.ChePro.anv, Trojan-Banker.Win32.Delf.apg, not-a-virus:RiskTool.Win32.Deleter.i, Trojan-Banker.Win32.Agent.jst and Trojan.Win32.Delf.ddiq

Looks like cybercriminals from Brazil think this way: “Why to fight AV detections? Sometimes it’s too complicated. Let’s just
better replace them with our own fake solutions and everybody gets happy

Last, but not least, in addition to malware related to the mentioned campaign, we see more and more Trojan Bankers from Brazil coming
with fake descriptions, pretending to be modules of different AV products. Heres one example:

Follow me on twitter @dimitribest

Brazilian Masquerade

Your email address will not be published. Required fields are marked *



LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Andariel evolves to target South Korea with ransomware

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, we came to a conclusion: the Andariel group was behind these attacks.

Subscribe to our weekly e-mails

The hottest research right in your inbox