Latin American banks under fire from the Mexican VOlk-Botnet

Latin America has ceased to be a region that simply receives attacks from across the world.

Since late 2009 it has begun to copy fraudulent business models through which American cybercriminals have begun producing their own criminal resources.

Examples include Brazil, with the web application called TELA (to manage the information stolen from zombie computers); or S.A.P.Z. from Peru, used to propagate malicious code designed to steal bank details. But of course, these are not the only ones. Mexico has also joined this list, with different crimeware developments. Tequila and Mariachi crimeware programs started the trend in this region, back in 2009. But the newest is VOlk-Botnet. The following image shows the main page:

Although the first versions of VOlk-Botnet were released in early 2010, this botnet is now experiencing a level of maturity in the area of crime in Latin America. With similar objectives to the crimeware program S.A.P.Z. from Peru, VOlk-Botnet is designed for local pharming attacks (modifying the hosts file) against banks in Latin America and tries to steal sensitive Internet banking data from unsuspecting users.

In this case, the malicious code,detected by Kaspersky Lab as Backdoor.Win32.VB.oyu, is aimed particularly at users of major banks with branches in Chile and Argentina:

The following picture shows some of the infected computers specifically in Chile:

While global strategies of this type share the same fraudulent goals, it is interesting to note that they do not share the same method of attack. On one hand, eastern European crimeware, such as ZeuS (and its derivatives), SpyEye or Carberp, have the ability to inject malicious functions into legitimate operating system processes and browser APIs, to intercept transactions on-the-fly. On the other hand crimeware developers in Latin America have confined themselves to local pharming.

Though less complex, when comparing both methods, local pharming has a very high success rate. This rate is especially high when fused with social engineering. So we recommend keeping your anti-virus security solution active and updated.

Latin American banks under fire from the Mexican VOlk-Botnet

Your email address will not be published.



APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Lazarus Trojanized DeFi app for delivering malware

We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor.

MoonBounce: the dark side of UEFI firmware

At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.

Subscribe to our weekly e-mails

The hottest research right in your inbox