Boleto: The Perfect ‘Inside Job’ Banking Malware

The Brazilian cyberspace is known to be an ecosystem of its own and, although the banking malware that originates there has traditionally been somewhat basic, recent trends indicate new and more refined attack tools. Consequently, what originally started in Brazil may well be about to spread to users of online banking worldwide.

In May 2017, researchers at Talos analyzed a banking Trojan that was delivered in Portuguese via a spam campaign, a common delivery method for such malware. Upon opening the email attachment, victims would be redirected to a JAR file, which executes malicious Java code to initiate the malware installation process.

Until now, the deeper inner workings of this malware have remained locked away behind the highly complex ‘Themida’ packer. Thanks to the Check Point Research team, however, we have been able to unpack it and can now reveal how this new variation of the malware interacts with its victims.

Our research below illustrates how a victim, once logged onto their online bank account, whether it be HSBC, Santander, Citibank or one of several Brazilian banks, is deceived into allowing the attacker free rein over their account. As a result of the attack, the account’s funds are then stolen directly, without the victim even being aware.

In addition, through our research, we have been able to connect Talos’s work to that done by Trusteer, who investigated a similar version of this malware back in January. Only now is it clear how these Brazilian banking malware families are connected and how they operate.

Banking malware enables the theft of millions of dollars each year from unsuspecting victims. By understanding more about how this particular attack operates and how it is perceived on the front end from the customer’s point of view, we hope to raise awareness and thwart similar attacks in the future.

For deeper analysis on how the attack occurs, please see the full research publication on our Research Blog.