This malware is stealing money from banks in Mexico and Brazil

A new variant of malware called Amavaldo was recently detected, targeting bank users especially in Mexico and Brazil. A comprehensive analysis by ethical hacking experts from security firm ESET identified more than 10 new malware families, detecting attacks in other Latin American countries.

According to specialists, these Trojans share clearly identifiable features: they are written in Delphi, include backdoor functions, abuse legitimate files and programs to complete the infection process, and use algorithms that have never or only rarely been seen before.

To begin, the attackers use a Windows executable that presents itself to the victim as a legitimate company software installer; in reality, this tool is used to download the Amavaldo malware. According to ethical hacking experts, the campaign operators also resort to social engineering tactics to get the victim to hand over credit card data.

Subsequently, the Trojan monitors the active windows on the victim’s computer for activity related to banking institutions. If this search succeeds, the malware displays a fake pop-up that mimics the legitimate banking site, which can lead to the theft of sensitive data.

In their research, ESET experts mention that Amavaldo is a modular malware made up of three distinct components:

  • A copy of a legitimate app
  • An injector
  • An encrypted banking Trojan

When the victim interacts with the malicious program, all the contents of the ZIP file are saved on the compromised system’s hard drive. Then:

  • The injector is executed via DLL side-loading
  • The injector injects itself into wmplayer.exe or iexplore.exe
  • The injector searches for the encrypted banking Trojan (a file without an extension whose name matches that of the injector DLL)
  • If such a file is found, the injector decrypts and executes the banking Trojan
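A defender-side triage check for the drop layout just described, added here as an example and not part of ESET's analysis or the original article: it walks a directory tree and flags any folder holding an executable, a DLL and an extensionless file named after that DLL. The file names in the constructed sample tree are placeholders, not real Amavaldo indicators.

```python
import os
import tempfile
from pathlib import Path


def find_sideload_triads(root):
    """Walk root and return (exe, dll, payload) Path triples for every folder
    that holds an .exe, a .dll and an extensionless file named like the DLL."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        names = set(files)
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        dlls = sorted(f for f in files if f.lower().endswith(".dll"))
        if not exes or not dlls:
            continue
        for dll in dlls:
            stem = Path(dll).stem
            # The encrypted Trojan is described as a file with no extension
            # whose name matches the injector DLL's name.
            if stem in names and Path(stem).suffix == "":
                for exe in exes:
                    hits.append((folder / exe, folder / dll, folder / stem))
    return hits


def triad_names(root):
    """Convenience view: the same findings reduced to bare file names."""
    return [(e.name, d.name, p.name) for e, d, p in find_sideload_triads(root)]


def build_sample_tree():
    """Constructed demo layout (assumption, not real samples): one folder
    mimicking the unpacked drop and one benign folder that must not match."""
    root = Path(tempfile.mkdtemp(prefix="sideload_demo_"))
    drop = root / "installer"
    drop.mkdir()
    (drop / "legit_app.exe").write_bytes(b"MZ")     # copied legitimate app
    (drop / "helper.dll").write_bytes(b"MZ")        # injector DLL
    (drop / "helper").write_bytes(b"\x00" * 16)     # extensionless blob
    benign = root / "benign"
    benign.mkdir()
    (benign / "app.exe").write_bytes(b"MZ")
    (benign / "lib.dll").write_bytes(b"MZ")
    (benign / "readme.txt").write_bytes(b"notes")   # has an extension: no hit
    return root


if __name__ == "__main__":
    for exe, dll, payload in find_sideload_triads(build_sample_tree()):
        print(f"suspicious layout: {exe.name} + {dll.name} + {payload.name} in {exe.parent}")
```

Point it at an unpacked installer or a quarantined download folder; a hit is a lead for manual review, not proof of infection.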

Besides its modular design, another important feature of Amavaldo is its use of a custom encryption scheme. The developers padded the malware code with junk strings that serve no purpose. To work out the algorithm's logic, the ethical hacking specialists wrote a simplified pseudocode version of the routine. The same routine is used by both the malware and the downloader, which is unusual behavior.


Once the infection process is complete, Amavaldo proceeds to collect some details about the compromised system, including:

  • Computer identification data and operating system version
  • Whether bank protection software is present
  • The location of certain files

In addition, the backdoor features in Amavaldo allow hackers to perform some malicious tasks like:

  • Taking screenshots
  • Capturing images from the webcam
  • Downloading and running other programs
  • Updating the malware itself

Ethical hacking experts state that, until a couple of months ago, the malware had only been detected in Brazil; reports of its appearance in Mexico began in May this year.

According to specialists from the International Institute of Cyber Security (IICS), Amavaldo is just one of many newly developed malware families capable of extracting sensitive information, especially bank details. Users need to remain alert to any phishing attempt, which is routinely the first step attackers take to obtain the access needed to compromise a target system.