GoPIX Malware Targeting Brazil’s PIX Payment System in Malvertising Campaign

    Kaspersky has identified the GoPIX malware as a significant threat to Brazil’s popular PIX instant payment system. This campaign began in December 2022.

    Malicious Advertisements and Their Tactics
    When users search for “WhatsApp web” on search engines, they encounter malicious ads placed in the sponsored section of the search results. Clicking one of these links takes the user to a page that serves the malware.

    Bypassing Security Measures
    To evade sandboxes and automated crawlers, the attackers use a legitimate fraud-prevention service called IPQualityScore, which classifies a site visitor as a human or a bot. Only visitors judged to be real users are shown the deceptive WhatsApp download page, which prompts them to download a malicious installer.

    In-depth Look at the Malware’s Functionality
    The source from which GoPIX is downloaded depends on whether port 27275 is open on the user’s machine. An open port indicates that Avast’s safe banking software is present; in that case the victim receives a ZIP file containing an LNK shortcut that launches a hidden PowerShell script. Otherwise, the malware is downloaded directly as an NSIS installer package, a route chosen to sidestep security software.

    The installer’s main role is to fetch and launch the GoPIX malware using a technique known as process hollowing: it starts the Windows system process svchost.exe in a suspended state and then injects the malware into it before resuming execution.
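    A defender-side heuristic for the hollowing step described above, written as an added example that is not part of the original article or Kaspersky’s analysis: a legitimate svchost.exe is normally spawned by services.exe with a “-k <service group>” argument, so an svchost.exe created by an installer, PowerShell or another unexpected parent, or started without “-k”, is worth flagging. The events below are constructed in the shape of Sysmon Event ID 1 records and the installer file name is hypothetical; note that process-creation telemetry does not record the CREATE_SUSPENDED flag itself, so parent lineage and command line are the observable signals.

```python
import re

# Constructed sample process-creation events modelled on Sysmon Event ID 1.
# These are illustrative records, not telemetry from the real campaign.
SAMPLE_EVENTS = [
    {   # normal service host launched by the Service Control Manager
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    {   # svchost.exe spawned by a downloaded installer (hypothetical file name)
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe",
        "ParentImage": r"C:\Users\victim\Downloads\WhatsApp-Setup.exe",
    },
    {   # svchost.exe spawned by PowerShell, e.g. from the LNK delivery path
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "svchost.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
]

# Parents that legitimately create svchost.exe on a standard Windows install.
# Some environments have additional benign parents; extend this set per baseline.
LEGIT_SVCHOST_PARENTS = {"services.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_svchost(event):
    """Return the reasons this event looks like a hollowed svchost.exe (empty if none)."""
    reasons = []
    if basename(event["Image"]) != "svchost.exe":
        return reasons
    parent = basename(event["ParentImage"])
    if parent not in LEGIT_SVCHOST_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    # Real service hosts carry a "-k <group>" argument; a hollowed shell usually does not.
    if not re.search(r"(?:^|\s)-k\s+\S+", event["CommandLine"]):
        reasons.append("missing -k service-group argument")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that trips the heuristic."""
    findings = []
    for idx, event in enumerate(events):
        reasons = suspicious_svchost(event)
        if reasons:
            findings.append((idx, reasons))
    return findings
```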

    GoPIX’s Main Objective
    GoPIX operates as a clipboard stealer malware. Its primary goal is to intercept PIX payment requests. It swaps genuine PIX strings with those controlled by attackers from a command-and-control (C2) server. Interestingly, GoPIX can also swap Bitcoin and Ethereum wallet addresses. However, these addresses are embedded in the malware and do not come from the C2. GoPIX can also act on C2 commands to uninstall itself from a compromised machine.

    Other Noteworthy Campaigns
    Another concerning campaign targets users searching for apps such as WhatsApp and Telegram. Deceptive ads in Google search results lead users to counterfeit pages that urge them to scan a QR code to link their device. The QR code actually points to a malicious site, and scanning it unknowingly links the victim’s messaging account to the attacker’s device, giving the attacker access to chat records and contacts.

    Emergence of New Threats
    Proofpoint has unveiled a new version of the Brazilian banking trojan named Grandoreiro. This malware, linked to the threat actor TA2725, now targets victims in Mexico and Spain. This shift shows a trend of Latin American malware broadening its horizons to Europe.

    Rise of Information Stealers
    Crimeware authors are now offering malware-as-a-service (MaaS) tools, making it easier for cybercriminals to launch attacks. One such tool, Lumar, is gaining popularity on the dark web. Lumar can capture Telegram sessions, snatch browser cookies and passwords, retrieve files, and pull data from crypto wallets. The distribution of this malware as MaaS allows its creators to earn quickly while posing a significant threat to legitimate businesses.
