
Brazilian Users Targeted by Phishing Tactics with New Banking Trojan CHAVECLOAK

CHAVECLOAK, a new banking trojan targeting users in Brazil, is being distributed through phishing emails with PDF attachments, according to Fortinet FortiGuard Labs researcher Cara Lin.

The attack relies on convincing users to open PDF files that use DocuSign-themed lures and contain a button to read and sign the documents. When the button is clicked, however, it triggers the download of an installer file from a shortened URL.
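The delivery step described above, a PDF button that fetches an installer through a shortened URL, can be triaged at a mail gateway. The following is an added example, not taken from Fortinet's report or this article: it extracts link-action URIs from a PDF and flags those hosted on URL shorteners. The shortener list and the sample PDF bytes are constructed assumptions, since the article does not name the shortening service used.

```python
import re
import zlib
from urllib.parse import urlsplit

# Assumed shortener hosts for illustration; the article does not name the service.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # /URI (literal string)
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def _chunks(pdf: bytes):
    """Yield the raw file, then every stream that inflates as Flate data."""
    yield pdf
    for m in STREAM.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # other filter or encrypted: needs a full PDF parser

def extract_uris(pdf: bytes) -> list[str]:
    """Return de-duplicated URI action targets in order of appearance."""
    uris: list[str] = []
    for chunk in _chunks(pdf):
        for m in URI_ACTION.finditer(chunk):
            uri = re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            if uri not in uris:
                uris.append(uri)
    return uris

def flag_shortened(pdf: bytes) -> list[str]:
    """Return the URIs whose host is on the shortener list."""
    flagged = []
    for uri in extract_uris(pdf):
        try:
            host = (urlsplit(uri).hostname or "").lower()
        except ValueError:
            continue  # malformed URL
        if host.removeprefix("www.") in SHORTENER_HOSTS:
            flagged.append(uri)
    return flagged

# Constructed sample: two plain link annotations and one inside a Flate stream.
_packed = zlib.compress(b"<< /S /URI /URI (https://tinyurl.com/EXAMPLE-ONLY) >>")
SAMPLE_PDF = (
    b"%PDF-1.7\n5 0 obj\n<< /Subtype /Link /A << /S /URI /URI (https://bit.ly/EXAMPLE-ONLY) >> >>\n"
    b"endobj\n6 0 obj\n<< /Subtype /Link /A << /S /URI /URI (https://www.example.com/help) >> >>\n"
    b"endobj\n7 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + _packed + b"\nendstream\nendobj\n"
)
```

Hex-string URIs and encrypted or non-Flate streams are not covered by this sketch; those cases need a full PDF parser.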

The installer file contains the CHAVECLOAK malware, which is executed using DLL side-loading. This malware is designed to steal sensitive information such as system metadata and banking-related data from users in Brazil.

Once installed, CHAVECLOAK establishes a connection with a command-and-control server to harvest information and send it to specific endpoints based on the targeted financial institution.

Furthermore, the malware can perform actions like capturing keystrokes, displaying deceptive pop-up windows, and monitoring access to financial portals.

Fortinet also discovered a Delphi variant of CHAVECLOAK, highlighting the prevalence of Delphi-based malware targeting Latin America.

This evolving landscape of cyberthreats includes a mobile banking fraud campaign in the U.K., Spain, and Italy that utilizes smishing and vishing tactics to deploy an Android malware called Copybara for unauthorized banking transfers.

Attackers behind the campaign have been using a centralized web panel named ‘Mr. Robot’ to manage multiple phishing campaigns and customize attacks on different financial institutions.

The sophistication of these fraudulent activities is further demonstrated by the deployment of Copybara using a C2 panel named JOKER RAT, which facilitates real-time interaction with infected devices and interception of sensitive information.

Overall, the emergence of CHAVECLOAK and other advanced cyberthreats targeting the financial sector underscores the need for increased vigilance and cybersecurity measures to protect users’ data and assets.


