Brazil, one of the most populated countries in the world, also has one of the highest percentages of internet users using online banking: more than half of the population uses it. As a consequence, banking trojans are the No. 1 cybersecurity threat in that Latin America powerhouse. And they’re being unleashed on the country in a homegrown malware phenomenon that’s specific to the region.
That’s according to ESET, which has identified control panel application (CPL) malware flowing at an increasing rate through its Latin American Research Lab, 90% of which came from Brazil. CPL files are a type of library file that, once clicked, will trigger the automatic execution of the code contained in the file. If that code is malicious code, the user is infected as a matter of course. It’s a very specific type of code approach that’s quite uncommon in the larger malware picture.
Of those malicious CPL files observed by ESET, 82% of them deliver some variant of Win32/TrojanDownloader.Banload family; which has as its main goal the download and installation of banking trojans.
To persuade their victims to execute the malicious CPL files and become infected, cyber-criminals send fake emails that make good use of social engineering techniques. The most used types of bait messages include documents with a price quote, invoice or receipt; a document with information on a debt or banking situation; specific digital payment instruments only used in Brazil, such as the Boleto Bancário or the Nota Fiscal Eletrônica; and files passed off as photographs, videos or other kinds of media files.
The Brazil-specific payment instruments may be the most ingenious, and again, point to the homegrown nature of the campaign. Matías Porolli, researcher at ESET, explained in a whitepaper that the Boleto Bancário is digitally issued and supported by a banking institution, which contains a bar code and allows anyone to pay a receiving party, usually by printing the document and paying at one of the places specially authorized for that purpose. Likewise, the Brazilian electronic invoice called Nota Fiscal Eletrônica is another digital document that makes it easier to purchase goods from a supplier, relying on the digital signature of the issuer and the receiver. It requires validation from a Brazilian public organization.
CPL malware is on the rise—and significantly so. At the beginning of 2012, only 5% of the files sent by users to the ESET LATAM Lab corresponded to CPL malware. However, in 2013 this figure increased to 20%, quadrupling its number as compared with the previous year. Throughout 2014 and early 2015, the percentage of samples the users received increased by 50%.
By the first quarter of 2015, three out of every 10 samples that users sent to the ESET LATAM Lab were CPL files, with Brazil disproportionately affected: 76% of ESET detections last year came from the country.
“This very clearly demonstrates that this malware family is specifically targeting users in that country—the second place, occupied by Spain, has almost 11 times fewer detections, and the gap extends further with other countries like Argentina, Colombia and even Portugal,” said Porolli.
Most of the samples use Delphi as the programming language, use the same CPL-specific encryption algorithm, and use the same propagation campaigns.
“All these similarities tell us that these attacks are being carried out by the same cyber-criminal group or by many groups that are in contact with each other and who share information,” Porolli said. “Many of the elements present in the current campaign were made in Brazil. Due to the strings in Portuguese present in the executables, as well as the consistent use of the Delphi language, it is reasonable to believe that quite a lot of local work went into developing the threats, rather than merely adapting those that already exist.”