
The Detailed Explanation of the Brazilian Trojan Family


Earlier this year, news of a Chinese espionage group was all over the internet. This time, however, Brazil has outstripped China.

Stealing users’ banking details is a favorite pursuit of hackers around the world, and Brazil is no exception.

In today’s blog, I will discuss Brazil’s banking Trojans in detail. You will also learn the best available measures for protecting your valuable information.

First, I will take you back to 2018, when a Brazilian Trojan named BasBanke appeared. This Trojan is also commonly known as the Coybot Trojan.


How did the Coybot Banking Trojan work?

Coybot is a banking Trojan that specifically targeted Android users to steal their banking details. It became active in October 2018.

The main aim of this Trojan was to capture users’ login credentials. Coybot has been quite a dangerous Trojan. The worst part of the story is that, after several months of attacks and credential theft, new samples of the same malware were released.

All the samples behaved the same way; the only difference was that the application name and its package identifier were changed completely.

Its exact distribution method cannot be stated with certainty. However, judging from older Trojan patterns, the malware most likely spread through scam WhatsApp messages and Facebook posts.

Fake alerts resembling an Android or Google Play update were sent to users. The Trojan then asked them to enter their login information, presented as part of a service running in the background. As soon as a user entered their credentials, the Trojan stole them.

Part B – Latest Brazilian Trojan

I have discussed the old Coybot Brazilian banking Trojan in the first section. Now, let’s look at the latest Brazilian banking Trojan family.

These Trojans are becoming a serious threat to users globally. Therefore, strong firewalls and virtual private networks are considered a prerequisite for online banking.

Coming back to the Brazilian Trojans, there are four Brazilian banking Trojan groups. Together, these families are known as “Tetrade”, and they attack banks in Brazil, Europe, and Latin America.

Now I will describe the names and functions of all four malware families. The latest Brazilian banking Trojan groups are:

  • Guildma
  • Javali
  • Melcoz
  • Grandoreiro

These Trojans attack Brazilian banks. Some of those banks also operate in multiple countries, so it is fair to say that the risk is worldwide.

The Process of Sending Initial Payloads

The Javali and Guildma groups follow the same approach to delivering and distributing their initial payloads. According to Kaspersky’s research, both deliver their initial payloads through phishing scams.

It is also worth mentioning that the Guildma Trojan has been operating covertly since 2015 and has since expanded its features, its stealth, and its targeted regions, which include Brazil and Latin America.

The Guildma Trojan used Facebook and YouTube pages to store its command-and-control communication in encrypted form, which made the malware difficult to detect.

Details of the Javali Malware Group

The Javali malware has been operating since 2017 and now targets regions such as Mexico. Like Guildma, Javali relies on phishing emails to spread and distribute its payloads, and it cleverly uses YouTube to host and manage its command-and-control communications.

According to Kaspersky’s research, each phishing email contains a Microsoft Installer file with an embedded Visual Basic script, which retrieves the final malicious payload remotely from the command-and-control infrastructure and installs it.

Besides that, the malware uses several obfuscation methods to hide its malicious code from security analysts.

Details of the Melcoz Group

Melcoz has been engaged in its nefarious activities since 2018. It is one of the most intimidating banking Trojan groups: it steals passwords from the memory of users’ computers and from their browsers.

It also has a separate module dedicated to stealing Bitcoin wallets by replacing the victim’s original wallet information with the cybercriminal’s own wallet. This Trojan is spreading rapidly in various regions, with Latin America topping the chart.

The Kaspersky report also concluded that Melcoz uses tools such as AutoIt and VBS inside the Microsoft Installer file, along with a DLL-hijacking trick, to circumvent security controls.

Details of the Grandoreiro Trojan

The Grandoreiro Trojan is not new; it has been active since 2016. Here is a shocking fact: compared with the other three Trojan groups, Grandoreiro is the most intimidating and prevalent banking Trojan.

One unique thing about this Trojan is that it operates on an as-a-service model. It uses multiple techniques to distribute its payload and to persist covertly.

The Grandoreiro Trojan uses spear-phishing and vulnerable websites to deliver its payload. Like Javali and Guildma, it also conceals its command-and-control communications using legitimate third-party websites.

Conclusion – On the Security Front

Cyberattacks and banking Trojans are increasing rapidly. Various countries are hiring cybercriminals to build nefarious Trojans for their own benefit. Financial institutions worldwide should therefore be vigilant and deploy biometric verification alongside VPNs and two-factor authentication. Strong passwords combined with two-factor authentication, biometric verification, and firewall protection are a useful and practical defence against such resilient banking Trojans.
