New banking trojan spotted circulating among Brazilian targets

Security researchers have identified new malware aimed at stealing banking credentials from Brazilians, as cybercriminals continue to target the country’s financial sector.

A trojan labeled CHAVECLOAK is spreading through a malicious PDF file, and victims might discover that their banking credentials are stolen after infection, report analysts at cybersecurity firm Fortinet.

Banking trojans show up regularly in Brazil, where federal police recently said they cracked down on the gang behind the Grandoreiro malware, which racked up nearly $4 million in illicit profits over several years.

CHAVECLOAK has similar goals, according to Fortinet, and it facilitates various actions to steal a victim's credentials, such as allowing the operator to block the victim's screen, log keystrokes, and display deceptive pop-up windows.”

It not only monitors the victim’s access to specific financial portals, the researchers say, but it also looks for connections to Mercado Bitcoin, a large cryptocurrency exchange that has traditional banking as well as cryptocurrency functions.

The malicious PDF appears to be “documents related to a contract, with instructions written in Portuguese,” Fortinet says. “It lures its victims to click a button so they can read and sign the attached documents,” but it’s really “a malicious downloader link.”

Other examples of Brazil-related cybercrime operations include the Horabot botnet; a campaign that targeted Portuguese banks; alleged Brazilian connections to the Lapsus$ hacking group; and the Mekotio banking trojan.