Brazil Sao Paulo
Image: Lucas Marcomini via Unsplash

New banking trojan spotted circulating among Brazilian targets

Security researchers have identified new malware aimed at stealing banking credentials from Brazilians, as cybercriminals continue to target the country’s financial sector.

A trojan labeled CHAVECLOAK is spreading through a malicious PDF file, and victims might discover that their banking credentials are stolen after infection, report analysts at cybersecurity firm Fortinet.

Banking trojans show up regularly in Brazil, where federal police recently said they cracked down on the gang behind the Grandoreiro malware, which racked up nearly $4 million in illicit profits over several years.

CHAVECLOAK has similar goals, according to Fortinet, and it facilitates various actions to steal a victim's credentials, such as allowing the operator to block the victim's screen, log keystrokes, and display deceptive pop-up windows.”

It not only monitors the victim’s access to specific financial portals, the researchers say, but it also looks for connections to Mercado Bitcoin, a large cryptocurrency exchange that has traditional banking as well as cryptocurrency functions.

The malicious PDF appears to be “documents related to a contract, with instructions written in Portuguese,” Fortinet says. “It lures its victims to click a button so they can read and sign the attached documents,” but it’s really “a malicious downloader link.”

Other examples of Brazil-related cybercrime operations include the Horabot botnet; a campaign that targeted Portuguese banks; alleged Brazilian connections to the Lapsus$ hacking group; and the Mekotio banking trojan.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
What is Threat Intelligence
No previous article
No new articles
Joe Warminsky

Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.