Banking Trojan Made in Brazil? A Brief Look
For decades, malware, especially those that can be considered as ‘weaponized’ have been proven developed by state-actors. State-actors are country-hired hackers, with the purpose of developing weaponized software in order to attack another state that falls on their category of being hostile. State-actor hackers have been provided with lots of funds coming from their state sponsors, they are better funded than any typical virus developer.
The United States, Russia, China and the rogue state of North Korea are often credited for developing a specific malware to target a particular state. Any IT professional can remember how Stuxnet, a malware propagating through the use of USB devices and weak networks was able to penetrate Iranian nuclear facilities. This caused a lot of abnormal wear and tear to Iran’s machine responsible for enriching Uranium, and that Stuxnet was allegedly developed by the US deep state in order to keep Iran’s nuclear program at bay.
As technology progress and more people are exposed to development platforms, it is the emerging market’s turn to become source malware. That is exactly what happened with the growth of infection rates of the banking trojan family known as Banload/Banbra/Bancos, all Brazil-made.
The Banload family was first seen emerging from Brazil since 2015 and it continued to receive regular improvements. It was even available for download and forking in Github, one of the first kind of malware available as opensource in 2015. The author claims the software as a legitimate remote access program, and if used by others as a RAT (Remote Access Trojan), it is no longer his fault.
Microsoft has updated the Windows 10 Defender to automatically remove any instances Banload from both memory and the storage device, enabling any updated version of Windows to be immune from its payload. “TrojanDownloader: Win32/Banload.AUN is a member of Win32/Banload – a family of trojans that downloads other malware. Banload is usually used to download and install members of the Win32/Banker and Win32/Bancos families onto affected computers. Win32/Banker and Win32/Bancos are trojans that steal banking credentials and other sensitive data, and send it back to a remote attacker,” explained Microsoft.
Upon close inspection, Defender’s engineers found-out the following functionality of Banload:
- Capability to contact the trojan’s author.
- The author can send instructions and configure trojan’s settings online.
- Capability to download and launch .exe files. Making it an effective launch pad for other families of malware.
- With the instruction of the trojan’s author, can remotely upload any file stored in the PC to a remote server.
Brazil and other Latin American nations are attractive targets for banking trojans, ransomware and other malware due to the nature of computer installations common with those countries. Not everyone uses up to date computers in Latin America, hence typical computer installations there are more susceptible to vulnerability attacks compared to North America and Europe. The main issue possibly the less eagerness to apply updates as soon as they are released by the vendor. Microsoft for its part issues monthly updates to Windows every second Tuesday of the month.