ANNOUNCEMENT
Back to Newsroom

Cybereason’s Nocturnus Team Discovers the Source Behind Financial Malware Targeting Banks in South America and Europe

Nov 29, 2018

Cybereason, creators of the leading cybersecurity end-to-end AI Hunting solution, today announced that its Nocturnus team discovered the source of a pervasive variant of malware used to attack Brazilian banks that spread to more than a dozen countries in South America and Europe. More than 60 banks have thus far been infected impacting millions of customers.

The new research also details the techniques used by Brazilian threat actors throughout 2017-2018 and highlights how effective their methods are at evading security products, as demonstrated by the low detection rate. The findings build off initial research from September 2018 when Nocturnus first blogged about the growing Brazilian threat landscape and the pervasiveness of financial malware.

"Brazil is a major contributor to the global cybercrime ecosystem yet oftentimes flies under the radar because other nation states garner the majority of news headlines. And in many respects that has contributed to the growth of the cybercrime ecosystem in Brazil,” said Assaf Dahan, senior director, threat hunting, Cybereason. “What is most surprising about our discovery and tracking of Brazilian threat actors is the pervasiveness of this particular variant and the sheer volume of Spanish speaking countries being targeted rises to unseen levels.”

Cybereason’s research identified three key stages that were common to most of the attacks. In each stage, Cybereason observed commonalities in the tools, techniques and procedures that are shared across campaigns including:

  • Social engineering as an entry point (phishing emails)
  • Multiple redirections via URL shorteners and the usage of Dynamic DNS services
  • Payloads hosted on legitimate online storage services and CDNs (content delivery networks)
  • Obfuscated PowerShell downloaders employing command-line logging evasion
  • Living off the land techniques that abuse Microsoft-signed binaries
  • Abusing trusted applications via DLL hijacking
  • Splitting the main payload into two or more components

 

To review Cybereason’s full analysis and findings, visit: https://www.cybereason.com/blog/brazilian-financial-malware-banking-europe-south-america

About Nocturnus
Nocturnus is a group of Cybereason's cybersecurity experts with broad experience in cyber offense and defense with a focus on cutting edge, advanced research. The team has spent years studying the adversary and defending against some of the most advanced cyber attacks. The team’s findings of new attack tools, techniques, and methodologies are used to better protect our customers and educate the broader information security community.

About Cybereason
Cybereason, creators of the leading cybersecurity data analytics platform, gives the advantage back to the defender through a completely new approach to cybersecurity. Cybereason offers endpoint detection and response (EDR), next-generation antivirus (NGAV), and active monitoring services, all powered by its proprietary data analytics platform. The Cybereason suite of products provides unmatched visibility, increases analyst efficiency and effectiveness, and reduces security risk. Cybereason is privately held, having raised $189 million from top-tier VCs, and is headquartered in Boston, with offices in London, Tel Aviv and Tokyo.

Learn more: https://www.cybereason.com/
Follow us: Blog | Twitter | Facebook

Media Contact
Bill Keeler
Director, Public Relations
Cybereason
bill.keeler(at)cybereason.com
(929) 259-3261