Malicious Advertising Campaign Targets Payment System with GoPIX Malware

The widespread adoption of Brazil’s PIX instant payment system has attracted the attention of cybercriminals seeking to exploit it for financial gain through a newly discovered malware known as GoPIX.

It appears that the attackers employ a tactic known as “malvertising,” where their malicious links are strategically placed in the advertising section of search engine results, ensuring that potential victims encounter them first. When a user clicks on one of these links, they are redirected to a landing page where the malware is hosted.

In a bid to avoid detection and filter out sandboxes and bots, users who click on these malicious ads are further redirected through a cloaking service.

This service employs a fraud prevention solution called IPQualityScore to determine whether the visitor is a genuine human user or a bot. If the user passes this check, they are presented with a fake WhatsApp download page, enticing them to download a malicious installer.

Interestingly, the choice of download URL depends on whether port 27275 is open on the user’s system. If the port is open, a ZIP file containing an LNK file with an obfuscated PowerShell script is downloaded.

If the port is closed, the malware is directly downloaded via an NSIS installer package. This approach is deliberately designed to bypass security software and deliver the malware to the target system.

The primary purpose of the installer is to retrieve and execute the GoPIX malware. This malware operates as a clipboard stealer, intercepting PIX payment requests and replacing them with a PIX string controlled by the attacker, obtained from a command-and-control (C2) server.

GoPIX can also manipulate Bitcoin and Ethereum wallet addresses, although these are hardcoded within the malware and not fetched from the C2. The malware can receive commands from the C2, primarily related to removing the malware from the infected machine.

This isn’t the only campaign targeting users searching for messaging apps like WhatsApp and Telegram on search engines. In a separate set of attacks in the Hong Kong region, fraudulent ads on Google search results lead users to fake pages encouraging them to scan a QR code to link their devices. However, the QR codes are from malicious sites, allowing attackers to gain access to victims’ WhatsApp accounts.

Beside of that, the emergence of a new version of the Brazilian banking trojan Grandoreiro, which is targeting victims in Mexico and Spain, marking an unusual increase in activity. These activities have been attributed to a threat actor known as TA2725, which is known for using Brazilian banking malware and phishing techniques.

Furthermore, the article touches upon the growing trend of Latin American-focused malware campaigns expanding their reach to Europe, as seen with attacks on Spanish entities. Additionally, it mentions the proliferation of information stealers in the cybercrime economy, with malware-as-a-service (MaaS) offerings making it easier for less technically skilled criminals to conduct cyberattacks.