New Banking Trojan CHAVECLOAK Targets Users through Phishing Emails

A new banking trojan called CHAVECLOAK is actively targeting users in Brazil through phishing emails carrying PDF attachments. According to the researcher who analyzed it, the infection chain starts with the PDF fetching a ZIP archive, which in turn relies on DLL side-loading to execute the final payload.

The attack begins with contract-themed DocuSign lures that trick users into opening a PDF. The PDF contains a button that supposedly lets the recipient read and sign the document. Clicking it instead triggers the download of an installer from a remote link that has been shortened with the Goo.su URL shortening service.
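A lure like this can be triaged before anyone clicks it: a link annotation in a PDF is a `/Link` object whose `/A` dictionary carries a `/URI` action, and the target URL sits in that dictionary as a literal or hex string. The following added example (not code from the report or the campaign) scans a PDF for `/URI` actions, including those hidden inside Flate-compressed object streams, and flags targets that point at a URL shortener or an IP-literal host. The sample PDF bytes, the Temp-style paths and the shortener list beyond goo.su are constructed assumptions for illustration.

```python
import re
import zlib
from urllib.parse import urlparse

# Constructed sample PDF (not the real lure): one page with two link
# annotations, one pointing at a shortener and one at a normal domain.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 640]
   /A << /S /URI /URI (https://goo.su/abc123) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 500 300 540]
   /A << /S /URI /URI (https://www.docusign.com/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed PDF 1.5-style sample: the annotation lives inside a
# FlateDecode object stream, so a plain grep over the file misses it.
# The hex string decodes to https://goo.su/xz
SAMPLE_PDF_COMPRESSED = (
    b"%PDF-1.5\n6 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"4 0 obj << /Type /Annot /Subtype /Link "
                    b"/A << /S /URI /URI <68747470733a2f2f676f6f2e73752f787a> >> >> endobj")
    + b"\nendstream\nendobj\n%%EOF\n"
)

# goo.su is the service named in the report; the others are common
# shorteners added here as an assumption for the heuristic.
SHORTENERS = {"goo.su", "bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

# /URI (literal string); the lookbehind skips escaped ')' inside the string.
URI_LITERAL = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
# /URI <hex string>
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape(s: bytes) -> str:
    # PDF literal strings escape ( ) and \ with a backslash.
    return re.sub(rb"\\([()\\])", rb"\1", s).decode("latin-1")


def _from_hex(h: bytes) -> str:
    digits = re.sub(rb"\s", b"", h)
    if len(digits) % 2:          # PDF pads an odd trailing digit with 0
        digits += b"0"
    return bytes.fromhex(digits.decode()).decode("latin-1")


def _scan_buffers(pdf: bytes):
    # Scan the raw file, then every stream that inflates as zlib data.
    yield pdf
    for m in STREAM.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # image data or an unsupported filter, skip it


def extract_uris(pdf: bytes) -> list[str]:
    found = []
    for buf in _scan_buffers(pdf):
        found += [_unescape(m.group(1)) for m in URI_LITERAL.finditer(buf)]
        found += [_from_hex(m.group(1)) for m in URI_HEX.finditer(buf)]
    return found


def triage_pdf(pdf: bytes) -> list[tuple[str, list[str]]]:
    """Return (uri, reasons) pairs; an empty reason list means nothing suspicious."""
    results = []
    for uri in extract_uris(pdf):
        host = (urlparse(uri).hostname or "").lower()
        reasons = []
        if host in SHORTENERS:
            reasons.append("url-shortener")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("ip-literal host")
        results.append((uri, reasons))
    return results


if __name__ == "__main__":
    for sample in (SAMPLE_PDF, SAMPLE_PDF_COMPRESSED):
        for uri, reasons in triage_pdf(sample):
            print(uri, "->", ", ".join(reasons) or "ok")
```

This is a triage heuristic, not a parser: it deliberately tolerates malformed files, which is what phishing PDFs usually are. Streams compressed with filters other than FlateDecode, or encrypted documents, are not inspected, so an empty result is "nothing found", not "clean". A shortened link is not malicious by itself, but a "review and sign" document whose only call to action resolves through a shortener to an installer download is the pattern this campaign relies on.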

Inside the installer is an executable named "Lightshot.exe" that loads "Lightshot.dll" from its own directory; that DLL is CHAVECLOAK, delivered through DLL side-loading so that the malicious code runs under the name of an otherwise benign program. Once loaded, the malware gathers system metadata and checks whether the compromised machine is located in Brazil. If it is, it monitors the foreground window to detect when the victim is using a financial portal and establishes a connection with a command-and-control (C2) server to exfiltrate data related to those financial institutions.
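The defensive signal in this chain is the side-load itself: a process running from a user-writable location loads an unsigned DLL that sits beside it. The following added example (not code from the report) applies that check to Sysmon-style "Image loaded" records (Event ID 7). The records, their paths and the signer values are constructed assumptions for illustration; only the file names Lightshot.exe and Lightshot.dll come from the article.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style Event ID 7 records, trimmed to the three fields the
# check needs. Paths and signer values are assumptions, not campaign data.
SAMPLE_EVENTS = [
    # Installer dropped into Temp: EXE loads an unsigned DLL from the same dir.
    {"Image": r"C:\Users\victim\AppData\Local\Temp\Lightshot\Lightshot.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\Lightshot\Lightshot.dll",
     "Signed": "false"},
    # Same EXE installed normally under Program Files: not flagged.
    {"Image": r"C:\Program Files\Lightshot\Lightshot.exe",
     "ImageLoaded": r"C:\Program Files\Lightshot\Lightshot.dll",
     "Signed": "true"},
    # System binary loading a system DLL: not flagged.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcrt.dll",
     "Signed": "true"},
    # Downloaded EXE loading a DLL from System32: not side-by-side, not flagged.
    {"Image": r"C:\Users\victim\Downloads\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll",
     "Signed": "true"},
    # Unsigned DLL beside an EXE in Downloads: flagged.
    {"Image": r"C:\Users\victim\Downloads\viewer.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\version.dll",
     "Signed": "false"},
]

# Directory roots where side-by-side DLLs are expected and usually legitimate.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Substrings that mark user-writable staging locations (assumed list).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\", "\\temp\\")


def is_sideload_candidate(ev: dict) -> bool:
    exe = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return False
    # The side-loaded DLL sits next to the EXE (PureWindowsPath compares
    # case-insensitively, as Windows does).
    if exe.parent != dll.parent:
        return False
    exe_dir = str(exe.parent).lower() + "\\"
    if exe_dir.startswith(TRUSTED_ROOTS):
        return False
    if not any(marker in exe_dir for marker in USER_WRITABLE):
        return False
    # A signed DLL beside a signed EXE in Temp is still odd, but the unsigned
    # case is the one worth paging on.
    return ev.get("Signed", "false").lower() != "true"


def detect(events: list[dict]) -> list[str]:
    """Return the ImageLoaded paths that look like DLL side-loading."""
    return [ev["ImageLoaded"] for ev in events if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("possible DLL side-loading:", hit)
```

The check is intentionally narrow so that it stays quiet on developer machines: it requires all three conditions (user-writable directory, DLL beside the EXE, DLL unsigned). Loosening any one of them, for example dropping the directory test, catches more but will fire on every portable application a user runs from a network share. Pair it with the installer download that precedes it: a ZIP or installer fetched through a URL shortener, followed minutes later by this event from the extracted directory, is the sequence the article describes.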

CHAVECLOAK supports a range of malicious actions, including blocking the victim's screen, logging keystrokes, and displaying deceptive pop-up windows. It actively monitors the victim's access to specific financial portals, including banks and cryptocurrency platforms, which is when these capabilities are used to capture credentials and interfere with the session.

Additionally, the researcher discovered a Delphi variant of CHAVECLOAK, consistent with the long-standing prevalence of Delphi-based banking malware targeting Latin America. The trojan represents a significant threat to the financial sector, particularly in Brazil, and illustrates how these regional families keep evolving.

The discovery of CHAVECLOAK comes amid an ongoing mobile banking fraud campaign targeting the U.K., Spain, and Italy. That campaign uses smishing and vishing to deploy an Android malware called Copybara, with the goal of performing unauthorized banking transfers from the infected device.

The threat actors behind these campaigns use a centralized web panel called "Mr. Robot" to orchestrate multiple phishing campaigns against various financial institutions. The panel lets them enable and manage campaigns as needed, reflecting a structured, service-like approach to phishing.

Furthermore, the C2 framework orchestrates tailored attacks on financial institutions using phishing kits that mimic the user interface of the targeted bank. These kits employ anti-detection measures such as geofencing and device fingerprinting to restrict connections to mobile devices in the targeted countries, so that researchers and sandboxes connecting from elsewhere never see the phishing page.

The sophistication of on-device fraud (ODF) schemes is exemplified by a recent TeaBot campaign that infiltrated the Google Play Store disguised as PDF reader apps. The dropper application downloads a banking trojan from the TeaBot family, using evasion techniques and a check of the victim's country before fetching the final payload.

Taken together, these developments show an escalating threat landscape for financial institutions and their customers, and underline the need for both technical controls and user vigilance.

To reduce the risk of CHAVECLOAK infections, keep systems current with security patches and use reputable antivirus and firewall protection. Train users to distrust unsolicited "review and sign" documents, especially PDFs whose buttons lead through a URL shortener to an archive or installer download. On the monitoring side, watch for executables run from temporary or download directories that load unsigned DLLs placed alongside them, which is the side-loading pattern this campaign uses, and regularly audit systems for other signs of compromise.