A new variant of malware called Amavaldo was recently detected, targeting bank users especially in Mexico and Brazil. A comprehensive analysis by ethical hacking experts from security firm ESET identified more than 10 new malware families, detecting attacks in other Latin American countries.
According to specialists, these Trojans share clearly identifiable features: they are written in Delphi, include backdoor functions, abuse legitimate files and programs to complete the infection process, and use algorithms that are rarely or never seen elsewhere.
To get started, the attackers use a Windows executable that is presented to the victim as a legitimate company software installer; in reality, this tool is used to download the Amavaldo malware. According to ethical hacking experts, the campaign operators also resort to social engineering tactics to get the victim to hand over credit card data.
Subsequently, the Trojan monitors the active windows on the victim's computer for activity related to banking institutions. If the search succeeds, the malware deploys a fake pop-up that copies the contents of the legitimate banking site, which can lead to theft of sensitive data.
In their research, ESET experts mention that Amavaldo is a modular malware made up of three distinct components:
- A copy of a legitimate app
- An injector
- An encrypted banking Trojan
When the victim interacts with the malicious program, all the contents of the ZIP file are saved on the compromised system's hard drive. Then:
- The injector is executed via DLL side-loading
- The injector injects itself into wmplayer.exe or iexplore.exe
- The injector searches for the encrypted banking Trojan (a file without extension whose name matches that of the injector DLL)
- If such a file is found, the injector decrypts and executes the banking Trojan
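The on-disk layout described above (a DLL next to an extensionless file with the same name, the latter being an encrypted payload) is something an incident responder can check for during triage. The following is an added example, not ESET's code or anything from the Amavaldo sample: it walks a directory, pairs each DLL with an extensionless sibling of the same stem, and measures the sibling's Shannon entropy as a rough indicator that it is encrypted or packed. The directory contents it builds are constructed for the demonstration; the 7.0-bit entropy threshold is an assumed heuristic, not a value from the report.

```python
import math
import random
import tempfile
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_sideload_candidates(directory, entropy_threshold: float = 7.0):
    """Flag every DLL that has an extensionless sibling file with the same stem.

    This mirrors the artefact pattern described in the report: the injector DLL
    looks for an encrypted file named exactly like itself but without extension.
    The entropy threshold (assumed, 7.0 bits/byte) marks the sibling as likely
    encrypted or packed; compressed data will also score high, so treat this as
    a triage hint rather than a verdict.
    """
    root = Path(directory)
    findings = []
    for dll in sorted(p for p in root.iterdir() if p.is_file() and p.suffix.lower() == ".dll"):
        payload = root / dll.stem          # same name, no extension
        if not payload.is_file():
            continue
        data = payload.read_bytes()
        ent = shannon_entropy(data)
        findings.append({
            "dll": dll.name,
            "payload": payload.name,
            "payload_size": len(data),
            "entropy": round(ent, 2),
            "likely_encrypted": ent >= entropy_threshold,
        })
    return findings


def build_constructed_sample(root: Path) -> None:
    """Write a constructed directory that imitates the described ZIP contents."""
    stub_pe = b"MZ" + b"\x00" * 64                      # stand-in for a real PE file
    (root / "installer.exe").write_bytes(stub_pe)        # the legitimate-looking app
    (root / "helper.dll").write_bytes(stub_pe)           # the injector DLL (name is made up)
    rng = random.Random(1234)                            # deterministic pseudo-random payload
    (root / "helper").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    (root / "other.dll").write_bytes(stub_pe)            # a DLL with no matching payload


def run_demo():
    """Build the constructed sample in a temp dir and return the triage findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        return find_sideload_candidates(root)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Run against an extracted copy of a suspicious archive or a user's Downloads folder; a hit where the extensionless sibling scores close to 8 bits per byte is worth pulling for deeper analysis, while a low score usually means plain data and a likely false positive.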
In addition to being modular, another important feature of Amavaldo is its use of a custom encryption scheme. The developers padded the malware code with junk strings that serve no function. Ethical hacking specialists wrote simplified pseudocode of the routine to work out the logic of the algorithm. The same routine is shared by the banking Trojan and the downloader, which is unusual behaviour.
Once the infection process is complete, Amavaldo proceeds to collect some details about the compromised system, including:
- Computer identification data and operating system version
- Whether bank protection software is present
- The location of certain files
In addition, the backdoor features in Amavaldo allow the attackers to perform malicious tasks such as:
- Taking screenshots
- Intercepting photos taken with the webcam
- Downloading and running other programs
- Updating the malware
Ethical hacking experts claim that, until a couple of months ago, the malware had only been detected in Brazil; reports of its appearance in Mexico began in May this year.
According to specialists from the International Institute of Cyber Security (IICS), Amavaldo is just one of many newly developed malware families capable of extracting sensitive information, especially bank details. Users need to remain alert to any phishing attempt, which is often the first step attackers take to obtain what they need to compromise a target system.