Malvertising Campaign Targets Brazil’s PIX Payment System with GoPIX Malware

The popularity of Brazil’s PIX instant payment system has made it a lucrative target for threat actors looking to generate illicit profits using a new malware called GoPIX.

Kaspersky, which has been tracking the active campaign since December 2022, said the attacks are pulled off using malicious ads that are served when potential victims search for “WhatsApp web” on search engines.

“The cybercriminals employ malvertising: their links are placed in the ad section of the search results, so the user sees them first,” the Russian cybersecurity vendor said. “If they click such a link, a redirection follows, with the user ending up on the malware landing page.”

As other malvertising campaigns observed recently, users who click on the ad will be redirected via a cloaking service that is meant to filter sandboxes, bots, and others not deemed to be genuine victims.

This is accomplished by using a legitimate fraud prevention solution known as IPQualityScore to determine if the site visitor is a human or a bot. Users who pass the check are displayed a fake WhatsApp download page to trick them into downloading a malicious installer.

In an interesting twist, the malware can be downloaded from two different URLs depending on whether port 27275 is open on the user’s machine.

“This port is used by the Avast safe banking software,” Kaspersky explained. “If this software is detected, a ZIP file is downloaded that contains an LNK file embedding an obfuscated PowerShell script that downloads the next stage.”

Should the port be closed, the NSIS installer package is directly downloaded. This indicates that the additional guardrail is set up explicitly to bypass the security software and deliver the malware.

The main purpose of the installer is to retrieve and launch the GoPIX malware using a technique called process hollowing by starting the svchost.exe Windows system process in a suspended state and injecting the payload into it.

GoPIX functions as a clipboard stealer malware that hijacks PIX payment requests and replaces them with an attacker-controlled PIX string, which is retrieved from a command-and-control (C2) server.

“The malware also supports substituting Bitcoin and Ethereum wallet addresses,” Kaspersky said. “However, these are hardcoded in the malware and not retrieved from the C2. GoPIX can also receive C2 commands, but these are only related to removing the malware from the machine.”

This is not the only campaign to target users searching for messaging apps like WhatsApp and Telegram on search engines.

In a new set of attacks concentrated in the Hong Kong region, bogus ads on Google search results have been found to redirect users to fraudulent lookalike pages that urge users to scan a QR code to link their devices.

“The issue here is that the QR code you are scanning is from a malicious site that has nothing to do with WhatsApp,” Jérôme Segura, director of threat intelligence at Malwarebytes, said in a Tuesday report.

As a result, the threat actor’s device gets linked to the victim’s WhatsApp accounts, granting the malicious party complete access to their chat histories and saved contacts.

Malwarebytes said it also discovered a similar campaign that uses Telegram as a lure to entice users into downloading a counterfeit installer from a Google Docs page that contains injector malware.

The development comes as Proofpoint revealed that a new version of the Brazilian banking trojan dubbed Grandoreiro is targeting victims in Mexico and Spain, describing the activity as “unusual in frequency and volume.”

The enterprise security firm has attributed the campaign to a threat actor it tracks as TA2725, which is known for using Brazilian banking malware and phishing to single out various entities in Brazil and Mexico.

The targeting of Spain points to an emerging trend wherein Latin American-focused malware are increasingly setting their sights on Europe. Earlier this May, SentinelOne uncovered a long-running campaign undertaken by a Brazilian threat actor to target over 30 Portuguese banks with stealer malware.

Meanwhile, information stealers are flourishing in the cybercrime economy, with crimeware authors flooding the underground market with malware-as-a-service (MaaS) offerings that provide cybercriminals with a convenient and cost-effective means to conduct attacks.

What’s more, such tools lower the entry barrier for aspiring threat actors who may lack technical expertise themselves.

The latest to join the stealer ecosystem is Lumar, which was first advertised by a user named Collector on cybercrime forums in July 2023, marketing its capabilities to capture Telegram sessions, harvest browser cookies and passwords, retrieve files, and extract data from crypto wallets.

“Despite having all these functionalities, the malware is relatively small in terms of size (only 50 KB), which is partly due to the fact that it is written in C,” Kaspersky noted.

“The emerging malware is often advertised on the dark web among less skilled criminals, and distributed as MaaS, allowing its authors to grow rich quickly and endangering legitimate organizations again and again.”