Malware campaign targeting banks in Spain and Latin America

We have been tracking the footprint of an actor conducting a campaign targeting Latin American and Spanish users in recent months.

The immediate objective of the campaign is the installation of a banking trojan on the users’ systems, with the goal of stealing sensitive financial information that can be used to perform fraud. Within the configuration parameters of this trojan there are more than eighty banks and a number of cryptocurrency-related sites present.

Technical Report

Today we have published a technical report detailing the distribution, email, downloader, banker and other details surrounding this campaign. It includes an extensive list of IOCs and can be viewed at this link.

Our dedicated threat intelligence module delivers real-time alerts for this type of malicious campaign targeting your organization. Through robust and continuous analysis of millions of malware samples per month, we provide forensic reporting on malware behavior targeting your systems.

Malware Campaign Overview

The stage 1 malware is distributed through a massive email campaign, delivering what appears to be electronic invoices in PDF with a download link. The link downloads a ZIP file impersonating a PDF, but in fact leads to its payload hosted in Dropbox.

Once the payload is executed, the features and operation of this malware allow the attacker to bypass online banking security mechanisms such as 2FA by SMS or the use of a physical token.

The malware family has its origins in KLREMOTE TOOLKIT, a tool offered in the Brazilian underground since 2014.

This toolkit allows malicious actors to take control of the infected system while the user is operating on their online banking account, and through fake windows and overlays convince the user to disclose the information necessary to carry out a money transfer: passwords, 2FA tokens, and other sensitive information.

Members of this family are equipped with all the necessary tools to carry out this attack: Functionality to work as a RAT and a keylogger, the capability to download and execute files, as well as a collection of images corresponding to various banking entities.

Members of this malware family incorporate different anti-analysis and anti-VM mechanisms, their purpose is to stop malware activity when running under certain environmental conditions: Virtual machines or systems that have certain analysis tools. A function in the malware code is responsible for performing all these checks.

Impact on the user

In this malware campaign, the malware can detect when the user is operating with their online banking account. A rudimentary system that allows malware to activate certain functionalities at the moment that the user makes use of electronic banking.

A series of fake windows and overlays, combined with a bit of social engineering, allows the actors to carry out the theft. The malware contains a plethora of images for this purpose, and each affected bank has its own images corresponding to each step of the deception.


There are some elements related to the threat actor behind this campaign which are quite characteristic:

  • The distribution is performed via spam, pretending to be an electronic invoice.
  • Both malware families used by the actor (W32/Banload and W32/Banker) are written in Delphi
  • The “invoice theme” is still used in filenames and file icons
  • The final malware is stored in Dropbox, it is zipped and its decompressed size is quite large
  • The attack requires a high level of manual intervention by the actor: the attacker must access the user’s bank account while they are using it
  • Mainly targeting Spanish-speaking users and banks, but also some Brazilian entities

Some of these elements point to an attacker which is not extremely advanced and more located in LatAm. The modus operandi and tools typically match with Brazilian actors, but also actors located in other South American countries have been seen with a similar behavior.


With a moderate degree of confidence we expect this campaign to continue into 2020 and advise a high level of vigilance for both end users and banks, especially in Spanish and Portuguese-speaking markets. Blueliv continues to monitor the evolution of this malware and is engaged in actor identification techniques.

This seminal phishing technique remains one of the most effective attack vectors used by cybercriminals. Though an attacker profile performing phishing attacks is usually less sophisticated than counterparts performing major fraud, it is still a persistent threat which all organizations and users should be aware of.

Our aggressive solution proactively hunts down this kind of targeted malware and ‘Man in the Browser’ attacks, aimed specifically at your organization. Through robust and continuous analysis of millions of malware samples per month, we provide forensic reporting on malware behavior targeting your systems.

We are grateful to the Caixabank eCrime team for sharing intelligence and collaborating with Blueliv on this investigation.

Dark Commerce

Exploring the cybercrime industry and its business models: part 1

Read free report
Demo Free Trial MSSP