Traditionally, Brazil is known for being the home of BANCOS, which steals the banking information of users and is generally limited to the Latin American region. Other banking Trojans like ZeuS, SpyEye, and CARBERP, which are common in other regions, are not traditionally used by Brazilian cybercriminals and not aimed at Brazilian users either.
However, that might be changing. In a local hacker forum, we saw a post where somebody was selling some rather well-known malware kits:
- Zeus version 3
- SpyEye version 1.3.48
- Citadel version 1.3.45
- Carberp (“last version with all resources”)
- CrimePack Exploit kit version 3.1.3 (leaked version)
- Sweet Orange exploit kit version 1.0
- Neutrino exploit kit
- Redkit exploit kit
In addition, if an interested buyer purchases any of the kits listed above, he will also get the kit for SpyEye version 1.3.45 for free.
Figure 1. Screenshot of the online ad
It’s worth noting too that the prices posted are extraordinarily attractive. For Zeus and CrimePack, a potential buyer needs only to shell out 350 Brazilian reais (175 US dollars) each. SpyEye and Carberp cost around 150 reais (75 US dollars), while a Citadel kit costs 100 reais (50 US dollars).
In a later update, the guy also advertised that he had some phishing scam kits too. The targets include well-known entities like PayPal, Bank of America, HSBC and SCI Liberty Reverse (a Costa Rica-based payment processor), and each kit costs only 50 reais (25 US dollars).
Figure 2. Updated advertising phishing kits
In the near future, we can expect a mix of the two threats. Should this occur, the first wave of attacks may be malicious webinjects targeting Brazilian banks. The second wave can be divided into two: BANCOS variants may start to use part of the code from the kits to steal data; alternatively, the imported botnets may start using the modules needed to bypass the security of Brazilian banks.
In the end, we will have both botnets and BANCOS malware becoming more furtive and powerful in stealing data and money from users. A side effect is that we expect to find more botnets active in Brazil, which may even end up forking to create versions that are specifically targeted at Brazilian users.
To learn more about banking Trojans and other developments regarding crimeware, see The Crimeware Evolution, a paper previously published by my colleague Loucif Kharouni, which provides insights about what we can expect from toolkits like Zeus.