A study conducted around June last year revealed a malware-based fraud ring that infiltrated one of Brazil’s most popular payment methods – the Boleto Bancário, or simply the boleto. While the research and analysis were already published by RSA, we have recently discovered that this highly profitable fraud is still out in the wild and remains an effective way for cybercriminals to carry out online banking theft in Brazil.
The boleto malware campaign had a reported potential loss of US$3.75 billion. The recent detections we found comprise malicious Mozilla Firefox and Google Chrome extensions cleverly installed on victims’ machines. Spammed messages containing fake claims of debts that must be paid to the government are used to get users to install these extensions.
What is a “boleto”?
The boleto (or “ticket” in English) is a type of payment slip that serves as a method of payment in Brazil regulated by the Brazilian Federation of Banks (FEBRABAN). Each boleto has a printed bar code and number associated with the person’s bank account, among other details. For instance, when users shop online, they may opt to use the boleto method of payment instead of credit cards and direct money transfers. If users decide to choose the boleto payment method, the shopping website generates a payment slip with a bar code that users can view, copy, or print in order to issue the payment. Here’s an example of a boleto.
Figure 1. Example of a boleto for R$934.23 (Brazilian Real). The bar code matches the number on the top. Both can be used to pay the boleto. Other items in the boleto include the person’s full name and phone number.
The use of the boleto payment method isn’t limited to online shopping websites. Government fees, car and house taxes, and almost any kind of payment can also be paid using it. It is a very common payment method in Brazil, a country where 18% of total bank transactions take place online.
How does the boleto infection take place?
To give an overview of how the infection takes place, here’s a diagram that shows how the attack plays out, from users receiving spammed messages to the money ending up with the money mules.
The BROBAN malware family is frequently used in boleto fraud. These arrive via spammed emails, which typically contain fake messages alleging that the user has “debts” to the government that must be paid. Malicious links in the emails lead the user to install a browser extension (either for Mozilla Firefox or Google Chrome), as seen below:
Figure 2. Malicious browser extension in Mozilla Firefox
In the example below, the criminals did not bother to write a proper description for the add-on and left it as “a basic add-on.” This was probably retained from a basic add-on creation tutorial.
Figure 3. Basic add-on creation tutorial for Mozilla Firefox
Below is an example of a malicious browser extension with bar code changing techniques that targets Google Chrome users.
Figure 4. Malicious browser extension in Google Chrome
Notice that this extension requires permissions to modify data in all websites, which is highly suspicious:
Figure 5. The malicious browser extension requires permissions such as reading and modifying all data on the visited websites.
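The permission check shown in Figure 5 can be automated when triaging extensions found on user machines. The script below is an added example, not code from this post or from Trend Micro. It assumes the WebExtension manifest.json format (Chrome extensions already used it in 2015; the Firefox .xpi described here used the older Add-on SDK layout, but current Firefox add-ons use the same manifest). It flags host patterns that grant access to every website, plus the webRequest permissions that allow an extension to intercept traffic. Both manifests embedded in it are constructed for illustration; the “a basic add-on” name mirrors the description mentioned above.

```python
"""Flag browser-extension manifests that ask for access to every website."""
import json
import re

ALL_URLS = "<all_urls>"
# Chrome/Firefox match pattern: <scheme>://<host><path>
MATCH_PATTERN = re.compile(r"^(\*|https?|file|ftp|wss?)://([^/]*)(/.*)?$")
# API permissions that let an extension observe or rewrite HTTP traffic.
TRAFFIC_PERMISSIONS = ("webRequest", "webRequestBlocking")

# Constructed manifests for illustration (not real extensions). The first mirrors the
# situation in Figure 5: a content script injected into every page plus the right to
# read and change all data on every site.
SUSPICIOUS_MANIFEST = """{
  "manifest_version": 2,
  "name": "a basic add-on",
  "version": "1.0",
  "permissions": ["<all_urls>", "webRequest", "webRequestBlocking"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}]
}"""

SCOPED_MANIFEST = """{
  "manifest_version": 3,
  "name": "single-site helper",
  "version": "1.0",
  "host_permissions": ["https://example.com/*"],
  "content_scripts": [{"matches": ["https://example.com/*"], "js": ["content.js"]}]
}"""


def classify_pattern(pattern: str) -> str:
    """Return 'all-hosts', 'wildcard-subdomain', 'single-host' or 'api-permission'."""
    if pattern == ALL_URLS:
        return "all-hosts"
    m = MATCH_PATTERN.match(pattern)
    if m is None:
        return "api-permission"  # e.g. "tabs", "storage": not a host pattern
    host = m.group(2)
    if host == "*":
        return "all-hosts"
    if host.startswith("*."):
        return "wildcard-subdomain"
    return "single-host"


def host_patterns(manifest: dict):
    """Yield (location, pattern) for every place a manifest can name hosts:
    MV2 'permissions', MV3 'host_permissions', optional permissions and content scripts."""
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for p in manifest.get(key, []):
            yield key, p
    for i, script in enumerate(manifest.get("content_scripts", [])):
        for p in script.get("matches", []):
            yield f"content_scripts[{i}].matches", p


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings; an empty list means nothing broad was requested."""
    findings = []
    for where, pattern in host_patterns(manifest):
        kind = classify_pattern(pattern)
        if kind == "all-hosts":
            findings.append(f"{where}: '{pattern}' can read and modify data on every website")
        elif kind == "wildcard-subdomain":
            findings.append(f"{where}: '{pattern}' covers every subdomain")
    requested = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for perm in TRAFFIC_PERMISSIONS:
        if perm in requested:
            findings.append(f"permissions: '{perm}' allows intercepting HTTP requests")
    return findings


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("scoped", SCOPED_MANIFEST)):
        print(label, audit_manifest(json.loads(text)) or ["no broad permissions"])
```

Run against an unpacked extension directory, the constructed manifest above produces four findings while the single-site manifest produces none. Broad permissions alone do not prove an extension is malicious (many legitimate ones need them), but an unknown add-on that both injects a script into every page and can rewrite page data is exactly the profile described in this post and deserves a closer look at its content script.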
We’ve seen this type of malware used in the Brazilian Gizmodo website compromise that spread online banking malware to around 7,000 victims within a two-hour span. Our video (starting at the 10:30 mark) explains how the malware checks the victim’s browser in order to install the malicious add-on.
Based on the Trend Micro™ Smart Protection Network™ feedback in the last 3 months, we found that Brazil is the top country affected by the BROBAN family at 86.95%, and the second most affected country is the United States at 2.87%. Additionally, the heat map below shows data on this attack, with the largest number of infections centered in São Paulo, Brazil. It’s possible that the large number of infections is because São Paulo is the most populous city in that country.
Figure 6. Boleto fraud infections
How was the attack carried out?
Among the various possible attack methods, using malicious extensions for this sort of attack opens up some specific opportunities for cybercriminals:
- They can change the payment slip’s bar code, the related bar code number, or both.
- They can inject new numbers acquired from C&C servers or use hard-coded ones.
We’ll focus on a particular group that uses a combination of various attack methods.
The file a5f20ef51316ce87f72c1e503ebd01c7 is a malicious Firefox extension, detected as BREX_BROBAN.SMK, which may be spammed or dropped by other malware. The file extension used by Firefox add-ons is .xpi, but the file is in fact a .ZIP file. After extraction, the most interesting code is inside the data/content.js file:
Figure 7. Banks prefixes used to match “boletos”
The first variable is a regular expression pattern used to match payment slip numbers so that the malicious routines can start. The second variable contains 138 Brazilian bank prefixes used by the extension to match a boleto number. When a bar code image is found, the malware downloads a new one from the command-and-control (C&C) server, as can be seen in the code below:
Figure 8. Variable containing the C&C address
It also sends the bar code number and the value to the C&C server, which responds with a new bar code number matching the same price. By using a C&C server, the criminals can also keep control of their business.
Figure 9. Code responsible for C&C communication
As a side note, native speakers will recognize the word “rico”, which is Portuguese for “rich”, used in naming files on the C&C server.
Background operation on C&C servers
We had access to the source code of some files in the C&C servers of this particular malware family. The main file, rico.php has some interesting code:
Figure 10. Source code for C&C operation script rico.php
In the code, $arrX is an array containing the bank account numbers used to generate new bar codes. In fact, these are the bank account numbers where criminals receive the stolen money.
The file rico.php also has payment slip number generation routines stolen from an open source project. Based on bank account numbers, criminals can then generate brand new payment slip numbers with bar codes and return them to the malicious add-on script running on infected users’ machines.
Bar code generation
Figure 11. Algorithm used to generate the bar codes with matching boleto numbers
The image above shows part of the algorithm used by criminals to generate the bar codes with matching boleto numbers. URL links to black and white bars are returned to the malicious extension.
Figure 12. Creating a new bar code with aligned images
The bar width is controlled by the algorithm. The result is a new bar code made of aligned images, and a new number to be injected into victims’ browsers.
Who’s behind the boleto fraud?
We were able to determine that the boleto fraud is run by multiple authors, but is probably maintained by only a few. We had access to the control panel web pages that the criminals developed to keep track of sold kits, which are created specifically for other criminals. These are typically sold in the Brazilian underground for around R$400, or US$138.
Considering the techniques used in this attack, we’d say the people behind it are not novices, as they constantly improve their methods. This malware family has dozens of domains registered and hosted on bullet-proof hosting in Russia, Ukraine and other countries that are used as C&C servers.
Based on gathered Whois data, the threat actor involved in this not-so-new attack uses the e-mail address mariomotono99[@]outlook.com, which has recently registered the following domains:
Some of these domains are confirmed to be used as BROBAN C&C servers, serving the JS_BROBAN / BREX_BROBAN malware families. Other domains may be related to different malware campaigns. The following is a list of Google Cloud Storage user names hosting BROBAN:
The following Amazon Cloud user names were also used:
We have already notified Google and Amazon about the malicious accounts.
How Can You Stay Protected Against This Threat?
The FEBRABAN issued a guide on their website for users to determine whether the bar code on their boleto matches the bank prefix or not. The list on the FEBRABAN website has all the bank prefixes in Brazil.
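The FEBRABAN check above (does the bank prefix on the slip match the bank it claims to come from?) can be done programmatically, and the same decoding also covers what the extension’s regular expression and bank-prefix list from Figure 7 match against. The script below is an added example, not code from this post, from Trend Micro or from FEBRABAN. It decodes the 47-digit “linha digitável” printed above the bar code using the standard bank-boleto layout (bank code, currency, three modulo-10 field check digits, a modulo-11 general check digit, due-date factor and amount), rebuilds the 44-digit bar code value, and compares the bank code and amount with what the payer expected. The sample number, the bank list (abbreviated; the full list is on FEBRABAN’s site) and the due-date factor are constructed for illustration.

```python
"""Decode and validate a boleto 'linha digitável' (the 47-digit number printed above the bar code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Abbreviated list of bank codes (the first three digits of a boleto number).
# The full, authoritative list is published on FEBRABAN's website.
KNOWN_BANKS = {
    "001": "Banco do Brasil",
    "033": "Santander",
    "104": "Caixa Econômica Federal",
    "237": "Bradesco",
    "341": "Itaú",
}

# Constructed sample: bank 001, due-date factor 6000, amount R$934.23 (the value in
# Figure 1) and 25-digit free field 1234567890987654321012345. Its check digits were
# computed with the routines below; it does not correspond to any real boleto.
SAMPLE_LINE = "00191.23454 67890.987653 43210.123451 5 60000000093423"


class BoletoError(ValueError):
    """Raised when the number is malformed or a check digit does not verify."""


@dataclass
class Boleto:
    bank_code: str
    bank_name: str
    amount_cents: int
    barcode: str  # the 44-digit value encoded in the bar code


def mod10(digits: str) -> int:
    """FEBRABAN modulo-10 check digit: weights 2,1,2,1... from the right;
    products above 9 have their digits summed (equivalent to subtracting 9)."""
    total, weight = 0, 2
    for ch in reversed(digits):
        product = int(ch) * weight
        total += product - 9 if product > 9 else product
        weight = 1 if weight == 2 else 2
    return (10 - total % 10) % 10


def mod11(digits: str) -> int:
    """FEBRABAN modulo-11 general check digit over the 43 bar-code digits:
    weights 2..9 cycling from the right; results 10 and 11 become 1."""
    total, weight = 0, 2
    for ch in reversed(digits):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - total % 11
    return 1 if dv in (10, 11) else dv


def parse_linha_digitavel(text: str) -> Boleto:
    """Verify all four check digits and rebuild the 44-digit bar code value."""
    digits = re.sub(r"\D", "", text)
    if len(digits) != 47:
        raise BoletoError(f"expected 47 digits, got {len(digits)}")
    # Fields 1-3 each carry their own modulo-10 check digit.
    fields = [(digits[0:9], digits[9]), (digits[10:20], digits[20]), (digits[21:31], digits[31])]
    for n, (body, dv) in enumerate(fields, start=1):
        if mod10(body) != int(dv):
            raise BoletoError(f"field {n} check digit mismatch")
    general_dv = digits[32]
    factor, amount = digits[33:37], digits[37:47]
    free_field = digits[4:9] + digits[10:20] + digits[21:31]  # 25 digits
    # Bar code layout: bank(3) currency(1) DV(1) factor(4) amount(10) free field(25).
    body = digits[0:4] + factor + amount + free_field  # the 43 digits covered by the DV
    if mod11(body) != int(general_dv):
        raise BoletoError("general (modulo-11) check digit mismatch")
    bank = digits[0:3]
    return Boleto(bank, KNOWN_BANKS.get(bank, "unknown bank code"), int(amount),
                  digits[0:4] + general_dv + factor + amount + free_field)


def audit_boleto(text: str, expected_bank: Optional[str] = None,
                 expected_cents: Optional[int] = None) -> List[str]:
    """Return findings; an empty list means the number is internally consistent
    and matches the bank and amount the payer expected."""
    try:
        b = parse_linha_digitavel(text)
    except BoletoError as exc:
        return [f"invalid number: {exc}"]
    findings = []
    if b.bank_code not in KNOWN_BANKS:
        findings.append(f"bank code {b.bank_code} is not in the known-bank list")
    if expected_bank is not None and b.bank_code != expected_bank:
        findings.append(f"bank code {b.bank_code} ({b.bank_name}) does not match expected {expected_bank}")
    if expected_cents is not None and b.amount_cents != expected_cents:
        findings.append(f"amount {b.amount_cents} cents does not match expected {expected_cents}")
    return findings


if __name__ == "__main__":
    print(parse_linha_digitavel(SAMPLE_LINE))
    print(audit_boleto(SAMPLE_LINE, expected_bank="237", expected_cents=93423))
    print(audit_boleto(SAMPLE_LINE[:-1] + "4"))
```

Two things this shows that matter for the fraud described above. A number swapped in by the C&C server is internally consistent (the server generates valid check digits and keeps the same price, as the post explains), so check-digit validation alone will not catch it and an amount check will not either; only comparing the decoded bank code with the bank the merchant or creditor actually uses reveals the substitution. Conversely, a number that fails a check digit (the last call above flips one digit of the amount and the modulo-11 digit no longer verifies) is simply corrupt and would be rejected by the bank.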
This does not mean that users who aren’t based in Brazil are safe from this threat. Browser-related threats via malicious plugins continue to plague unwitting users, so it is advised to steer clear of unknown browser add-ons. If downloading browser add-ons is absolutely necessary, make sure to check their required permissions, and consider disabling add-ons you don’t recognize.
By keeping their security products and antivirus software up to date, users can stay protected against these threats. Trend Micro Security can detect and block the installation of malicious browser extensions. Trend Micro HouseCall can also remove malicious extensions.
For businesses, the Endpoint Security in Trend Micro Smart Protection Suite protects systems against this type of attack by detecting related files and blocking related URLs and emails through our File Reputation, Web Reputation, and Email Reputation Technologies.