Over the past year, threats against financial institutions have exceeded all previous records. This has affected not only the businesses themselves but also their customers, whose sensitive data is at risk.

Making headlines

In a new phishing campaign, customers of European and South American banks are reportedly the target of a new banking trojan.
  • Brazilian hackers have released a trojan dubbed maxtrilha, distributed via customized phishing templates, to infiltrate banking systems across the world.
  • As of now, its instances have been traced in Latin America, broader Europe, and Portugal.
  • Encrypted victim data is sent to a C2 server geolocated in Russia.

About the trojan infection

The trojan is termed maxtrilha because it uses the string maxtrilha123 as an encryption key in a binary operation.
  • maxtrilha is an x64 binary written in Delphi that can bypass AV and EDR systems.
  • In its first stage, it opens the legitimate web page presented on the phishing template and establishes persistence on the infected machine.
  • It then disables Internet Explorer security settings and accepted extensions to make way for the second-stage payload, which also checks for persistence on the machine.
  • In the second stage, maxtrilha installs (or modifies) Windows trusted certificates and overlays banking windows to steal credentials, while also dropping additional payloads that are executed via DLL injection.
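One defensive check that follows from the second-stage behaviour described above, as an added example that is not from the article or the research it summarizes: a PowerShell audit of the Windows trusted-root stores against a known-good baseline. The baseline file path, its one-thumbprint-per-line format, and the 30-day "recently issued" heuristic are assumptions.

```powershell
# Added example (not from the article): report trusted-root certificates that are
# missing from a known-good baseline or were issued recently. A self-signed root
# dropped by a banking trojan usually has a fresh NotBefore date.
param(
    [string]$BaselinePath = "C:\ProgramData\CertBaseline\root-thumbprints.txt",  # assumed path
    [int]$RecentDays = 30                                                         # assumed window
)

# Root stores a user-mode implant can reach, plus the machine-wide ones.
$stores = @("Cert:\CurrentUser\Root", "Cert:\CurrentUser\AuthRoot",
            "Cert:\LocalMachine\Root", "Cert:\LocalMachine\AuthRoot")

# Load baseline thumbprints (one SHA-1 thumbprint per line). With no baseline,
# every root is reported so the first run can be used to build one.
$baseline = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | ForEach-Object { $baseline[$_.Trim().ToUpper()] = $true }
}

$cutoff = (Get-Date).AddDays(-$RecentDays)
$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | Where-Object {
        (-not $baseline.ContainsKey($_.Thumbprint.ToUpper())) -or ($_.NotBefore -gt $cutoff)
    } | Select-Object @{n = 'Store'; e = { $store }}, Thumbprint, Subject, Issuer, NotBefore, NotAfter
}

$findings | Format-Table -AutoSize
# Keep a copy for the incident ticket and for diffing against the next run.
$findings | Export-Csv -Path "$env:TEMP\root-cert-audit.csv" -NoTypeInformation
```

Run it from an elevated prompt so the LocalMachine stores are readable; any root that is both new and absent from the baseline deserves a look at the issuer and the process that wrote it.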

Recent campaigns

  • A few days ago, banking and shopping apps and cryptocurrency wallets of users in the U.S. and Spain came under attack from the S.O.V.A. Android trojan. The trojan, currently in a development and testing phase, aims to add overlay techniques and keylogging mechanisms.
  • Last week, a massive DDoS attack hobbled the New Zealand site of Australia and New Zealand Banking Group, as well as Kiwibank, MetService, and NZ Post, due to an issue at one of their third-party providers.
  • Meanwhile, McAfee discovered an Android/Banker.BT malware threat that masquerades as a security banking tool or as a bank application designed to report an out-of-service ATM.

Final thoughts

Financial industry leaders, along with their security teams, need to find ways to mitigate these threats and minimize their attack surface by addressing flaws in their systems. Besides adopting newer technologies to offer a seamless banking service, it is imperative that organizations allocate funds to upgrade and fortify their security posture, as these threats will only grow in the future.

Cyware Publisher