loader gif

​Fraudsters impersonate postal service agents in a new malware campaign to target Brazilian users

rio, brazil, janeiro, de, christ, corcovado, landmark, tourism, urban, aerial, view, summer, beach, copacabana, hill, downtown, coast, america, travel, rock, statue, attraction, south, botafogo, paradise, tourist, guanabara, city, mountain, sugar, scenic, bay, ipanema, sea, loaf, water, vacation, boats, landscape, international, ocean, cityscape
  • The campaign is used to distribute malware that steals banking data.
  • Researchers observed that the banking malware works only when the target’s language is set to Portuguese.

Scammers are conducting a new phishing campaign to target Brazilian users. They are impersonating the Brazilian postal service agents in order to distribute malware that steals banking data.

The malware abuses two legitimate Windows files - the command line utility file Windows Management Instrumentation (WMI) and the program that manages certificates for Windows, CertUtil.

“Although the WMIC and CertUtil have been used in malware campaigns before, this attack integrates both files into its routine and adds even more anti-evasion layers. This indicates that the cybercriminals behind this attack are evolving their tools and techniques for greater stealth and effectivity,” said Byron Gelera and Donald Castillo, researchers at Trend Micro in their analysis report.

Working model

The attack starts with a phishing email that appears to come from the national postal service of Brazil. It notifies the targeted recipients of an unsuccessful delivery. It also contains a bogus tracking code along with a link, which when clicked can result in the spread of malware.

The embedded link takes the victim to a zip file that needs to be downloaded. Once the zip file is downloaded, the victim will be presented with a .LNK file which is actually detected as Trojan.LNK.DLOADR.AUSUJM.

The researchers observed that the banking malware works only when the target’s language is set to Portuguese.

Defending yourself against such scams

Users must cross-check the identity and email address of the sender before clicking on the links. Any suspicious email address that contains random numbers is an indicator of a possible phishing attack. Check out for any grammatical or spelling errors in the body the email. This also helps you stay safe from phishing attacks.

loader gif