Brazilian Banking Trojan Switches Distribution Method

A banking Trojan used primarily in Brazil has switched up its game. Previously being distributed primarily through pornography, the Trojan, which goes by several different names, has made the evolutionary step to being spread through phishing email campaigns.

The banking Trojan targeting victims based in the South American country has been called a few different things by different research groups. Some of those names include Ousaban and Javali. The general consensus is that the same Trojan has been in circulation since 2018.

However, it was previously distributed using pornographic images. This is why another group of researchers calls the malware Ousaban - a portmanteau term combining the Portuguese word for "boldness" and "banking".

The banking Trojan is curiously written in Delphi - not the most common programming language nowadays, but popular with malware developers in South America.

The change in distribution method for Ousaban is recent. The malware is now being spread using malicious phishing emails. The topics used to reel victims into opening the malicious attachments in the phishing mail are usually abusing fake delivery notifications.

The attachment is usually an MSI installer package. When executed, the MSI installer deploys a JavaScript downloader, which in turn grabs an archive file that contains a normal application.

The trick is that the malware also installs the malicious banking Trojan, using a technique called DLL side-loading. It involves planting the malicious payload, which is then invoked by a legitimate application.

In terms of functionality, Ousaban has all the trappings of regular banking Trojans. It can log keystrokes, capture screenshots, exfiltrate user information and simulate mouse and keyboard activity.

The Trojan uses screen overlays when the user hits a banking website and starts entering credentials, effectively stealing the login information. One difference that sets Ousaban apart from other banking Trojans used on South American victims is its ability to steal login credentials from email accounts as well.

To ensure persistence on the infected system, the Trojan either creates a .lnk shortcut or a VBS loader that are placed inside the system startup directory. Obfuscation is also present, with the malicious payloads sometimes reaching a fantastical 400 MB in size, just because of the heavy obfuscation.

By Zaib
May 5, 2021
Computer Security
English
May 5, 2021
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Trojan

The Metamorfo Banking Trojan Disables Auto-Complete to Record the Passwords You Type In

While other threats have come and gone throughout the years, banking trojans have remained a firm favorite with cybercriminals, and although some of the strains like Ursnif have established a reputation for efficient... Read more

February 7, 2020
Trojan

Beware of the Houdini Trojan, or You Might Lose Control over Your Online Banking

For as little as $50 per month, wannabe cybercriminals can go on a popular hacking forum and rent what has been advertised as WSH Remote Access Tool (RAT). As we'll find out in a moment, at least some of them seem to... Read more

June 18, 2019
Trojan

Zeus Sphinx Banking Trojan Has Come Back From the Dead Just in Time for the Pandemic

Zeus Sphinx is officially back. Also known as Terdot, the banking trojan gained infamy a few years ago when its operators used clever distribution methods to spread the malware around and steal people's passwords.... Read more

March 31, 2020
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.