{
	"id": "ece801c5-49a0-4bb7-bd67-a4fe7d3fcc5c",
	"created_at": "2026-04-06T01:30:34.846201Z",
	"updated_at": "2026-04-10T03:21:56.5034Z",
	"deleted_at": null,
	"sha1_hash": "2466d7e450ff25c0a70224d7de5d0e049d3332f2",
	"title": "Almost 100 Organizations in Brazil Targeted with Banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48638,
	"plain_text": "Almost 100 Organizations in Brazil Targeted with Banking Trojan\r\nArchived: 2026-04-06 00:45:06 UTC\r\nUp to 100 organizations in Brazil have been targeted with a banking Trojan since approximately late August 2021,\r\nwith the most recent activity seen in early October.\r\nThis campaign appears to be a continuation of activity published by researchers at ESET in 2020.\r\nThe attackers appeared to be undeterred by exposure, and Symantec, a division of Broadcom Software, has found a\r\nlarge number of new indicators of compromise (IOCs) relating to this latest wave of attacks.\r\nSymantec’s Threat Hunter Team first became aware of this recent campaign when suspicious activity was spotted\r\nin a customer environment on September 30, 2021. This initial suspicious activity was detected by our Cloud\r\nAnalytics technology, and further investigation found that attempts were being made to download a suspicious file\r\nnamed mpr.dll into the customer’s environment. Msiexec.exe was attempting to download the file from a\r\nsuspicious URL. Further analysis indicated that five files were downloaded, four of which were signed and\r\nappeared to be legitimate DLL files, but the file named mpr.dll was not signed and was suspiciously large for a\r\nsingle DLL file at 588 MB. Symantec researchers concluded that this was a “Latin American banking Trojan”, due\r\nto the similar characteristics and file names seen in this campaign and in the research into Latin American banking\r\nTrojans published by ESET in 2020.\r\nFurther investigation by our analysts revealed similar activity had been aimed at multiple different organizations\r\nsince late August 2021. 
In fact, as many as 98 organizations may have been targeted with similar activity, with all\r\naffected organizations based in Brazil.\r\nThe sectors targeted with this activity included information technology, professional services, manufacturing,\r\nfinancial services, and government.\r\nWhat is a “Latin American banking Trojan”?\r\nBanking Trojans are a type of malware designed to steal victims’ online banking information so malicious actors\r\ncan access victims’ bank accounts. Once on a machine, the malware typically works by monitoring the websites\r\nvictims are visiting and comparing these to a hardcoded list. If the victim visits a banking website the Trojan will\r\ngenerally display a spoofed login page in a pop-up over the legitimate page in an attempt to harvest victims’\r\nbanking credentials. These pop-ups are generally made to imitate the specific banks’ legitimate login pages and\r\nare often quite convincing.  \r\nWhile once one of the biggest threats on the cyber-crime landscape, banking Trojans have been usurped in many\r\nparts of the world by ransomware in recent times. However, in Latin America particularly they still dominate a lot\r\nof cyber-crime activity.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/banking-trojan-latam-brazil\r\nPage 1 of 3\n\nIn its 2020 report, ESET determined that there were 11 banking Trojan gangs operating in Latin America, and that\r\nthese groups cooperated with each other. It came to this conclusion due to the many shared tactics, tools, and\r\nprocedures used by the cyber criminals deploying banking Trojans in Latin America. \r\nAttack chain for recent activity\r\nWe did not observe what the initial infection vector was in this campaign, but it was likely a malicious URL\r\nspread via either spam email campaigns or through malvertising, which is typically the first step in Latin\r\nAmerican banking Trojan campaigns. 
Victims are then directed to one of the following malicious URLs:\r\nhxxps://centreldaconsulta[.]com/\r\nhxxps://www.centralcfconsulta[.]net/\r\nhxxps://centralcfconsulta[.]net/index3.php?api=vFUMIfUzGz2QdjxTFKAMyTlh\r\nhxxps://centralcfconsulta[.]net/\r\nhxxps://www.centralcfconsulta[.]net/index3.php?api=r0ubnHRxDycEy5uFPViNA55Y3t\r\nhxxps://www.centralcfconsulta[.]net/index3.php?api=4DQSbdp3hLqPRGTbOGtl7jCD9FKNViKXmKd9Lv\r\nhxxps://centreldaconsulta[.]com/index3.php?api=nJsdr1J3h0fsG18sRAVQt6JjVW\r\nhxxps://centreldaconsulta[.]com/index3.php?api=ThMyMCAQEOLIC9nO\r\nhxxps://www.centralcfconsulta[.]net/index3.php?api=wen1eIFCeUh0jAS3mWIDUhSLt3sXMQ\r\nVictims are then redirected to an Amazon Web Services (AWS) URL, which the attackers appear to have abused as a\r\ncommand-and-control (C\u0026C) server. A ZIP file that contains a Microsoft Software Installer (MSI) file is\r\ndownloaded from the AWS infrastructure.\r\nESET reported that most gangs deploying banking Trojans in Latin America had started using MSI files as an\r\ninitial download in 2019. An MSI file can be used to install, uninstall, and update applications running on\r\nWindows systems.\r\nIf the victim double-clicks the MSI file inside the downloaded ZIP, it will execute msiexec.exe, which then\r\nconnects to a secondary C\u0026C server to download another ZIP file containing the payload (mpr.dll), along with\r\nother legitimate portable executable (PE) files. The URLs observed being accessed by msiexec.exe included:\r\nhxxp://13.36.240[.]208/ando998.002\r\nhxxp://13.36.240[.]208/msftq.doge\r\nhxxp://15.237.60[.]133/esperanca.lig2\r\nhxxp://15.237.60[.]133/esperanca.liga\r\nhxxp://52.47.163[.]237/microsft.crts\r\nhxxp://52.47.163[.]237/nanananao.uooo\r\nhxxp://15.237.27[.]77/carindodone.ways\r\nThe extracted ZIP file contains a renamed copy of VBoxTray.exe, a legitimate Oracle VirtualBox component. This is executed to load\r\nthe payload (mpr.dll) by way of DLL search-order hijacking. 
DLL search-order hijacking takes advantage of the order in which\r\nWindows looks for a DLL that a program loads by name: a copy placed in the application’s own directory is found before the\r\ngenuine copy in the system directory, so an attacker can load malicious code into a legitimate process. The mpr.dll file is\r\nalso bigger than 100 MB in order to evade submission to security services, which tend not to process files above\r\nthat size. Both of these files and this exact same process were observed in the banking Trojan activity detailed in\r\nESET’s report.\r\nPersistence is then created for the renamed VBoxTray.exe so that mpr.dll is always side-loaded into it, by way of\r\neither the Windows Registry or Windows Management Instrumentation (WMI). This is another common technique\r\nused in the attack chain for Latin American banking Trojans.\r\nStay alert for this activity\r\nThe various steps taken by the attackers behind this activity to evade detection, such as using a large file for the\r\npayload so that it won’t be scanned by security software and leveraging legitimate processes and applications for\r\nmalicious purposes, show that those behind this attack campaign are reasonably sophisticated actors. The number\r\nof organizations affected in this campaign also indicates that a large number of people are likely responsible for\r\nthis activity, and it may be that more than one group is behind it. It could be a number of groups acting\r\nin a cooperative manner, as ESET said may be the approach taken by the various banking Trojan attack groups\r\noperating in Latin America.\r\nWhile ransomware dominates much of the discussion on the cyber-crime landscape at the moment, it is important\r\nto remember it is not the only threat out there.\r\n
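One way to turn the attack chain described above into a hunting rule, as an added Python example that is not part of the Symantec post: each function tests one stage (msiexec.exe fetching a stage from a bare-IP URL, an unsigned mpr.dll above 100 MB outside the system directories, a binary whose PE original filename is VBoxTray.exe but whose on-disk name differs loading mpr.dll from its own directory, and Run-key or WMI persistence for that loader), and hunt() reports the hosts where at least two stages fired. The event schema, host names, paths and the 198.51.100.7 address are constructed stand-ins for endpoint telemetry, and the two-stage reporting cut-off is an assumption.

```python
import re
from collections import defaultdict

# Thresholds and file names follow the article (mpr.dll, a renamed VBoxTray.exe,
# a payload kept above 100 MB, msiexec.exe pulling stages from bare-IP URLs).
# The event schema is a constructed stand-in for EDR telemetry, not a vendor format.
SIZE_THRESHOLD = 100 * 1024 * 1024
SYSTEM_DIRS = ('c:/windows/system32/', 'c:/windows/syswow64/')   # where the real mpr.dll lives
BARE_IP_URL = re.compile('^https?://([0-9]{1,3}[.]){3}[0-9]{1,3}/')


def norm(path):
    # Lower-case and use forward slashes; chr(92) is the backslash, written this
    # way so the sample stays free of escape sequences.
    return path.lower().replace(chr(92), '/')


def in_system_dir(path):
    return norm(path).startswith(SYSTEM_DIRS)


def msiexec_download(ev):
    # Stage 2: msiexec.exe fetching from a bare-IP URL instead of a vendor host.
    return (ev['type'] == 'network'
            and norm(ev['process']).endswith('/msiexec.exe')
            and BARE_IP_URL.match(ev['url']) is not None)


def oversized_mpr(ev):
    # Stage 3: an unsigned mpr.dll dropped outside the system directories and
    # larger than the size most scanners will process.
    return (ev['type'] == 'file'
            and norm(ev['path']).endswith('/mpr.dll')
            and not in_system_dir(ev['path'])
            and not ev['signed']
            and ev['size'] > SIZE_THRESHOLD)


def sideload(ev):
    # Stage 4: a binary whose PE original filename is VBoxTray.exe but whose
    # on-disk name differs, loading mpr.dll from its own directory (search-order
    # hijacking) rather than the copy in System32.
    if ev['type'] != 'image_load':
        return False
    proc, dll = norm(ev['process']), norm(ev['image'])
    renamed = (ev['original_filename'].lower() == 'vboxtray.exe'
               and not proc.endswith('/vboxtray.exe'))
    same_dir = dll.rsplit('/', 1)[0] == proc.rsplit('/', 1)[0]
    return renamed and dll.endswith('/mpr.dll') and not in_system_dir(dll) and same_dir


def persistence(ev):
    # Stage 5: a Run key or WMI event subscription that re-launches the renamed loader.
    return (ev['type'] == 'persistence'
            and ev['mechanism'] in ('registry_run', 'wmi_subscription')
            and ev['original_filename'].lower() == 'vboxtray.exe')


STAGES = {
    'msiexec_download': msiexec_download,
    'oversized_mpr': oversized_mpr,
    'sideload': sideload,
    'persistence': persistence,
}


def hunt(events, min_stages=2):
    # Collect which stages fired per host and report hosts with at least
    # min_stages of the chain (two is an assumed cut-off, not from the article).
    hits = defaultdict(set)
    for ev in events:
        for name, check in STAGES.items():
            if check(ev):
                hits[ev['host']].add(name)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= min_stages}


# Constructed sample telemetry. Hosts, paths, user names and the 198.51.100.7
# address (an RFC 5737 documentation range) are illustrative, not the article's IOCs.
SAMPLE_EVENTS = [
    {'host': 'wks-01', 'type': 'network', 'process': 'C:/Windows/System32/msiexec.exe',
     'url': 'http://198.51.100.7/stage2.bin'},
    {'host': 'wks-01', 'type': 'file', 'path': 'C:/Users/ana/AppData/Local/Temp/x1/mpr.dll',
     'signed': False, 'size': 588 * 1024 * 1024},
    {'host': 'wks-01', 'type': 'image_load', 'process': 'C:/Users/ana/AppData/Local/Temp/x1/svc.exe',
     'original_filename': 'VBoxTray.exe', 'image': 'C:/Users/ana/AppData/Local/Temp/x1/mpr.dll'},
    {'host': 'wks-01', 'type': 'persistence', 'mechanism': 'registry_run',
     'target': 'C:/Users/ana/AppData/Local/Temp/x1/svc.exe', 'original_filename': 'VBoxTray.exe'},
    # Benign noise on a second host: a real VirtualBox guest loading the system mpr.dll
    # and msiexec.exe fetching an installer from a named vendor host.
    {'host': 'wks-02', 'type': 'image_load',
     'process': 'C:/Program Files/Oracle/VirtualBox Guest Additions/VBoxTray.exe',
     'original_filename': 'VBoxTray.exe', 'image': 'C:/Windows/System32/mpr.dll'},
    {'host': 'wks-02', 'type': 'file', 'path': 'C:/Windows/System32/mpr.dll', 'signed': True,
     'size': 120 * 1024},
    {'host': 'wks-02', 'type': 'network', 'process': 'C:/Windows/System32/msiexec.exe',
     'url': 'https://updates.example.com/app.msi'},
]

if __name__ == '__main__':
    print(hunt(SAMPLE_EVENTS))
```

Running the block reports all four stages on wks-01 and nothing for wks-02, where a genuine VBoxTray.exe loads the system copy of mpr.dll. In a real deployment the original-filename field comes from the PE version resource that most EDR products record on image-load events, and the size check is one signal among several rather than a verdict on its own, since a large unsigned file is not malicious by itself.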
Banking Trojans have the potential to be a costly problem for\r\nindividuals and organizations, so people, especially those based in Latin America where this activity appears to be\r\nparticularly prevalent, need to remain alert to this threat.\r\nSimple steps, like ensuring you have multi-factor authentication enabled on all financial accounts, can help lessen\r\nthe impact of threats like these.\r\nProtection\r\nFile-based:\r\nInfostealer.Bancos\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise (IOCs)\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/banking-trojan-latam-brazil",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/banking-trojan-latam-brazil"
	],
	"report_names": [
		"banking-trojan-latam-brazil"
	],
	"threat_actors": [],
	"ts_created_at": 1775439034,
	"ts_updated_at": 1775791316,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2466d7e450ff25c0a70224d7de5d0e049d3332f2.pdf",
		"text": "https://archive.orkl.eu/2466d7e450ff25c0a70224d7de5d0e049d3332f2.txt",
		"img": "https://archive.orkl.eu/2466d7e450ff25c0a70224d7de5d0e049d3332f2.jpg"
	}
}