{
	"id": "36a6b6d7-0f6e-4a9e-8d39-4ba7207c5c05",
	"created_at": "2026-04-06T00:08:21.223563Z",
	"updated_at": "2026-04-10T13:11:48.899522Z",
	"deleted_at": null,
	"sha1_hash": "371b0a8448e6c782c0552fd1428e33f9989c619d",
	"title": "From Carnaval to Cinco de Mayo – The journey of Amavaldo",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 582566,
	"plain_text": "From Carnaval to Cinco de Mayo – The journey of Amavaldo\r\nBy ESET Research\r\nArchived: 2026-04-05 14:59:29 UTC\r\nAt the end of 2017, a group of malware researchers from ESET’s Prague lab decided to take a deeper look at the infamous\r\nDelphi-written banking trojans that are known to target Brazil. We extended our focus to other parts of Latin America (such\r\nas Mexico and Chile) soon after as we noticed many of these banking trojans target those countries as well. Our main goal\r\nwas to discover whether there is a way to classify these banking trojans and to learn more about their behavior in general.\r\nWe have learned a lot – we have identified more than 10 new malware families, studied the distribution chains and linked\r\nthem to the new families accordingly, and dissected the internal behavior of the banking trojans. In this initial blog post, we\r\nwill start by describing this type of banking trojan in general and then move to the first newly identified malware family\r\nwe’ll discuss – Amavaldo.\r\nWhat sets Latin American banking trojans apart?\r\nBefore moving further, let’s define the characteristics of this type of banking trojan:\r\nIt is written in the Delphi programming language\r\nIt contains backdoor functionality\r\nIt uses long distribution chains\r\nIt may divide its functionality into multiple components\r\nIt usually abuses legitimate tools and software\r\nIt targets Spanish- or Portuguese-speaking countries\r\nWe have encountered other common characteristics during our research. Most Latin American banking trojans we have\r\nanalyzed connect to the C\u0026C server and stay connected, waiting for whatever commands the server sends. After receiving a\r\ncommand, they execute it and wait for the next one. The commands are probably pushed manually by the attacker. 
You can\r\nthink of this approach as a chat room where all the members react to what the admin writes.\r\nThe C\u0026C server address seems to be the resource these malware authors protect the most. We have encountered many\r\ndifferent approaches to hiding the actual address, which we will discuss in this series of blog posts. Besides the C\u0026C server,\r\na unique URL is used by the malware to submit victim identification information. This helps the attackers to keep track of\r\ntheir victims.\r\nBanking trojans from Latin America usually use little-known cryptographic algorithms and it is common that different\r\nfamilies use the same ones. We have identified a book and a Delphi freeware library the authors were apparently inspired by.\r\nThe fact that this malware is written in Delphi indicates the executable files are at least a few megabytes in size because the\r\nDelphi core is present in every binary. Additionally, most Latin American banking trojans contain a large number of\r\nresources, which further increases the file size. We have even encountered samples with file sizes reaching several hundred\r\nmegabytes. In those cases, the file size has been deliberately increased in order to avoid detection.\r\nDiscovering malware families\r\nWhen analyzing such an executable, it is usually not very hard to decide quickly that it is a malicious banking trojan.\r\nBesides the aforementioned characteristics, the authors tend to copy each other’s work or to derive their malware from a\r\nhttps://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/\r\nPage 1 of 12\n\ncommon source. As a result of that, most of the Latin American banking trojans look alike. This is the main reason why we\r\nmostly see only generic detections.\r\nOur research started with identifying strong characteristics that would allow us to establish malware families. Over time, we\r\nwere able to do so and identified more than 10 new ones. 
The characteristics we used were mainly how strings are stored,\r\nhow the C\u0026C server address is obtained and other code similarities.\r\nFollowing the distribution chains\r\nThe simplest way that these malware families are delivered is by utilizing a single downloader (a Windows executable file)\r\nspecific to that family. This downloader sometimes masquerades as a legitimate software installer. This method is simple,\r\nbut it is also the less common one.\r\nMuch more common is the use of a multistage distribution chain that typically employs several layers of downloaders written in\r\nscripting languages such as JavaScript, PowerShell and Visual Basic Script (VBS). Such a chain typically consists of at least\r\nthree stages. The final payload is typically delivered in a zip archive that contains either only the banking trojan or additional\r\ncomponents along with it. The main advantage, to the malware authors, of this method is that it is quite complicated for\r\nmalware researchers to reach the very end of the chain and thereby analyze the final payload. However, it is also much\r\neasier for a security product to stop the threat because it only needs to break one link in the chain.\r\nMoney-stealing strategy\r\nUnlike most banking trojans, those from Latin America do not utilize web-injection – instead they use a form of social\r\nengineering. They continuously detect active windows on the victim’s computer and if they find one related to a bank, they\r\nlaunch their attack.\r\nThe purpose of the attack is almost always to persuade the user that some special, urgent and necessary action is required.\r\nThis can be an update of the banking application used by the victim, or verification of credit card information or bank\r\naccount credentials. A fake popup window then steals the data after the victim enters it (an example is seen in Figure 1) or a\r\nvirtual keyboard acts as a keylogger as seen in Figure 2. 
The sensitive information is then sent to the attackers who can\r\nabuse it in any way they see fit.\r\nFigure 1. Fake popup window that tries to steal an authorization code (Translation: Anti-intrusion tool. Your security is the\r\nfirst priority. Enter your signature)\r\nFigure 2. Virtual keyboard with a keylogger (Translation: Card Password. Enter your card password by clicking on the\r\nbuttons)\r\nAmavaldo\r\nWe named the malware family described in the rest of this blog post Amavaldo. This family is still in active development –\r\nthe latest version we have observed (10.7) has a compilation timestamp of June 10th, 2019.\r\nThis is an example of modular malware whose final payload ZIP archive contains three components:\r\n1. A copy of a legitimate application (EXE)\r\n2. An injector (DLL)\r\n3. An encrypted banking trojan (decrypts to DLL)\r\nFigure 3 displays the contents of an example Amavaldo final payload ZIP archive.\r\nFigure 3. Amavaldo components extracted in a folder. The components are: ctfmon.exe (legitimate application),\r\nMsCtfMonitor (encrypted banking trojan), MsCtfMonitor.dll (injector).\r\nThe downloader stores all the ZIP archive contents to the hard drive in the same folder. The injector has a name chosen to\r\nmatch that of a DLL used by the bundled, legitimate application. Before the downloader exits, it executes the legitimate\r\napplication. 
Then:\r\nThe injector is executed via DLL Side-Loading\r\nThe injector injects itself into wmplayer.exe or iexplore.exe\r\nThe injector searches for the encrypted banking trojan (an extensionless file whose name matches that of the injector\r\nDLL)\r\nIf such a file is found, the injector decrypts and executes the banking trojan\r\nCharacteristics\r\nBesides the modular structure, the strongest identifying characteristic is the custom encryption scheme used for string\r\nobfuscation (Figure 4). As you can see, aside from the key (green) and encrypted data (blue), the code is also filled with\r\ngarbage strings (red) that are never used. We provide simplified pseudocode in Figure 5 to emphasize the algorithm’s logic.\r\nThis string handling routine is used by the banking trojan itself, the injector and even the downloader that we will describe\r\nlater. Unlike many other Latin American banking trojans, this routine does not appear to be inspired by the book mentioned\r\nearlier.\r\nFigure 4. String obfuscation in Amavaldo\r\nFigure 5. Amavaldo string decryption pseudocode. This algorithm does not seem to be inspired by the book mentioned\r\nearlier.\r\nAdditionally, the latest versions of this family can be identified by a mutex that seems to have the constant name\r\n{D7F8FEDF-D9A0-4335-A619-D3BB3EEAEDDB}.\r\nAmavaldo first collects information about the victim that consists of:\r\nComputer and OS identification\r\nWhat kind of banking protection the victim has installed. 
The information is gathered from searching the following\r\nfilesystem paths:\r\n%ProgramFiles%\\Diebold\\Warsaw\r\n%ProgramFiles%\\GbPlugin\\\r\n%ProgramFiles%\\scpbrad\\\r\n%ProgramFiles%\\Trusteer\r\n%ProgramFiles%\\AppBrad\\\r\n%LocalAppData%\\Aplicativo Itau\r\nThe newer versions communicate via SecureBridge, a Delphi library that provides SSH/SSL connections.\r\nAs with many other such banking trojans, Amavaldo supports several backdoor commands. The capabilities of these\r\ncommands include:\r\nObtaining screenshots\r\nCapturing photos of the victim via webcam\r\nLogging keystrokes\r\nDownloading and executing further programs\r\nRestricting access to various banking websites\r\nMouse and keyboard simulation\r\nSelf-updating\r\nAmavaldo uses a clever technique when launching the attack on its victim that is similar to what Windows UAC does. After\r\ndetecting a bank-related window, it takes a screenshot of the desktop and makes it look like the new wallpaper. Then it\r\ndisplays a fake popup window chosen based on the active window’s text while disabling multiple hotkeys and preventing the\r\nvictim from interacting with anything else but the popup window.\r\nOnly Brazilian banks had been targeted when we first encountered this malware family, but it has extended its range\r\nsince April 2019 to Mexican banks as well. Even though the previously used Brazilian targets are still present in the\r\nmalware, based on our analysis the authors focus only on Mexico now.\r\nDistribution\r\nWe were able to observe two distribution chains – one early this year and a second one since April.\r\nDistribution chain 1: Targeting Brazil\r\nWe first observed this chain in January 2019 targeting victims in Brazil. 
The authors decided to use an MSI installer, VBS,\r\nXSL (Extensible Stylesheet Language) and PowerShell for distribution.\r\nThe whole chain starts with an MSI installer that the victim expects will install Adobe Acrobat Reader DC. It utilizes two\r\nlegitimate executables: AICustAct.dll (to check for an available internet connection) and VmDetect.exe (to detect virtual\r\nenvironments).\r\nFigure 6. Error message when the downloader runs inside a virtual machine (left) or without an internet connection (right)\r\nOnce the fake installer is executed, it makes use of an embedded file that, besides strings, contains a packed VBS\r\ndownloader (Figure 7). After unpacking (Figure 8), it downloads yet another VBS downloader (Figure 9). Notice that the\r\nsecond VBS downloader abuses the Microsoft Windows WMIC.exe to download the next stage – an XSL script (Figure 10)\r\nwith embedded, encoded PowerShell. Finally, the PowerShell script (Figure 11) is responsible for downloading the final\r\npayload – a zip archive with multiple files, as listed in Table 1. It also ensures persistence by creating a scheduled task\r\nnamed GoogleBol.\r\nFigure 7. The first stage. A packed VBS downloader (highlighted in red) embedded inside the MSI installer.\r\nFigure 8. The unpacked first stage\r\nFigure 9. The unpacked second stage. WMIC.exe is abused to execute the next stage.\r\nFigure 10. The third stage. A large XSL script that contains embedded, encoded PowerShell script (highlighted in red).\r\nFigure 11. The fourth (final) stage. An obfuscated PowerShell script that downloads the final payload and executes it.\r\nIn Table 1 you can see two sets of payloads and injectors, both using the execution method described earlier. The\r\nNvSmartMax[.dll] has been used to execute Amavaldo. 
The libcurl[.dll] is not directly related to Amavaldo, since it executes\r\na tool that is used to automatically register a large number of new email accounts using the Brasil Online (BOL) email\r\nplatform. These created email logins and passwords are sent back to the attacker. We believe it to be a setup for a new spam\r\ncampaign.\r\nTable 1. Contents of the final payload archive and their descriptions\r\nnvsmartmaxapp.exe | Legitimate application 1\r\nNvSmartMax.dll | Injector 1\r\nNvSmartMax | Payload 1\r\nGup.exe | Legitimate application 2\r\nlibcurl.dll | Injector 2\r\nLibcurl | Payload 2\r\ngup.xml | Configuration file for gup.exe\r\nDistribution chain 2: Targeting Mexico\r\nThe most recent distribution chain we have observed starts with a very similar MSI installer. The difference is that this time,\r\nit contains an embedded Windows executable file that serves as the downloader. The installer ends with a fake error message\r\n(Figure 12). Right after, the downloader is executed. Persistence is ensured by creating a scheduled task (as in the first\r\nchain), this time named Adobe Acrobat TaskB (Figure 13). Then it downloads all the Amavaldo components (no email tool\r\nhas been observed this time) and executes the banking trojan.\r\nFigure 12. The fake error message displayed by the installer\r\nFigure 13. The scheduled task created by the downloader\r\nWe believe that companies are being targeted via a spam campaign by this method. The initial files are named\r\nCurriculumVitae[…].msi or FotosPost[…].msi. We think that the victims are deceived into clicking on a link in an email\r\nmessage that leads them to downloading what they believe is a CV. 
Since it should be a PDF, running an apparent\r\ninstallation of Adobe Acrobat Reader DC may seem legitimate as well.\r\nSince the authors decided to use the bit.ly URL shortener, we can observe additional information about their campaigns\r\n(Figures 14 and 15). As we can see, the vast majority of the clicks on those URLs were geolocated in Mexico. The fact that\r\nemail is the most frequent referrer supports our assumption about spam being the distribution vector.\r\nFigure 14. Statistics for a recent Amavaldo campaign targeting Mexico (1)\r\nFigure 15. Statistics for a recent Amavaldo campaign targeting Mexico (2)\r\nConclusion\r\nIn this blog post, we have introduced our research into the banking trojans of Latin America. We have described what is\r\ntypical for such malware and how it operates. We have also presented what key features we have used to establish malware\r\nfamilies.\r\nWe have described the first malware family – Amavaldo – its most typical features and targets, and analyzed recent\r\ndistribution chains in detail. Amavaldo shares many typical characteristics of Latin American banking trojans. It splits its\r\nfunctionality into several components, so that having only one component is not enough for analysis. It abuses legitimate\r\napplications to execute itself and to detect virtual environments. It tries to steal banking information from Brazilian and\r\nMexican banks and contains backdoor functionality as well.\r\nFor any inquiries, contact us at threatintel@eset.com. 
Indicators of Compromise can also be found on our GitHub.\r\nIndicators of Compromise (IoCs)\r\nHashes\r\nFirst distribution chain (Brazil) hashes\r\nSHA-1 | Description | ESET detection name\r\nE0C8E11F8B271C1E40F5C184AFA427FFE99444F8 | Downloader (MSI installer) | Trojan.VBS/TrojanDownloader.Agent.QS\r\n12C93BB262696314123562F8A4B158074C9F6B95 | Abused legitimate application (NvSmartMaxApp.exe) | Clean file\r\n6D80A959E7F52150FDA2241A4073A29085C9386B | Injector for Amavaldo (NvSmartMax.dll) | Win32/Spy.Amavaldo.P trojan\r\nB855D8B1BAD07D578013BDB472122E405D49ACC1 | Amavaldo (decrypted NvSmartMax) | Win32/Spy.Amavaldo.N trojan\r\nFC37AC7523CF3B4020EC46D6A47BC26957E3C054 | Abused legitimate application (gup.exe) | Clean file\r\n4DBA5FE842B01B641A7228A4C8F805E4627C0012 | Injector for email tool (libcurl.dll) | Win32/Spy.Amavaldo.P trojan\r\n9A968341C65AB47BF5C7290F3B36FCF70E9C574B | Email tool (decrypted libcurl) | Win32/Spy.Banker.AEGH trojan\r\nSecond distribution chain (Mexico) hashes\r\nSHA-1 | Description | ESET detection name\r\nAD1FCE0C62B532D097DACFCE149C452154D51EB0 | Downloader (MSI installer) | Win32/TrojanDownloader.Delf.CSG trojan\r\n6C04499F7406E270B590374EF813C4012530273E | Abused legitimate application (ctfmon.exe) | Clean file\r\n1D56BAB28793E3AB96E390F09F02425E52E28FFC | Injector for Amavaldo (MsCtfMonitor.dll) | Win32/Spy.Amavaldo.U trojan\r\nB761D9216C00F5E2871DE16AE157DE13C6283B5D | Amavaldo (decrypted MsCtfMonitor) | Win32/Spy.Amavaldo.N trojan\r\nOther\r\nSHA-1 | Description | ESET detection name\r\nB191810094DD2EE6B13C0D33458FAFCD459681AE | VmDetect.exe – a tool for detecting virtual environment | Clean file\r\nB80294261C8A1635E16E14F55A3D76889FF2C857 | AICustAct.dll – a tool for checking internet connectivity | Clean file\r\nMutex\r\n{D7F8FEDF-D9A0-4335-A619-D3BB3EEAEDDB}\r\nFilenames\r\n%LocalAppData%\\%RAND%\\NvSmartMax[.dll]\r\n%LocalAppData%\\%RAND%\\MsCtfMonitor[.dll]\r\n%LocalAppData%\\%RAND%\\libcurl[.dll]\r\nScheduled task\r\nGoogleBol\r\nAdobe Acrobat TaskB\r\nC\u0026C servers\r\nclausdomain.homeunix[.]com:3928\r\nbalacimed.mine[.]nu:3579\r\nfbclinica.game-server[.]cc:3351\r\nnewcharlesxl.scrapping[.]cc:3844\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nInitial Access | T1192 | Spearphishing Link | The initial attack vector is a malicious link in an email that leads the victim to a web page the downloader is obtained from.\r\nExecution | T1073 | DLL Side-Loading | The injector component is executed by abusing a legitimate application with this technique.\r\nExecution | T1086 | PowerShell | The first distribution chain uses PowerShell in its last stage.\r\nExecution | T1047 | Windows Management Instrumentation | The first distribution chain abuses WMIC.exe to execute the third stage.\r\nPersistence | T1053 | Scheduled Task | Persistence is ensured by a scheduled task.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | The actual banking trojan needs to be decrypted by the injector component.\r\nDefense Evasion | T1036 | Masquerading | The injector masks itself as a DLL imported by the abused legitimate application. The downloader masks itself as an installer for Adobe Acrobat Reader DC.\r\nDefense Evasion | T1055 | Process Injection | The injector injects itself into wmplayer.exe or iexplore.exe.\r\nDefense Evasion | T1064 | Scripting | VBS, PowerShell and XSL are used in the first distribution chain.\r\nDefense Evasion | T1220 | XSL Script Processing | The first distribution chain uses XSL processing in its third stage.\r\nDefense Evasion | T1497 | Virtualization/Sandbox Evasion | The downloader of Amavaldo uses third-party tools to detect virtual environments.\r\nCredential Access | T1056 | Input Capture | Amavaldo contains a command to execute a keylogger. It also steals contents from fake windows it displays.\r\nDiscovery | T1083 | File and Directory Discovery | Amavaldo searches for various filesystem paths in order to determine what banking protection applications are installed on the victim machine.\r\nDiscovery | T1082 | System Information Discovery | Amavaldo extracts information about the operating system.\r\nCollection | T1113 | Screen Capture | Amavaldo contains a command to take screenshots.\r\nCollection | T1125 | Video Capture | Amavaldo contains a command to capture photos of the victim via webcam.\r\nCommand and Control | T1024 | Custom Cryptographic Protocol | Amavaldo uses a unique cryptographic protocol.\r\nCommand and Control | T1071 | Standard Application Layer Protocol | Amavaldo uses the SecureBridge Delphi library to perform SSH connections.\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | Amavaldo sends the data it collects to its C\u0026C server.\r\nSource: https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/"
	],
	"report_names": [
		"banking-trojans-amavaldo"
	],
	"threat_actors": [],
	"ts_created_at": 1775434101,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/371b0a8448e6c782c0552fd1428e33f9989c619d.pdf",
		"text": "https://archive.orkl.eu/371b0a8448e6c782c0552fd1428e33f9989c619d.txt",
		"img": "https://archive.orkl.eu/371b0a8448e6c782c0552fd1428e33f9989c619d.jpg"
	}
}