{
	"id": "d09374bf-8286-4f80-ae05-7da617e954fa",
	"created_at": "2026-04-06T00:12:01.733181Z",
	"updated_at": "2026-04-10T13:11:18.108501Z",
	"deleted_at": null,
	"sha1_hash": "f57c07433a1d2eae357d6c51b81ae01516670094",
	"title": "Ousaban: LATAM Banking Malware Abusing Cloud Services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 244021,
	"plain_text": "Ousaban: LATAM Banking Malware Abusing Cloud Services\r\nBy Gustavo Palazolo\r\nPublished: 2022-08-04 · Archived: 2026-04-05 14:55:02 UTC\r\nSummary\r\nOusaban (a.k.a. Javali) is a banking malware that emerged between 2017 and 2018, with the primary goal of\r\nstealing sensitive data from financial institutions in Brazil. This malware is developed in Delphi and it comes from\r\na stream of LATAM banking trojans sourced from Brazil, sharing similarities with other families like Guildma,\r\nCasbaneiro, and Grandoreiro. Furthermore, the threat often abuses cloud services, such as Amazon S3 to\r\ndownload second stage payloads, and Google Docs to retrieve the C2 configuration.\r\nNetskope Threat Labs came across recent Ousaban samples that are abusing multiple cloud services throughout\r\nthe attack flow, such as Amazon or Azure to download its payloads and log the victim’s IP, and Pastebin to retrieve\r\nthe C2 configuration. The malware is downloaded through MSI files either by a JavaScript or a Delphi DLL, and\r\nis targeting more than 50 financial institutions in Brazil. Furthermore, we also found Telegram abuse in the\r\nmalware code, likely used for C2 communication via Webhooks.\r\nIn this blog post, we will analyze Ousaban, showing its delivery methods, obfuscation techniques, and C2\r\ncommunication.\r\nDelivery methods\r\nhttps://www.netskope.com/blog/ousaban-latam-banking-malware-abusing-cloud-services\r\nPage 1 of 24\n\nOusaban is delivered through malicious MSI files spread in phishing emails. 
In this campaign, we found that the MSI file downloads and executes the second stage either through JavaScript or through a PE file.\r\nDelivery by JavaScript\r\nIn the first scenario, the JavaScript is executed via an MSI CustomAction.\r\nMSI file executing JavaScript.\r\nThe JavaScript code is obfuscated, likely in an attempt to slow down analysis.\r\nJavaScript code extracted from the MSI file.\r\nLooking at the deobfuscated code, these are the steps executed by the malware:\r\n1. Creates an empty file to be used as a flag in case the MSI is executed twice (a similar concept to mutex usage);\r\n2. Downloads the second stage from the cloud, either from Amazon or from Azure;\r\n3. Decompresses the ZIP file downloaded from the cloud and renames the main executable;\r\n4. Sends a simple GET request to another URL (Azure or another attacker-controlled server), alerting the attacker and logging the victim’s IP;\r\n5. Executes the main file via WMIC.\r\nDeobfuscated JavaScript extracted from the MSI file.\r\nDelivery by File\r\nWe also found Ousaban being delivered without JavaScript. In this case, a file named “avisoProtesto.exe” is executed via an MSI CustomAction.\r\nMSI executing a PE file.\r\n“avisoProtesto.exe” is a signed, non-malicious binary abused to execute the malicious DLL via DLL search order hijacking.\r\nNon-malicious binary used to load the malicious DLL.\r\nThis is possible because the non-malicious binary loads a DLL named “crashreport.dll” without specifying the full path of the library. 
Therefore, the attacker places a DLL with the same name in the same folder as the executable, making it load the malicious DLL instead. Since the executable itself is legitimate and validly signed, controls that trust the signed binary alone do not catch this; the malicious code lives entirely in the side-loaded DLL.\r\nBinary vulnerable to DLL hijacking.\r\nIn this case, both the next-stage URL and the tracker (IP-logging) URL are loaded from a text file named “FileLinks”.\r\nMalicious URLs loaded by the malware.\r\nAll the files we analyzed downloaded the next stage from the cloud, either Amazon or Azure. In some cases, the URL used to log the victim’s IP address was also hosted on Azure. All the URLs can be found in our GitHub repository.\r\nLoading the second stage\r\nThe binary downloaded from the cloud is a ZIP file containing the next-stage payload, which is a Delphi DLL executed by a non-malicious binary.\r\nFiles downloaded from the cloud.\r\nThe file executed by the malware is a non-malicious executable with a valid signature (“Securityo6Z3.exe”).\r\nCertificate found in the file executed by the malware.\r\nThe malicious DLL is then loaded by the non-malicious binary through a DLL search order hijacking vulnerability, the same technique used by some of the downloaders.\r\nNon-malicious binary loading the next stage DLL.\r\nSecond stage\r\nThe second stage is a Delphi malware responsible for decrypting and loading Ousaban’s payload in the following flow:\r\n1. Loads the encrypted bytes of Ousaban from disk;\r\n2. Decrypts the Ousaban payload using a key stored in the “.data” section;\r\n3. 
Decrypts the code that runs Ousaban using the same key, stored in the “.data” section.\r\nDecryption key and encrypted code stored in the “.data” section of the second stage.\r\nThe encrypted payload of Ousaban is located among the files downloaded from the cloud, in a file named “ZapfDingbats.pdf”.\r\nThird stage encrypted among files downloaded from the cloud.\r\nOnce running, the second stage loads Ousaban’s encrypted bytes, which are decrypted using the key stored in the PE “.data” section.\r\nEncrypted Ousaban payload being loaded.\r\nAside from decrypting the payload, the second stage also decrypts the code that will execute Ousaban at runtime, probably to slow down reverse engineering.\r\nSecond stage decrypting and loading Ousaban payload.\r\nWe created a Python script that can be used to statically decrypt Ousaban payloads, using the same algorithm found in the malware. 
The code can be found in our GitHub repository.\r\nImportant API calls used by this stage are also dynamically resolved, another common technique to slow down reverse engineering.\r\nAPIs dynamically loaded by the malware.\r\nOusaban payload\r\nOusaban is a Delphi banking trojan mainly focused on stealing sensitive data from users of financial institutions in Brazil. As previously mentioned, Ousaban shares many similarities with other Brazilian banking malware, such as the algorithm used to decrypt its strings and its overlay capabilities.\r\nOusaban commonly packs/protects its payloads with UPX or Enigma.\r\nOusaban payload packed with UPX.\r\nOne of the most characteristic aspects of Brazilian-sourced banking malware is the algorithm used to encrypt/decrypt important strings.\r\nOusaban encrypted strings.\r\nThe algorithm used as a base by these trojans was originally demonstrated in a Brazilian magazine called “Mestres Da Espionagem Digital” in 2008. Simply put, it parses the hexadecimal string and applies a chained XOR operation with the key, combined with the previous byte of the encrypted string.\r\nPart of the algorithm to decrypt the strings, commonly found in Brazilian banking malware.\r\nWe created a Python script that can be used to decrypt strings from malware that uses this algorithm, such as Ousaban, Guildma, Grandoreiro, and others. 
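As an added example, not the Netskope script or any code from the original post, the cipher described above implemented in Python from the well-known public Delphi routine: the first hex byte is a seed, and each following byte is XORed with the repeating key and then has the previous ciphertext byte subtracted modulo 255. An encryptor is included so the round trip can be checked; the key and sample strings are constructed for this example, not taken from a sample. The same routine applies to the “Host” file and to the C2 entry in the Pastebin dictionary discussed later in the post, which the post says use the same algorithm.

```python
# Added example: string cipher shared by Ousaban, Guildma, Grandoreiro and
# other Brazilian banking trojans. Implemented from the public Delphi
# routine (Mestres da Espionagem Digital, 2008); not Netskope's script.
import json


def decrypt_string(enc_hex, key):
    # Ciphertext is a hex string. Byte 0 is the seed (initial offset), not data.
    data = bytes.fromhex(enc_hex.strip())
    key_bytes = key.encode('latin-1')
    if not key_bytes:
        raise ValueError('empty key')
    if len(data) < 2:
        return ''
    offset = data[0]
    out = bytearray()
    for i, c in enumerate(data[1:]):
        k = key_bytes[i % len(key_bytes)]      # key repeats over the text
        tmp = c ^ k                             # undo the XOR layer
        # Undo the (p + offset) mod 255 step; the compare handles the wrap.
        if tmp <= offset:
            tmp = 255 + tmp - offset
        else:
            tmp = tmp - offset
        out.append(tmp)
        offset = c                              # chain on the raw ciphertext byte
    return out.decode('latin-1')


def encrypt_string(plain, key, seed):
    # Inverse of decrypt_string, for building test vectors. Plaintext bytes
    # 0x00 and 0xFF do not round-trip (a quirk of the mod-255 scheme), which
    # never matters for the printable strings the malware protects.
    key_bytes = key.encode('latin-1')
    offset = seed & 0xFF
    out = bytearray([offset])
    for i, p in enumerate(plain.encode('latin-1')):
        s = (p + offset) % 255
        c = s ^ key_bytes[i % len(key_bytes)]
        out.append(c)
        offset = c
    return out.hex().upper()


def decrypt_many(enc_list, key):
    # Batch mode: map each ciphertext to its plaintext, ready for json.dump.
    return {e: decrypt_string(e, key) for e in enc_list}


if __name__ == '__main__':
    KEY = 'k3yExample'                         # constructed, not a real key
    # Constructed strings standing in for the window titles and C2 location
    # the real samples protect with this cipher.
    plain = ['Banco Exemplo - Internet Banking', 'C2 host placeholder']
    enc = [encrypt_string(p, KEY, 0x5C) for p in plain]
    print(json.dumps(decrypt_many(enc, KEY), indent=2))
```

Running the block prints a JSON dictionary of ciphertext to plaintext, mirroring the multi-string mode described above. Point decrypt_many at the hex blobs pulled from a sample and the key recovered from the binary to use it on real data.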
Our script can be used to decrypt a single string:\r\nDecrypting a single string from the malware.\r\nOr to decrypt multiple strings at once, saving the result in a JSON file, with an option to also show the result in the console.\r\nDecrypting multiple strings from the malware.\r\nLike other Brazilian-sourced malware, Ousaban monitors the title of the active window and compares it with a list of strings to verify whether the victim is accessing the website or application of one of its targets.\r\nMalware monitoring window titles.\r\nIn the files we analyzed, we found Ousaban targeting over 50 different financial institutions. If the window title matches one of the targets, Ousaban starts communicating with the C2 address, giving the attacker the option to access the machine remotely.\r\nC2 communication\r\nOusaban stores the C2 address remotely. In this case, the malware uses Pastebin to fetch the data. In 2021, this malware was also spotted using Google Docs to fetch this information.\r\nWithin the files downloaded from the cloud by the first stage, there is a file named “Host”, which stores the external location of the C2 configuration. 
The information is encrypted with the same algorithm used for the strings.\r\nC2 configuration stored on Pastebin.\r\nThe data is stored in a dictionary, where the C2 host is also encrypted with the same algorithm used for the strings.\r\nRetrieving and decrypting the C2 server address.\r\nOusaban only starts the communication once a targeted company is identified.\r\nOusaban C2 communication.\r\nLastly, the Ousaban samples we analyzed contain a routine to communicate via Telegram using webhooks, likely used as a secondary channel.\r\nPart of Ousaban code to communicate via Telegram.\r\nConclusion\r\nOusaban is a malware designed to steal sensitive information from users of several financial institutions, mainly based in Brazil. Ousaban shares many similarities with other Brazilian banking trojans, such as Guildma and Grandoreiro. Also, as we demonstrated in this analysis, the attackers behind this threat abuse multiple cloud services throughout the attack chain. We believe that the use of the cloud will continue to grow among attackers, especially because of its low cost and ease of use.\r\nProtection\r\nNetskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads. 
\r\nNetskope Threat Protection\r\nWin32.Malware.Heuristic\r\nWin32.Infostealer.Heuristic\r\nNetskope Advanced Threat Protection provides proactive coverage against this threat.\r\nGen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis\r\nGen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox\r\nIOCs\r\nAll the IOCs related to this campaign and the scripts can be found in our GitHub repository.\r\nSource: https://www.netskope.com/blog/ousaban-latam-banking-malware-abusing-cloud-services",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.netskope.com/blog/ousaban-latam-banking-malware-abusing-cloud-services"
	],
	"report_names": [
		"ousaban-latam-banking-malware-abusing-cloud-services"
	],
	"threat_actors": [],
	"ts_created_at": 1775434321,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f57c07433a1d2eae357d6c51b81ae01516670094.pdf",
		"text": "https://archive.orkl.eu/f57c07433a1d2eae357d6c51b81ae01516670094.txt",
		"img": "https://archive.orkl.eu/f57c07433a1d2eae357d6c51b81ae01516670094.jpg"
	}
}