Urgent: Contract Scam Spreads CHAVECLOAK Banking Trojan

Specialists at FortiGuard Labs have uncovered a new threat to the financial sector in South America, specifically targeting Brazilian residents for bank credential theft. The banking trojan, dubbed CHAVECLOAK, is spread via an infected PDF file disguised as a contract. Victims are enticed to open the file under the pretense of reading and signing documents, which in reality initiates the download of the malware. Opening the PDF triggers the download of a ZIP archive, which extracts an MSI file containing numerous text files for different languages, a legitimate executable, and a malicious DLL; the legitimate executable loads the malicious DLL through the DLL sideloading technique.

CHAVECLOAK, masquerading as “Lightshot.dll,” commences its operation by gathering system information, establishing itself in the system’s startup routine, and making requests to a Command and Control (C2) server. Should the victim reside in Brazil, the program activates monitoring of the active window and, upon detecting a banking system or cryptocurrency platform window, begins to collect login and password information. The trojan specifically attempts to intercept connections to Mercado Bitcoin—a significant cryptocurrency exchange with traditional banking features.
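The two paragraphs above describe the piece of the chain a defender can most readily spot in endpoint telemetry: a legitimate executable unpacked from the MSI loads a DLL named "Lightshot.dll" that sits beside it in a user-writable folder. The following added example (written for this page, not FortiGuard's or the campaign's code) scores Sysmon-style "image loaded" records with that shape. The log format, directory lists and sample records are constructed for illustration; the only page-supplied value is the DLL name Lightshot.dll.

```python
"""Heuristic detector for DLL sideloading from user-writable directories.

Added example, not code from the article. It parses constructed, Sysmon-like
image-load records and flags a DLL that is (a) loaded from a directory a
normal user can write to, (b) located beside the executable that loaded it,
(c) unsigned, and/or (d) named like a known sideload target (Lightshot.dll,
as reported in the article). Paths and records below are constructed samples.
"""
import re
from dataclasses import dataclass, field

# Constructed list of directory prefixes an unprivileged user can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Constructed list of protected directories where DLLs legitimately live.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
# DLL names to watch; Lightshot.dll is the name the article reports.
WATCHED_DLL_NAMES = {"lightshot.dll"}


@dataclass
class ImageLoad:
    process: str            # full path of the loading executable
    image: str              # full path of the loaded DLL
    signed: bool            # whether the DLL carried a valid signature
    reasons: list = field(default_factory=list)  # heuristics that fired


# Constructed record layout: Image=<exe>|ImageLoaded=<dll>|Signed=<true|false>
LINE_RE = re.compile(
    r"Image=(?P<process>[^|]+)\|ImageLoaded=(?P<image>[^|]+)\|Signed=(?P<signed>true|false)",
    re.IGNORECASE,
)


def parse_line(line):
    """Return an ImageLoad for a well-formed record, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return ImageLoad(m["process"].strip(), m["image"].strip(),
                     m["signed"].lower() == "true")


def _dir(path):
    return path.lower().rsplit("\\", 1)[0] + "\\"


def _name(path):
    return path.lower().rsplit("\\", 1)[-1]


def assess(ev):
    """Attach a reason for every sideload heuristic the record matches."""
    img_dir = _dir(ev.image)
    if any(img_dir.startswith(p) for p in TRUSTED_PREFIXES):
        return ev  # DLL lives in a protected directory: not a sideload candidate
    if any(img_dir.startswith(p) for p in USER_WRITABLE_PREFIXES):
        ev.reasons.append("dll loaded from user-writable directory")
    if img_dir == _dir(ev.process):
        ev.reasons.append("dll sits beside its loading executable")
    if not ev.signed:
        ev.reasons.append("dll is unsigned")
    if _name(ev.image) in WATCHED_DLL_NAMES:
        ev.reasons.append("dll name on sideload watch-list")
    return ev


def scan(log_text, min_reasons=3):
    """Return the records that match at least min_reasons heuristics."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if len(assess(ev).reasons) >= min_reasons:
            flagged.append(ev)
    return flagged


# Constructed sample telemetry: one MSI-dropped sideload, three benign loads.
SAMPLE_LOG = r"""
Image=C:\Users\ana\AppData\Local\Temp\contrato\signed_app.exe|ImageLoaded=C:\Users\ana\AppData\Local\Temp\contrato\Lightshot.dll|Signed=false
Image=C:\Program Files\Lightshot\Lightshot.exe|ImageLoaded=C:\Program Files\Lightshot\Lightshot.dll|Signed=true
Image=C:\Windows\explorer.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true
Image=C:\Users\ana\Downloads\portable\tool.exe|ImageLoaded=C:\Users\ana\Downloads\portable\helper.dll|Signed=true
this line is not a record
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit.image, "<-", hit.process, "|", "; ".join(hit.reasons))
```

The threshold of three reasons is a tuning knob: the signed portable app in the fourth record matches two heuristics (user-writable path, DLL beside the executable) and stays below it, while the unpacked-from-MSI load matches all four. In a real deployment the prefix lists would come from the environment's own baseline and the records from Sysmon Event ID 7 or an equivalent EDR feed.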

Additionally, CHAVECLOAK is capable of locking the victim’s screen, logging keystrokes, and displaying fraudulent pop-up windows. The stolen data are transmitted to a C2 server, where the cybercriminals can use them for further attacks.

An earlier version of CHAVECLOAK has also been documented, distinguished by its method of distribution and post-infection actions. This “outdated” version contains a Delphi executable that deploys the final payload and employs PowerShell commands to circumvent Windows Defender protection.

The emergence of the CHAVECLOAK trojan underscores the escalating threat level in the financial sector, particularly among users in Brazil. Trojans like CHAVECLOAK demand vigilant attention and proactive security measures to protect against the evolving threats within South America’s financial realm.

Beyond CHAVECLOAK, Brazil has previously been the focus of other cybercriminal campaigns. For instance, in early February, specialists from Kaspersky Lab discovered the Coyote banking trojan, targeting users of more than 60 banking institutions, predominantly in Brazil. A notable feature of this banking trojan is its complex infection chain, which combines several advanced techniques and sets Coyote apart from other banking trojans.

Furthermore, in January, the activities of the Grandoreiro botnet were thwarted, resulting in victims suffering losses totaling $3.9 million. The majority of these victims were Windows users, with the highest number of attacks recorded in Brazil, Mexico, and Spain.