[MART] Daily Diary #346 - Meet Maxtrilha, A New Brazilian RAT

CTAS-MAT ctas-mat at appgate.com
Mon Sep 13 22:52:58 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

09/13/2021 - Diary entry #346:

A new banking malware named Maxtrilha has been found targeting users of financial institutions in Europe and South America. It is disseminated through phishing campaigns impersonating local authorities such as the "Autoridade Tributária e Aduaneira – Finanças" from Portugal.

Maxtrilha is another Brazilian strain of Remote Access Trojan. It has the same characteristics as other samples developed by criminals in Brazil, such as being written in Delphi. However, Maxtrilha samples are 64-bit binaries, which is not too common among other Brazilian malware samples.

The first stage of this malware opens a legitimate page during its execution to lend credibility to its phishing campaign. Next, it sends information about the victim's machine to the C2 server, creates persistence on the infected machine, disables some features in Internet Explorer, and downloads the final payload.

When the final payload is executed, it checks the internet connection and gets the victim's IP address and geolocation. Next, it starts to monitor the names of the victim's running applications to identify whether a banking institution is being accessed, in order to establish a remote connection with the fraudster. The malware can then receive commands to lock the victim's screen and show an overlay image impersonating the institution while the criminal performs fraudulent transactions.

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com
O: +55 11 97467 9549
