[MART] - Daily Diary #469 - Maxtrilha Banking Trojan Targets Portugal

CTAS-MAT ctas-mat at appgate.com
Mon Mar 14 22:32:55 UTC 2022 

Hello,

I hope everyone is doing well!

Below is the entry for today.

03/14/2022 - Diary entry #469:

Maxtrilha is a Brazilian banking Remote Access Trojan (RAT) that, like other Brazilian malware families, targets banks' customers from other countries (especially from LATAM and Europe). Recently, a new Maxtrilha campaign was spotted impacting end-users in Portugal.

This new campaign has multiple stages until the final payload is launched. Maxtrilha is spread via spam campaigns disguised as Portuguese Tax services with a URL that downloads an HTML file. The HTML file downloads a shortcut file, disguised as an installer (that needs to be executed by the victim), containing a command to download and execute an MSI file. Then, the MSI file downloads an executable responsible for downloading the next-stage payloads and, finally, extracting and launching the main module containing the RAT capabilities.

The final payload, like most Brazilian RATs, is written in Delphi and contains the usual capabilities like collecting keystrokes and clipboard data, inserting overlay windows when the victim access an internet banking or a targeted website, and sending the victim's data to a C2 server that, in this recent campaign, was curiously hosted in Russia.

Brazilian banking Trojans use a multi-staged attack chain that allowed them to become more resilient and their capabilities are easily configurable to aim targets on other countries. Besides that, they are always evolving their attack chain so each campaign can infect as many victims as possible to achieve their ultimate goal: steal money.

Kind Regards,

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/logo@2x.png]<https://www.appgate.com/>

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>



Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220314/7c180993/attachment.htm>

More information about the MART mailing list