Boleto Malware Targeting Brazilian Banks

Cyber criminals have been targeting the Boleto payment method in Brazil throughout the past year, leading to an estimated $3.75 billion in losses (Update: this previously reported figure may have been overstated by RSA), according to a recent report issued by RSA, the security division of EMC. The report details the actions of one specific fraud ring, the “Boleto bandits,” and discusses the Boleto malware they use to commit fraud. The report is very helpful in exposing to the general public a dangerous threat that is already well known to the Brazilian banking industry. As with every bit of news, there is more to the story.

Trusteer researchers have discovered two additional malware families targeting the Boleto payment system that operate quite differently from the Eupuds variant discussed in the RSA report. These families are not yet known to the industry as financial, or Boleto-related, malware. Trusteer research shows that approximately one in every 900 machines in Brazil is infected with some form of Boleto malware at any given time. We are sharing details of these families to help the industry combat the rising threat of Boleto payment malware.

We at Trusteer, an IBM company, have been fighting Boleto malware (the payment slip is officially the “Boleto Bancário”) for over a year, protecting our Brazilian bank clients from Boleto-related attacks. We would like to take this opportunity to contribute some of our insights and clarify the current state of this malware.

Boleto Malware Really Is a Multiheaded Monster

The recent RSA report focuses on one specific type of Boleto malware that uses Web injection to modify the Boleto payee fields. Since Boleto malware was first discovered early last year, we have seen multiple crime rings develop different attacks against Boleto payments; at least three distinct malware approaches are currently in operation. Each approach has multiple variants, all of which aim to modify the Boleto payment data on the client machine.

Web Injects

Recent Boleto malware announcements have focused primarily on one family, commonly referred to as Eupuds; an earlier blog from April 2013 discusses Eupuds.

Eupuds and similar variants alter the Boleto inside the Web page (a Web inject), rewriting the payee fields so that funds are diverted to fraudster, or mule, accounts. Web injection is the standard modus operandi of advanced financial malware and is also used by Zeus, SpyEye, Citadel and most other families.

DOM Manipulation

One new Boleto malware family discovered by Trusteer uses the Component Object Model (COM) interface to perform Document Object Model (DOM) manipulations in Internet Explorer. This gives the malware programmatic access to the internal data of targeted Web pages, which it uses to alter payee fields while hiding the change from the end user. As an example, Trusteer identified and named one such variant “Domingo” [md5 d972d719aab8f4750ee0b15187dc1ad0]. At the time of writing, the major AV companies detect this sample only as “generic,” not as Boleto Bancário malware.

Browser Extension Scanner

Another new Boleto Bancário malware family discovered by Trusteer adds extensions to Firefox and Chrome. This variant, which we named “Coleto,” is quite new and not yet widely used. It first downloads and installs a Firefox or Chrome extension. The extension then scans the Web pages the user visits for numbers that match the pattern of a Boleto number and, once such a number is found, substitutes a predefined number for it, diverting funds to a fraudster, or mule, account.
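Whether the payee data is rewritten by a Web inject, by COM-driven DOM manipulation in Internet Explorer, or by an extension that pattern-matches the page, the result is the same: a different 47-digit “linha digitável” in front of the customer. The following JavaScript is an added example, not code from the original post, from Trusteer or from the malware. It shows the kind of pattern such a scanner matches, and the check-digit validation and comparison against the server-issued number that a bank page, browser-side agent or analyst can apply to what the page actually renders. The field layout and check-digit rules are the standard FEBRABAN layout for bank boletos; the bank codes, amount, free field and page text are constructed for the example.

```javascript
// Added example, not from the original post or from Trusteer.
// Linha digitável scanner plus FEBRABAN check-digit validator, used to audit
// the boleto number a page shows against the one the bank issued.
// All sample values (bank codes, amount, free field, page text) are constructed.

// Modulo-10 check digit for fields 1-3: weights 2,1,2,... from the right;
// a product above 9 has its digits summed (equivalent to subtracting 9).
function mod10(digits) {
  let sum = 0, weight = 2;
  for (let i = digits.length - 1; i >= 0; i--) {
    let p = Number(digits[i]) * weight;
    if (p > 9) p -= 9;
    sum += p;
    weight = weight === 2 ? 1 : 2;
  }
  return (10 - (sum % 10)) % 10;
}

// Modulo-11 general check digit (barcode position 5, field 4 of the linha):
// weights 2..9 cycling from the right over the other 43 barcode digits;
// a result of 0, 10 or 11 is replaced by 1.
function mod11(digits43) {
  let sum = 0, weight = 2;
  for (let i = digits43.length - 1; i >= 0; i--) {
    sum += Number(digits43[i]) * weight;
    weight = weight === 9 ? 2 : weight + 1;
  }
  const dv = 11 - (sum % 11);
  return dv === 0 || dv === 10 || dv === 11 ? 1 : dv;
}

// 44-digit bank barcode: bank 1-3, currency 4, DV 5, due-date factor 6-9,
// amount in cents 10-19, bank-specific free field 20-44.
function buildBarcode(bank, currency, dueFactor, amountCents, freeField) {
  const amount = String(amountCents).padStart(10, "0");
  const without = bank + currency + dueFactor + amount + freeField; // 43 digits
  return bank + currency + mod11(without) + dueFactor + amount + freeField;
}

// 47-digit linha digitável: three mod-10-protected fields, the general DV,
// then due-date factor + amount.
function linhaFromBarcode(barcode) {
  if (!/^\d{44}$/.test(barcode)) throw new Error("barcode must be 44 digits");
  const f1 = barcode.slice(0, 4) + barcode.slice(19, 24);
  const f2 = barcode.slice(24, 34);
  const f3 = barcode.slice(34, 44);
  return f1 + mod10(f1) + f2 + mod10(f2) + f3 + mod10(f3) +
         barcode[4] + barcode.slice(5, 19);
}

// Human-readable form as printed on the slip: AAAAA.AAAAB BBBBB.BBBBBC ...
function formatLinha(d) {
  return `${d.slice(0, 5)}.${d.slice(5, 10)} ${d.slice(10, 15)}.${d.slice(15, 21)} ` +
         `${d.slice(21, 26)}.${d.slice(26, 32)} ${d[32]} ${d.slice(33)}`;
}

// Validate a formatted or bare linha digitável; returns its fields, or null
// when the length or any check digit is wrong.
function parseLinha(text) {
  const d = text.replace(/\D/g, "");
  if (d.length !== 47) return null;
  const f1 = d.slice(0, 9), f2 = d.slice(10, 20), f3 = d.slice(21, 31);
  if (mod10(f1) !== Number(d[9]) || mod10(f2) !== Number(d[20]) ||
      mod10(f3) !== Number(d[31])) return null;
  const freeField = f1.slice(4) + f2 + f3;
  const without = d.slice(0, 4) + d.slice(33, 47) + freeField; // barcode minus DV
  if (mod11(without) !== Number(d[32])) return null;
  return { bank: d.slice(0, 3), currency: d[3], dueFactor: d.slice(33, 37),
           amountCents: Number(d.slice(37, 47)), freeField };
}

// What a page scanner looks for: any run of digits, dots and whitespace that
// strips down to exactly 47 digits. The extension described above matches a
// pattern of this kind to find the number to replace; the same scan lets a
// defender enumerate what the page is showing.
function findBoletoNumbers(pageText) {
  const hits = [];
  for (const m of pageText.match(/\d(?:[\d.\s]*\d)?/g) || []) {
    const digits = m.replace(/\D/g, "");
    if (digits.length === 47) hits.push(digits);
  }
  return hits;
}

// Defender-side audit: compare every boleto number on the page with the one
// the server issued. A substituted number is normally a valid boleto for the
// mule's account, so structural validity alone proves nothing; the comparison
// against the expected value and beneficiary bank is the real check.
function auditPage(pageText, expectedLinha) {
  const expected = parseLinha(expectedLinha);
  return findBoletoNumbers(pageText).map((digits) => {
    const parsed = parseLinha(digits);
    let verdict;
    if (!parsed) verdict = "malformed";
    else if (digits === expectedLinha) verdict = "ok";
    else if (parsed.bank !== expected.bank) verdict = "substituted (different bank)";
    else verdict = "substituted";
    return { digits, verdict, parsed };
  });
}

// Constructed sample: the bank's genuine boleto (bank code 001) and a page on
// which malware has swapped in a boleto for a mule account at bank code 237.
const GENUINE = linhaFromBarcode(buildBarcode("001", "9", "1000", 1000, "1234567890123456789012345"));
const MULE = linhaFromBarcode(buildBarcode("237", "9", "1000", 1000, "9876543210987654321098765"));
const GENUINE_PAGE = "Boleto Bancario\nLinha digitavel: " + formatLinha(GENUINE) + "\nValor: R$ 10,00\n";
const TAMPERED_PAGE = "Boleto Bancario\nLinha digitavel: " + formatLinha(MULE) + "\nValor: R$ 10,00\n";

console.log(auditPage(GENUINE_PAGE, GENUINE).map((r) => r.verdict));  // [ 'ok' ]
console.log(auditPage(TAMPERED_PAGE, GENUINE).map((r) => r.verdict)); // [ 'substituted (different bank)' ]
```

Run it with node. Two caveats matter in practice. First, a scanner of this kind ignores the check digits entirely; the validator catches clumsy rewrites (a digit changed in place), but a fraudster's predefined number is a real boleto for the mule account and passes every structural check, so only the comparison with the server-issued value, and the beneficiary bank it encodes, flags the substitution. Second, when the malware controls the browser or the DOM, the audit code runs on the same compromised page and can itself be tampered with, which is the post's argument for detecting the malware on the device rather than trusting what the page reports.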

Recommendations: Effective Way to Fight Malware-Based Fraud

One recommendation in the RSA report is to use mobile banking applications, since they are immune to this malware, for now. We agree that this approach will work “for now,” but for how long, and at what cost?

We expect cyber criminals to develop techniques to commit fraud via mobile devices, especially if the PC attack vector becomes less lucrative. Forcing customers to transact via the mobile channel is hardly exemplary customer service; customers should be able to transact in whichever channel is most convenient for them. Most of the recommendations provided also put far too much onus on the bank customer to recognize when a fraud attempt is taking place.

Beyond the impractical end-user recommendations, the proposed solutions are mostly post-mortem, i.e., based on information obtained after the vendor gains access to known command and control (C&C) servers. This is far from real time: it happens after significant fraudulent transactions have already been conducted.

The most effective place to fight malware-based fraud is the point of attack: the customer’s device. If malware is not identified and prevented from operating there, every subsequent fraud prevention method (such as authentication and anomaly detection) can be tricked and bypassed, because the customer ends up authenticating a transaction whose payee the malware has already rewritten. By detecting and preventing the root cause of most financial fraud, the malware itself, Trusteer solutions prevent fraudulent transactions from being created before they enter the payments system.

The report also mentions that Boleto malware can circumvent client-side security plug-ins that hook into the user’s browser. As a leading provider of client-side malware protection to the world’s leading financial institutions, we can definitively state that this has not happened to Trusteer products, which have been protecting our Brazilian bank clients from Boleto malware for well over a year.

We recommend focusing on the root cause of fraud and winning the battle there. In this case, the root cause is the three families of Boleto Bancário malware, each using a different attack vector, with possibly more to come. Trusteer now protects over 1.6 million banking customers in Brazil from Boleto malware and all other forms of financial malware. Trusteer defenses are effective, adaptable and continually updated to combat the ever-changing malware threat facing financial institutions across the globe.
