Brazil loses well over $8 billion a year to Internet crime, which happens to be the No. 1 economic crime in the country. For some perspective on that statistic, cybercrime is ranked fourth in the rest of the world. With about 54 percent of Brazil’s 200 million citizens already using the Internet, there are lots of potential victims to go around, turning cybercrime into a lucrative business. It’s not surprising then that Brazil is the second-largest cybercrime generator in the world, ranking No. 1 in Latin America and the Caribbean as both a source and target of online attacks. With new variations of malware emerging more often than in any other region, Brazil’s got malware!

The Pezão Malware: Unique for Brazil

Brazilian malware is the malice of choice in 68 percent of all cyberattacks in the country. Local malicious code is known for a number of typical traits, but most of all for being programmed in Delphi — a rather simplistic approach to creating rather simplistic Trojans. Because of that, Brazil has hardly any defined malware families in the classic sense; each iteration is but a minor customization of something that has been used many times before.

But this was not the case with a newcomer dubbed Pezão. This simple Trojan has kept the common Brazilian M.O. but refreshed the coding by using .NET instead of Delphi. It’s quite interesting to see a new face in the region.

Pezão is an overlay type Trojan, discovered in the wild in early May 2015. It uniquely targets online banking customers in Brazil. Overlay malware forces users to close the browser window they were using and makes them use a browser it can better control — which in this case is Internet Explorer (IE) — under the guise of a security requirement from the bank.

Typical Overlay Flow

In order to steal credentials and token codes, the Pezão Trojan shuts down the user’s window and opens a full-screen IE window on the desktop. It then manipulates the view of the genuine bank’s page by sticking “overlay” images on top of the browser window.

The victims, who are tricked into believing they are on a legitimate page, enter their credentials and fresh token codes into the fake window, unknowingly sharing them with fraudsters.

Beyond collecting bank login credentials, attackers take a succession of screen captures of the victims’ activity. This could be a way to bypass virtual on-screen keyboards, collecting passwords that are clicked on-screen. The criminals then use the information to log in to bank accounts and perform fraudulent transactions.

Overlay malware is already rampant in Brazil, but it appears that malware authors in the area are stepping up their coding capabilities and using more malware variants to run a smoother operation. So how is Pezão different from anything else our researchers are seeing in Brazil at this time? There are a few notable points that show things are evolving.

Slimmed-Down EXE

The first notable evolution in the case of the Pezão Trojan is that it is not coded in Delphi. The overlay malware written in Delphi includes numerous images to mimic the look and feel of each bank it targets. As such, malware files containing these elements weigh up to 15 MB, making them bulky and easier to detect when they are downloaded to the computer.

Pezão is coded in .NET, a modern, more advanced programming framework. The new .NET genetics lend Pezão the ability to compile an executable, with all the images it needs, into a slim file that can weigh as little as 71 KB.

Talk to the Database

In quite an unusual manner, Pezão writes stolen data and even images directly into a database. Stolen passwords are written in cleartext, while stolen images are saved as hex-encoded strings.

Trojans like Zeus communicate with a command-and-control (C&C) server via PHP scripts or a Web page: when data is stolen from a compromised machine, it is PHP code on the server that writes it to a database of the attacker’s choice. Pezão, however, doesn’t use a C&C server at all. The malware steals data and collects image files from screen captures and then, instead of sending them to a C&C server, writes everything directly into the database itself.

The malware communicates over Tabular Data Stream (TDS), the application-layer protocol used by Microsoft SQL Server (and Sybase) to transfer data between a database server and a client. Sophisticated malware does not use a database in place of a C&C server, and when the technique is seen in the wild it is almost unfailingly in Brazil.
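From a defender’s point of view, the database-as-C&C design is also Pezão’s most visible network trait: an end-user workstation has little reason to open a TDS session to an outside host. The following is an added detection example, not code from the article or from any vendor product. It parses constructed Sysmon-style network-connection events (the key=value field names are assumptions, not a real product schema) and flags processes that talk TCP/1433 without being an approved database client, then points out destinations that several infected hosts share, which is what a common drop database looks like.

```python
"""Flag workstation processes that open TDS (MS SQL, TCP/1433) connections.

Added example (not from the original article or any vendor tool). Pezão is
described as writing stolen data straight into a SQL database over TDS
instead of talking to a C&C server. On an end-user workstation an arbitrary
process opening an outbound TDS session is unusual, so such events become
alerts unless the process is an approved database client. The log lines
below are constructed in a simplified Sysmon-like key=value layout; the
field names, hosts, paths and addresses are all made up for the demo.
"""
import re
from dataclasses import dataclass

TDS_PORTS = {1433}                                   # default MS SQL / TDS listener port
APPROVED_SQL_CLIENTS = {"ssms.exe", "sqlcmd.exe"}    # constructed allowlist of legit clients

# Constructed sample telemetry: NetworkConnect-style events, one per line.
SAMPLE_EVENTS = """\
ts=2015-05-04T10:01:12Z host=WKS-017 image=C:\\Windows\\explorer.exe proto=tcp dst=10.0.0.5 dport=445
ts=2015-05-04T10:02:40Z host=WKS-017 image=C:\\Users\\ana\\AppData\\Roaming\\atualizacao.exe proto=tcp dst=203.0.113.77 dport=1433
ts=2015-05-04T10:03:05Z host=WKS-017 image="C:\\Program Files\\Internet Explorer\\iexplore.exe" proto=tcp dst=198.51.100.9 dport=443
ts=2015-05-04T10:04:22Z host=WKS-031 image=C:\\Tools\\sqlcmd.exe proto=tcp dst=10.0.0.20 dport=1433
ts=2015-05-04T10:05:00Z host=WKS-031 image=C:\\Users\\joao\\Downloads\\boleto.exe proto=tcp dst=203.0.113.77 dport=1433
"""

# key=value pairs; values may be quoted when they contain spaces (e.g. paths).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Alert:
    host: str
    image: str
    dst: str
    dport: int


def parse_event(line):
    """Turn one key=value log line into a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_suspicious_tds(ev):
    """True when a process outside the allowlist opens an outbound TDS connection."""
    if ev.get("proto") != "tcp" or int(ev.get("dport", 0)) not in TDS_PORTS:
        return False
    exe = ev.get("image", "").rsplit("\\", 1)[-1].lower()   # basename of the image path
    return exe not in APPROVED_SQL_CLIENTS


def find_tds_alerts(log_text):
    """Run every non-empty event line through the TDS check and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_suspicious_tds(ev):
            alerts.append(Alert(ev["host"], ev["image"], ev["dst"], int(ev["dport"])))
    return alerts


def shared_destinations(alerts):
    """Destinations that more than one host writes to: the signature of a shared drop database."""
    hosts_by_dst = {}
    for a in alerts:
        hosts_by_dst.setdefault(a.dst, set()).add(a.host)
    return {dst for dst, hosts in hosts_by_dst.items() if len(hosts) > 1}


if __name__ == "__main__":
    alerts = find_tds_alerts(SAMPLE_EVENTS)
    for a in alerts:
        print(f"[TDS from unexpected process] {a.host} {a.image} -> {a.dst}:{a.dport}")
    for dst in shared_destinations(alerts):
        print(f"[shared drop database] {dst}")
```

The allowlist is deliberately short: on a banking customer’s PC the honest answer to “which processes should speak TDS?” is usually “none,” so the second function, which correlates destinations across hosts, is what turns a noisy per-host rule into a campaign-level indicator.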

Generic Theft From Chrome and Outlook

Pezão is rather generic in terms of what it steals from the victim. Instead of the more advanced technique of hooking the browser and stealing form data on the fly, the malware installs a Google Chrome plugin designed to steal all saved username and password combinations. If the victim uses another browser, the plugin is useless. The data stolen from Chrome is stored in cleartext in the attacker’s database.
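A browser extension dropped by malware looks different from one the user installed from the Web Store, and that difference is something an incident responder can check for. Below is an added triage example, not code from the article. It inspects a constructed, simplified stand-in for the "extensions.settings" section of a Chrome profile’s Preferences file and reports extensions that are both sideloaded and broadly privileged. The field names used (from_webstore, path, manifest.permissions) follow Chrome’s layout as this editor understands it and are assumptions to verify against the browser version under investigation; the extension ids, names and paths are made up.

```python
"""Spot sideloaded Chrome extensions with broad host permissions.

Added example, not from the article. Pezão is described as installing a
Chrome plugin to harvest saved credentials. An extension pushed onto a
machine by malware is not installed from the Web Store and typically asks
for access to every site. The JSON below is a constructed, simplified
stand-in for the "extensions.settings" section of a Chrome profile's
Preferences file; the field names (from_webstore, path,
manifest.permissions) are assumptions about Chrome's layout and the ids,
names and paths are invented for the demo.
"""
import json

SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {      # constructed id: a normal store install
                "from_webstore": True,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
                "manifest": {"name": "Sample Store Extension",
                             "permissions": ["storage"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {      # constructed id: unpacked, over-privileged
                "from_webstore": False,
                "path": "C:\\Users\\ana\\AppData\\Roaming\\upd\\ext",
                "manifest": {"name": "Modulo de Seguranca",
                             "permissions": ["<all_urls>", "webRequest", "tabs"]},
            },
        }
    }
})

# Host-permission patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}


def is_absolute_path(path):
    """Store installs use profile-relative paths (assumption); unpacked ones use absolute paths."""
    return ":\\" in path or path.startswith("/")


def risky_extensions(preferences_json):
    """Return (id, name, reasons) for extensions that look sideloaded and over-privileged.

    An extension is reported when at least two independent signals agree, so a
    single odd field (e.g. a developer's own unpacked extension with narrow
    permissions) does not produce an alert by itself.
    """
    prefs = json.loads(preferences_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    results = []
    for ext_id, ext in settings.items():
        reasons = []
        if not ext.get("from_webstore", False):
            reasons.append("not from Web Store")
        if is_absolute_path(ext.get("path", "")):
            reasons.append("unpacked from absolute path")
        perms = set(ext.get("manifest", {}).get("permissions", []))
        if perms & BROAD_HOSTS:
            reasons.append("broad host permissions")
        if len(reasons) >= 2:
            name = ext.get("manifest", {}).get("name", "?")
            results.append((ext_id, name, reasons))
    return results


if __name__ == "__main__":
    for ext_id, name, reasons in risky_extensions(SAMPLE_PREFERENCES):
        print(f"{ext_id} ({name}): {', '.join(reasons)}")
```

Requiring two signals rather than one keeps a developer’s own unpacked test extension out of the alert list while still catching the combination the article describes: something the user never chose from the store that can read every page they visit.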

Another generic theft by Pezão is the grabbing of the victim’s Outlook username and password (SMTP credentials) and contact list, which are typically used to send malware spam afterward.

Something Vintage? Hard-Code Everything

Pezão’s authors do keep things simple. A single file carries everything the malware needs to do its work, including its configuration, its images and even the password to the database.

If we take modern-day malware like Zeus or Dyre as examples, we see that they save their configuration files somewhere on the infected machine and call on them from that location when needed. They can thus update the configuration and have it call on remote content that is kept hidden from outsiders.

Pezão does things the vintage way. Of course, this makes it easier to reveal all of its tricks, which is why these old-fashioned methods are almost never seen anymore — except in Brazil.
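Hard-coding the database connection string does make the malware easier to expose, provided the analyst looks in the right encoding: .NET keeps literal strings in the assembly’s metadata (the #US heap) as UTF-16LE, so a plain ASCII strings pass walks right past them. The helper below is an added example, not code from the article or any analysis tool. It scans a constructed byte blob for both ASCII and UTF-16LE runs, picks out anything shaped like an ADO.NET connection string, and reports it with the password redacted so the indicator can be shared without spreading the credential. The server name, database, user and password in the sample are invented placeholders.

```python
"""Triage helper: find hard-coded SQL connection strings in a .NET sample.

Added example, not code from the article. The article notes that Pezão
carries its configuration, including the database password, inside the
single executable. .NET stores literal strings in the metadata #US heap as
UTF-16LE, so a plain ASCII strings pass misses them; this helper scans a
binary blob for both encodings, picks out ADO.NET-style connection strings
and reports them with the password redacted. The blob below is constructed
for the demo; the server name, user and password are made-up placeholders.
"""
import re

# Constructed stand-in for a sample: junk bytes around a UTF-16LE connection string.
FAKE_CONFIG = "Server=db.example.invalid,1433;Database=coleta;User Id=app;Password=Pl4ceh0lder!;"
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00" + bytes(range(256)) * 2          # header-ish bytes plus filler
    + b"\x01\x00" + FAKE_CONFIG.encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe" + b"plain ascii marker here" + b"\x00" * 16
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")              # printable ASCII runs of 6+ chars
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")      # same, as UTF-16LE code units


def extract_strings(blob):
    """Return printable runs (>= 6 chars) found both as ASCII and as UTF-16LE."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(blob)]
    return found


# Keywords that appear in ADO.NET / ODBC-style connection strings.
CONN_KEYS = ("server=", "data source=", "user id=", "uid=", "password=", "pwd=")
PWD_RE = re.compile(r"(password|pwd)=([^;]*)", re.IGNORECASE)


def redact_password(conn_str):
    """Replace the password value so the indicator can be shared safely."""
    return PWD_RE.sub(lambda m: f"{m.group(1)}=<redacted>", conn_str)


def find_connection_strings(blob):
    """Strings that look like connection strings (two or more keywords), passwords redacted."""
    hits = []
    for s in extract_strings(blob):
        low = s.lower()
        if sum(k in low for k in CONN_KEYS) >= 2:
            hits.append(redact_password(s))
    return hits


if __name__ == "__main__":
    for hit in find_connection_strings(SAMPLE_BLOB):
        print("[hard-coded connection string]", hit)
```

Requiring two connection-string keywords rather than one avoids matching every stray "Server=" in unrelated text, and the UTF-16LE pass is the part that matters for .NET samples; run against a real file the blob would simply be the bytes read from disk.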

Launch IE and Overlays

To force the launch of IE, Pezão monitors the explorer.exe process for browser windows. As soon as one is opened, it prompts the user to authorize the use of “another browser” for supposed security purposes.

Clicking OK opens IE in full screen.

Since it looks for any open browser windows, Pezão affects all browsers. Once the IE instance is launched, victims typically try to access their bank’s website again.

It is at that point that they begin seeing stick-on or overlay images with social engineering messages about “securing their account”:

Pezão’s social engineering screens inform victims that they need to have their security updated — the most common ploy used by malware of all grades.

Another example of a stored image used by Pezão is shown below, claiming to “install an additional security module”:

After the initial social engineering bit, Pezão goes on to ask the victim for a token code, adapting the request’s look and content to the targeted bank. This part also uses the stored images Pezão comes with.

The first image below asks victims to enter their account password:

The second image asks the victim to enter a generated token, sometimes supplemented with a request for date of birth or a six-digit password that should be submitted from a token card:

Getting Out There

How prolific is Pezão? It seems to be doing quite well, infecting close to 800 unique machines within two days. Pezão’s operators are conducting a local campaign, bringing the malware to unsuspecting victims through email spam. It joins the diverse pool of local cyberthreats that make up 95 percent of malware active in Brazil, according to IBM Security Trusteer.

How can banks protect customers from Pezão’s tricks? By having customers install security software that blocks the installation of the malware, as well as actions like screen capturing or forced full-screen view, banks can paralyze Pezão and malware like it.
