May 13, 2015 | By Limor Kessem and Martin Korman | 6 min read

Brazil loses well over $8 billion a year to Internet crime, which is the No. 1 economic crime in the country; in the rest of the world, cybercrime ranks fourth. With about 54 percent of Brazil’s 200 million citizens already online, there are plenty of potential victims to go around, which makes cybercrime a lucrative business. It is not surprising, then, that Brazil is the second-largest generator of cybercrime in the world and ranks No. 1 in Latin America and the Caribbean as both a source and a target of online attacks. With new malware variations emerging more often than in any other region, Brazil’s got malware!

The Pezão Malware: Unique for Brazil

Locally written malware is the weapon of choice in 68 percent of all cyberattacks in the country. Brazilian malicious code has a number of typical traits, but above all it is programmed in Delphi, a rather simplistic approach that produces rather simplistic Trojans. Because of that, Brazil has hardly any defined malware families in the classic sense; each iteration is a minor customization of something that has been used many times before.

But this was not the case with a newcomer dubbed Pezão. This simple Trojan keeps the common Brazilian M.O. but refreshes the coding by building on the .NET framework instead of Delphi. It is quite interesting to see a new face in the region.

Pezão is an overlay-type Trojan, discovered in the wild in early May 2015, that targets online banking customers in Brazil exclusively. Overlay malware forces users to close the browser window they were using and pushes them into a browser it can better control, in this case Internet Explorer (IE), under the guise of a security requirement from the bank.

Typical Overlay Flow

To steal credentials and token codes, the Pezão Trojan shuts down the user’s window and opens a full-screen IE window on the desktop. It then manipulates the view of the genuine bank page by sticking “overlay” images on top of the browser window.

The victims, who are tricked into believing they are on a legitimate page, enter their credentials and fresh token codes into the fake window, unknowingly sharing them with fraudsters.

Beyond collecting bank login credentials, the attackers take a succession of screen captures of the victim’s activity. This is likely a way to bypass virtual on-screen keyboards, capturing passwords that are clicked rather than typed. The criminals then use the information to log in to bank accounts and perform fraudulent transactions.

Overlay malware is already rampant in Brazil, but it appears that malware authors in the area are stepping up their coding capabilities and using more malware variants to run a smoother operation. So how is Pezão different from anything else our researchers are seeing in Brazil at this time? There are a few notable points that show things are evolving.

Slimmed-Down EXE

The first notable evolution in the Pezão Trojan is that it is not coded in Delphi. Overlay malware written in Delphi bundles numerous images to mimic the look and feel of each targeted bank, so the malware files weigh up to 15 MB, which makes them bulky and easier to detect when downloaded to the computer.

Pezão is built on .NET, a managed framework rather than a single language, and a more modern platform than Delphi. That lets its authors compile an executable, with all the images it needs, into a slim file that can weigh as little as 71 KB.

Talk to the Database

Quite unusually, Pezão writes stolen data, and even images, directly into a database. Stolen passwords are written in cleartext; stolen images are stored hex-encoded.

Trojans like Zeus communicate with a command-and-control (C&C) server via PHP scripts or a Web page; when data is stolen from a compromised machine, PHP code on the server side writes it into a database of the attacker’s choosing. Pezão does not use a C&C server at all. It steals data, collects image files from screen captures and then, instead of sending them to a C&C server, connects to the database itself and writes everything straight into it.

The malware communicates over Tabular Data Stream (TDS), the application-layer protocol that Microsoft SQL Server (and Sybase) clients use to exchange requests and results with the database server; its default TCP port is 1433. Sophisticated malware does not use a database in place of a C&C server, and when the technique is seen in the wild it is almost unfailingly in Brazil. For defenders, the flip side is that an infected workstation opens a direct SQL client session to a server it has no business talking to, a connection that stands out in network telemetry.
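As an added illustration (not code from the Pezão sample or from IBM Trusteer), the following Python spots that kind of direct TDS client session in captured flows. It assumes a capture that records, per TCP flow, the source, destination, destination port and the first bytes the client sent; the TDS header layout is taken from the MS-TDS specification, and the sample flows, addresses and approved-server list are constructed for the example.

```python
"""Spot direct TDS (MS SQL client) sessions from workstations.

Added example, not code from the Pezão sample or from IBM Trusteer.
Assumes a flow record of (src, dst, dport, first_bytes_from_client).
All addresses and flows below are constructed for the illustration.
"""
import struct

# TDS packet header (MS-TDS): Type(1) Status(1) Length(2, big-endian) SPID(2) PacketID(1) Window(1)
TDS_HEADER_LEN = 8

# Packet type values defined by the MS-TDS specification.
TDS_TYPES = {
    0x01: "SQL_BATCH",
    0x03: "RPC",
    0x04: "TABULAR_RESULT",
    0x0E: "TRANSACTION_MANAGER",
    0x10: "TDS7_LOGIN",
    0x12: "PRELOGIN",
    0x17: "TLS_SSL",
}

STATUS_EOM = 0x01  # end-of-message bit in the Status byte


def parse_tds_header(data: bytes):
    """Return a dict describing a TDS packet header, or None if `data` does not look like one."""
    if len(data) < TDS_HEADER_LEN:
        return None
    ptype, status, length, spid, packet_id, window = struct.unpack(">BBHHBB", data[:TDS_HEADER_LEN])
    # Unknown type byte, or a length smaller than the header itself, is not TDS.
    if ptype not in TDS_TYPES or length < TDS_HEADER_LEN:
        return None
    return {
        "type": TDS_TYPES[ptype],
        "eom": bool(status & STATUS_EOM),
        "length": length,
        "spid": spid,
        "packet_id": packet_id,
        "window": window,  # reserved, normally 0
    }


def triage_flows(flows, approved_db_servers):
    """Flag flows whose first client bytes are a TDS PRELOGIN or LOGIN
    to a destination that is not an approved database host.

    Matching on the header, not the port, catches servers on non-default ports.
    """
    alerts = []
    for src, dst, dport, first_bytes in flows:
        hdr = parse_tds_header(first_bytes)
        if hdr is None or hdr["type"] not in ("PRELOGIN", "TDS7_LOGIN"):
            continue
        if dst in approved_db_servers:
            continue
        alerts.append({"src": src, "dst": dst, "dport": dport, "tds": hdr["type"]})
    return alerts


# Constructed sample data: a PRELOGIN header with a minimal body (terminator token + padding),
# the first bytes of an ordinary TLS ClientHello, and four flows from two workstations.
SAMPLE_PRELOGIN = b"\x12\x01\x00\x10\x00\x00\x01\x00" + b"\xff" + b"\x00" * 7
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xc4\x01\x00\x00"
APPROVED_DB_SERVERS = {"10.0.0.5"}  # the organisation's own SQL server (constructed)
SAMPLE_FLOWS = [
    ("10.0.1.23", "10.0.0.5", 1433, SAMPLE_PRELOGIN),           # in-house SQL server: expected
    ("10.0.1.23", "198.51.100.7", 443, TLS_CLIENT_HELLO_PREFIX),  # ordinary HTTPS: not TDS
    ("10.0.1.42", "203.0.113.10", 1433, SAMPLE_PRELOGIN),        # workstation -> Internet SQL server
    ("10.0.1.42", "198.51.100.23", 14330, SAMPLE_PRELOGIN),      # same thing on a non-default port
]

if __name__ == "__main__":
    for alert in triage_flows(SAMPLE_FLOWS, APPROVED_DB_SERVERS):
        print(alert)
```

PRELOGIN and TDS7 LOGIN are the first packets a client sends, so those two types from a workstation to a server outside the approved list are enough to surface a direct database write wherever the operator hosts the server.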

Generic Theft From Chrome and Outlook

Pezão is rather generic in terms of what it steals from the victim. Instead of the more advanced technique of hooking the browser and grabbing form submissions on the fly, the malware installs a Google Chrome plugin designed to steal all saved username and password combinations. If the victim uses another browser, the plugin is useless. The data stolen from Chrome is stored in cleartext in the attacker’s database.

Another generic theft by Pezão is the grabbing of the victim’s Outlook username and password (SMTP credentials) and contact list, which are typically reused afterward to send malware spam.

Something Vintage? Hard-Code Everything

Pezão’s authors keep things simple. One file does all the work and carries everything with it: configuration, images and even the password to the database are hard-coded into the executable.

Modern malware such as Zeus or Dyre, by contrast, saves its configuration somewhere on the infected machine and reads it from that location when needed. The operators can thus update the configuration and have the malware call on remote content that stays hidden from outsiders.

Pezão does things the vintage way. Of course, this makes it easier to reveal all of its tricks, including the location of, and the credentials to, the database that holds the stolen data, which is why these old-fashioned methods are almost never seen anymore, except in Brazil.
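Because everything is hard-coded, a sample can be mined for its database connection string without running it. The Python below is an added example, not the Pezão sample’s code or IBM’s tooling; it assumes only that the connection string is stored as a plain ASCII or UTF-16LE string (the encoding .NET uses for user strings in the #US heap) and scans a constructed byte blob that stands in for the executable. The host, database name, account and password in that blob are made up for the illustration.

```python
"""Mine a binary for hard-coded database connection strings.

Added example, not code from the Pezão sample or from IBM. Assumes the
connection string is present as an ASCII or UTF-16LE string; the blob
below is a constructed stand-in for an executable.
"""
import re

# Keys that commonly appear in SQL Server style "k=v;k=v" connection strings.
CONN_KEYS = ("server", "data source", "user id", "uid", "password", "pwd",
             "initial catalog", "database")

ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")            # printable ASCII, 8+ chars
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")   # same chars as UTF-16LE


def extract_strings(blob: bytes):
    """Return printable ASCII and UTF-16LE runs found in the blob."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found


def parse_connection_string(s: str):
    """Split 'k=v;k=v' into a dict with lower-cased keys.

    Returns None unless at least two recognised connection-string keys are present,
    which keeps ordinary strings containing '=' (base64, URLs) out of the results.
    """
    parts = {}
    for chunk in s.split(";"):
        if "=" not in chunk:
            continue
        key, value = chunk.split("=", 1)
        parts[key.strip().lower()] = value.strip()
    if sum(k in parts for k in CONN_KEYS) < 2:
        return None
    return parts


def find_connection_strings(blob: bytes):
    """Return every parsed connection string embedded in the blob."""
    results = []
    for s in extract_strings(blob):
        parsed = parse_connection_string(s)
        if parsed is not None:
            results.append(parsed)
    return results


# Constructed stand-in for a .NET executable: a DOS stub string, a UTF-16LE
# connection string and an ASCII query, separated by padding. Values are made up.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 8
    + "Server=203.0.113.5,1433;Database=dbname;User ID=app;Password=hunter2;".encode("utf-16-le")
    + b"\x00" * 8
    + b"SELECT 1 FROM sys.tables"
    + b"\x00" * 4
)

if __name__ == "__main__":
    for cs in find_connection_strings(SAMPLE_BLOB):
        # Never print recovered secrets into shared notes; the host is what you block.
        print({k: ("<redacted>" if k in ("password", "pwd") else v) for k, v in cs.items()})
```

The recovered server address is the piece worth acting on: it is the destination every infected machine will connect to, so it can go straight into egress blocking and into the flow triage above, while the credentials should be handled as evidence rather than tried against the attacker’s server.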

Launch IE and Overlays

To force the launch of IE, Pezão monitors the explorer.exe process for browser windows. As soon as one is opened, it prompts the user to authorize the use of “another browser,” supposedly for security purposes.

Clicking OK opens IE in full screen.

Because it looks for any open browser window, Pezão affects all browsers. Once the IE instance is launched, victims typically try to access their bank’s website again.

It is at that point that they begin seeing stick-on or overlay images with social engineering messages about “securing their account”:

Pezão’s social engineering screens inform victims that they need to have their security updated — the most common ploy used by malware of all grades.

Another example of a stored image used by Pezão is shown below, claiming to “install an additional security module”:

After the initial social engineering bit, Pezão goes on to ask the victim for a token code, adapting the request’s look and content to the targeted bank. This part also uses the stored images Pezão comes with.

The first image below asks victims to enter their account password:

The second image asks the victim to enter a generated token, sometimes supplemented with a request for date of birth or a six-digit password that should be submitted from a token card:

Getting Out There

How prolific is Pezão? It seems to be doing quite well, infecting close to 800 unique machines within two days. Pezão’s operators are running a local campaign, delivering the malware to unsuspecting victims through email spam. It joins the diverse pool of local cyberthreats that make up 95 percent of the malware active in Brazil, according to IBM Security Trusteer.

How can banks protect customers from Pezão’s tricks? Security software on the customer’s machine that blocks the installation of the malware, as well as the actions it depends on, such as screen capturing and forcing a full-screen browser view, can paralyze Pezão and malware like it. Because the overlay harvests a fresh token code at the moment of login, the one-time token by itself is not a defense; the malware has to be stopped on the endpoint or the resulting session flagged on the bank’s side.
