Brazil loses well over $8 billion a year to Internet crime, which happens to be the No. 1 economic crime in the country. For some perspective on that statistic, cybercrime is ranked fourth in the rest of the world. With about 54 percent of Brazil’s 200 million citizens already using the Internet, there are lots of potential victims to go around, turning cybercrime into a lucrative business. It’s not surprising then that Brazil is the second-largest cybercrime generator in the world, ranking No. 1 in Latin America and the Caribbean as both a source and target of online attacks. With new variations of malware emerging more often than in any other region, Brazil’s got malware!

The Pezão Malware: Unique for Brazil

Brazilian malware is the malice of choice in 68 percent of all cyberattacks in the country. Local malicious code is known for a number of typical traits, but most of all for being programmed in Delphi — a rather simplistic approach to creating rather simplistic Trojans. Because of that, Brazil has hardly any defined malware families, in the classic sense, with each iteration being but a minor customization of something that was used many times before.

But this was not the case with a newcomer dubbed Pezão. This simple Trojan has kept the common Brazilian M.O. but refreshed the coding by using .NET instead of Delphi. It’s quite interesting to see a new face in the region.

Pezão is an overlay type Trojan, discovered in the wild in early May 2015. It uniquely targets online banking customers in Brazil. Overlay malware forces users to close the browser window they were using and makes them use a browser it can better control — which in this case is Internet Explorer (IE) — under the guise of a security requirement from the bank.

Typical Overlay Flow

In order to steal credentials and token codes, the Pezão Trojan shuts down the user’s window and opens a full-screen IE window on the desktop. It then manipulates the view of the genuine bank’s page by sticking “overlay” images on top of the browser window.

The victims, who are tricked into believing they are on a legitimate page, enter their credentials and fresh token codes into the fake window, unknowingly sharing them with fraudsters.

Beyond collecting bank login credentials, attackers take a succession of screen captures of the victims’ activity. This could be a way to bypass virtual on-screen keyboards, collecting passwords that are clicked on-screen. The criminals then use the information to log in to bank accounts and perform fraudulent transactions.

Overlay malware is already rampant in Brazil, but it appears that malware authors in the area are stepping up their coding capabilities and using more malware variants to run a smoother operation. So how is Pezão different from anything else our researchers are seeing in Brazil at this time? There are a few notable points that show things are evolving.

Slimmed-Down EXE

The first notable evolution in the case of the Pezão Trojan is that it is not coded in Delphi. Overlay malware written in Delphi includes numerous images to mimic the look and feel of each bank it targets. As such, malware files containing these elements weigh up to 15 MB, making them bulky and easier to detect upon download to the computer.

Pezão is coded in .NET, a modern, more advanced programming language. The new .NET genetics lend Pezão the ability to compile an executable, with all the images it needs, in a slim file that can weigh as little as 71 KB.

Talk to the Database

In quite an unusual manner, Pezão writes stolen data and even images directly into a database. Stolen passwords are written in cleartext, while stolen images are saved in hex code.

If we look at Trojans like Zeus, they all communicate with a command-and-control (C&C) server via PHP scripts or a Web page. When data is stolen from a compromised machine, it is PHP code that writes it to a database of the attacker’s choice. However, Pezão doesn’t use a C&C server: The malware steals data and collects image files from screen captures and then, instead of sending them to a C&C server, writes everything directly into a database. Images are written into the database in hex code.

The malware communicates over Tabular Data Stream (TDS), an application layer protocol used for transferring data between a database server and a client. Using a database in place of a C&C server is not something sophisticated malware does, but when it is seen in the wild it is almost unfailingly in Brazil.
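Because Pezão replaces a C&C channel with direct TDS connections to the attacker’s database, a workstation speaking TDS to a host that is not an approved SQL server is a useful hunting signal. The following is an added example (not code from the original article or from the malware) that parses the 8-byte TDS packet header and flags PRELOGIN/LOGIN7 handshakes toward unapproved hosts; the flows, IP addresses and approved-server list are constructed.

```python
"""Flag TDS (MS SQL) handshakes leaving a workstation toward hosts that are not
approved database servers. Added example; sample flows below are constructed."""
import struct
from ipaddress import ip_address

# TDS packet types from the MS-TDS specification (header byte 0).
TDS_TYPES = {0x01: "SQL_BATCH", 0x03: "RPC", 0x04: "TABULAR_RESULT",
             0x10: "LOGIN7", 0x12: "PRELOGIN"}
# Header layout: type, status, length (big-endian), SPID, packet id, window.
TDS_HEADER = struct.Struct(">BBHHBB")


def parse_tds_header(data: bytes):
    """Return (type name, declared length) if data starts with a plausible TDS header, else None."""
    if len(data) < TDS_HEADER.size:
        return None
    ptype, _status, length, _spid, _pid, window = TDS_HEADER.unpack_from(data)
    # Sanity checks: known type, length at least covers the header, window is always 0.
    if ptype not in TDS_TYPES or length < TDS_HEADER.size or window != 0:
        return None
    return TDS_TYPES[ptype], length


def flag_rogue_tds(flows, approved_db_servers):
    """flows: iterable of (src_ip, dst_ip, dst_port, first payload bytes).
    Returns one alert string per TDS handshake aimed at a host outside the approved set."""
    alerts = []
    for src, dst, dport, payload in flows:
        parsed = parse_tds_header(payload)
        if parsed is None:
            continue
        ptype, _length = parsed
        if ptype in ("PRELOGIN", "LOGIN7") and ip_address(dst) not in approved_db_servers:
            alerts.append(f"{src} -> {dst}:{dport} TDS {ptype} to unapproved SQL server")
    return alerts


# Constructed sample: a PRELOGIN to an external host (should alert), a LOGIN7 to the
# corporate database (approved, no alert) and a TLS ClientHello that must not match.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 1433, TDS_HEADER.pack(0x12, 0x01, 0x2F, 0, 1, 0) + b"\x00" * 39),
    ("10.0.0.5", "10.0.0.20", 1433, TDS_HEADER.pack(0x10, 0x01, 0x5E, 0, 1, 0) + b"\x00" * 86),
    ("10.0.0.5", "203.0.113.11", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),
]
APPROVED_DB_SERVERS = {ip_address("10.0.0.20")}  # constructed allow-list

if __name__ == "__main__":
    for alert in flag_rogue_tds(SAMPLE_FLOWS, APPROVED_DB_SERVERS):
        print(alert)
```

In practice the first payload bytes would come from a flow capture or network sensor, and the allow-list from the organization’s database inventory.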

Generic Theft From Chrome and Outlook

Pezão is a rather generic malware in terms of what it steals from the victim. Instead of the more advanced way of hooking the browser and stealing form requests on the fly, the malware installs a Google Chrome plugin designed to steal all saved username and password combinations. If the victim uses another browser, this plugin is useless. The data stolen from Chrome is stored in cleartext in the attacker’s database.

Another generic theft from Pezão is the grabbing of the victim’s Outlook username, password (SMTP credentials) and contact list. This is typically used for malware spam thereafter.

Something Vintage? Hard-Code Everything

Pezão’s authors do keep things simple. They use one file to have their malware do all the work, including configuration, images and even the password to the database.

If we take modern-day malware like Zeus or Dyre as examples, we would see they save their configuration files somewhere on the infected machine and call on them from that location when needed. They can thus update them and have them call on remote content that can be kept hidden from outsiders.

Pezão does things the vintage way. Of course, this makes it easier to reveal all of its tricks, which is why these old-fashioned methods are almost never seen anymore — except in Brazil.

Launch IE and Overlays

To force the launch of IE, Pezão monitors the explorer.exe process for browser windows. As soon as one is opened, it prompts the user to authorize the use of “another browser” for supposed security purposes.

Clicking OK opens IE in full screen.

Since it looks for any open browser windows, Pezão affects all browsers. Once the IE instance is launched, victims typically try to access their bank’s website again.

It is at that point that they begin seeing stick-on or overlay images with social engineering messages about “securing their account”:

Pezão’s social engineering screens inform victims that they need to have their security updated — the most common ploy used by malware of all grades.

Another example of a stored image used by Pezão is shown below, claiming to “install an additional security module”:

After the initial social engineering bit, Pezão goes on to ask the victim for a token code, adapting the request’s look and content to the targeted bank. This part also uses the stored images Pezão comes with.

The first line below asks victims to enter their account password:

The second image asks the victim to enter a generated token, sometimes supplemented with a request for date of birth or a six-digit password that should be submitted from a token card:

Getting Out There

How prolific is Pezão? It seems that it is doing quite well, infecting close to 800 unique machines within two days. Pezão’s operators are conducting a local campaign, bringing the malware to unsuspecting victims through email spam. It joins the diverse pool of local cyberthreats that make up 95 percent of malware active in Brazil, according to IBM Security Trusteer.

How can banks protect customers from Pezão’s tricks? By having customers install security software that can block the installation of the malware, as well as actions like screen capturing or forced full-screen view, Pezão and malware like it can be paralyzed.
