Advanced Banking Trojan GoPix Targets Brazilian Financial Sector
GoPix, an advanced persistent threat identified by Kaspersky, is actively targeting customers of Brazilian financial institutions and cryptocurrency users. This sophisticated malware uses memory-only implants and obfuscated PowerShell scripts to execute man-in-the-middle attacks and steal sensitive data, leveraging malvertising techniques to compromise its victims.
GoPix’s infection methodology begins with malvertising campaigns that lure users to fake landing pages. Once a potential victim accesses one of these pages, the malware uses legitimate anti-fraud services to determine whether they are a target or a bot. If deemed a target, the victim is served a malicious installer, which can vary based on certain environmental checks, such as the presence of security software like Avast. This dynamic delivery method illustrates a notable escalation in targeting techniques, as the Trojan evolves by altering its deployment to avoid detection mechanisms utilized by security tools.
Defensive Context
Organizations within the Brazilian financial sector, particularly those offering online banking services, should be acutely aware of the GoPix threat. The sophisticated nature of the attacks, including the use of legitimate services for target validation and the ability to execute commands without leaving significant traces on disk, makes detection and response efforts particularly challenging. Companies with clients who utilize popular payment methods in Brazil, such as Pix and Boleto, are at higher risk due to GoPix’s clipboard manipulation tactics.
Why This Matters
This threat poses a tangible risk to financial institutions and their customers in Brazil, potentially leading to significant financial losses through theft or fraudulent transactions. Entities relying on online transaction methods are particularly vulnerable, as GoPix’s capabilities are tailored to capture and manipulate transaction information actively.
Defender Considerations
Organizations should prioritize understanding how GoPix identifies and selects victims. Detection opportunities might arise from monitoring for suspicious connections involving known malicious URLs and analyzing network traffic for signs of man-in-the-middle attack patterns. Identifying anomalies in transaction behaviors and ensuring that any software signed by potentially stolen certificates is treated with skepticism may also aid in mitigating risks associated with this threat.
Indicators of Compromise (IOCs)
Malicious Files:
- NSIS Installer:
EB0B4E35A2BA442821E28D617DD2DAA2 - ZIP Archive with LNK File:
C64AE7C50394799CE02E97288A12FFF - Malware Dropper:
D3A17CB4CDBA724A0021F5076B33A103 - Main Payload:
28C314ACC587F1EA5C5666E935DB716C
- NSIS Installer:
Malicious Certificate Thumbprints:
f110d0bd7f3bd1c7b276dc78154dd21eef9533841b1f85b68e6c9fde709d975a186185c94c0faa51
Command and Control Domain:
paletolife.com
The combination of GoPix’s evolving capabilities and the sophisticated tactics employed for initial infection and persistence warrants immediate attention from the cybersecurity community focusing on threats to financial institutions.
