Kaspersky: Brazilian cybercrime exports banking malware


Post by bitheerani42135 »

Just two months after announcing Tetrade's operations in Europe and Latin America, we confirmed the 5th family of Brazilian banking Trojans operating outside the country – Amavaldo. Thus, the internationalization of Brazilian malicious campaigns is now called Pentaedro. Another evolution occurred in the Guildma Trojan, a more active campaign that remains focused on Brazil, but now also attacks Android smartphones targeting mobile banking fraud.

Tetrade was made up of four families of banking Trojans (Guildma, Javali, Grandoreiro and Melcoz) that attack both Brazil and countries such as Portugal, Spain, Chile and Mexico. In recent months, we have identified an increase in the volume of attacks using this malware. To give you an idea, just one email account used to collect samples received, in one week, 1.8 million malicious messages that led to infection by one of the Tetrade families.

In the case of Guildma, we also discovered a new multiplatform version of the banking Trojan, which, in addition to installing itself on Windows devices, infects Android smartphones. This modification of the malware is distributed via phishing emails disguised as legitimate notifications or communications from companies, and its operations are currently focused on Brazil. “But it is inevitable that it will soon expand to other countries,” says Fabio Assolini, senior security analyst at Kaspersky in Brazil.

“We believe that this phase here serves to mature the campaign before it can be ‘exported’. Once on the Windows or Android device, the criminal can access the device remotely to commit internet/mobile banking fraud, or silently capture credentials (only on Windows). The most curious thing is that the user cannot remove the Trojan by trying to delete the malicious app on the cell phone; only a security solution can do this. We hope that this will finally make people believe that smartphones also need protection like PCs,” says Assolini.

Export to Mexico
The main update in the export of Brazilian malware was the confirmation of the 5th family of banking Trojans operating outside the country. As with the other campaigns, Amavaldo began operating in Brazil in 2015, but only recently expanded to Mexico. “It is interesting to see how this campaign has developed. We have verified more than three thousand attacks from this Trojan in Mexico in our cloud protection system (Kaspersky Security Network) and we already see this malware more active outside the country than in Brazil”, reports Assolini.

“Brazil has always been among the main developers of banking Trojans. According to our detections, it is the second most attacked country by this type of threat. The Brazilian banking system is accustomed to domestic fraud, but not all banks in Latin America and Europe have the same protection technologies, which makes them vulnerable to these attacks. Therefore, it is very important that security teams have access to the latest threat intelligence reports,” advises the analyst.