Abstract
Malware analysis is an essential task for understanding infection campaigns, the behavior of malicious code, and possible ways to mitigate threats. It also allows better assessment of attackers' capabilities, techniques, and processes. Although a substantial body of previous work has provided comprehensive analyses of the international malware ecosystem, research on regionalized, country-specific, and population-specific malware campaigns has been scarce. To move towards addressing this gap, we conducted a longitudinal (2012-2020) and comprehensive (encompassing an entire population of online banking users) study of MS Windows desktop malware that actually infected the users of Brazilian banks. We found that Brazilian financial desktop malware has been evolving quickly: it started to make use of a variety of file formats instead of typical PE binaries, relied on native system resources, and abused obfuscation techniques to bypass detection mechanisms. Our study of the threats targeting a significant population in the ecosystem of the largest and most populous country in Latin America can provide invaluable insights that may apply to other countries' user populations, especially those in the developing world that may face cultural peculiarities similar to Brazil's. With this evaluation, we expect to motivate the security community and industry to seriously consider a deeper level of customization during the development of next-generation anti-malware solutions, as well as to raise awareness of regionalized and targeted Internet threats.
One Size Does Not Fit All: A Longitudinal Analysis of Brazilian Financial Malware