Maybe you don’t know this, but many guys here in the lab can tell you where a banking Trojan is from just taking a look at it for a few seconds. There are a number of different banking Trojan families, but it’s really easy -once you have analyzed thousands of them- to group them by origin. In the case of the Brazilian ones, there are a number of tips that can be used:

– Size of the file (yeah, I know this is pretty basic, but the size of those Trojans is way bigger than average)
– Programming language (Delphi)
– Text strings (usually Brazilian or South American banks)
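The three file-level tips above (size, Delphi, bank names in the strings) are easy to turn into a first-pass triage script. The following is an added example written for this post, not PandaLabs code: the 1 MiB size threshold, the Delphi marker strings and the bank watch list are assumptions picked for illustration, and the two in-memory "samples" are constructed byte blobs, not real malware.

```python
"""Triage heuristics for spotting Brazilian-style banking Trojans.

Added example, not part of the original post.  It turns the three rules of
thumb (large file, Delphi, bank-name strings) into a scoring function you can
run over a directory of samples.  Threshold, marker strings and the bank
watch list are assumptions chosen for illustration; tune them to your corpus.
"""
import re
import sys
from pathlib import Path

# Assumed threshold: the post only says the files are "way bigger than average".
LARGE_FILE_BYTES = 1 * 1024 * 1024

# Strings that commonly show up in Delphi-built executables (assumed set).
DELPHI_MARKERS = (
    b"Borland",
    b"Embarcadero",
    b"Delphi",
    b"SOFTWARE\\Borland\\Delphi\\RTL",
    b"FPUMaskValue",
)

# Constructed watch list of Brazilian / South American bank names; the post
# names no specific bank.  Matched case-insensitively on ASCII bytes.
BANK_WATCHLIST = (
    b"banco do brasil",
    b"bradesco",
    b"itau",
    b"caixa",
    b"santander",
    b"banrisul",
)


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable-ASCII runs of at least min_len bytes (like `strings`)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def score_sample(data: bytes) -> dict:
    """Apply the three heuristics to raw file bytes and return hits plus a score."""
    blob = data.lower()
    delphi = sorted({m.decode() for m in DELPHI_MARKERS if m.lower() in blob})
    # Report the full printable string that contained a bank name, so an
    # analyst sees context such as "Bradesco Internet Banking".
    banks = sorted({
        s.decode() for s in printable_strings(data)
        if any(term in s.lower() for term in BANK_WATCHLIST)
    })
    large = len(data) >= LARGE_FILE_BYTES
    score = int(large) + int(bool(delphi)) + int(bool(banks))
    verdict = {3: "likely Brazilian banker", 2: "suspicious"}.get(score, "weak/no match")
    return {
        "large_file": large,
        "delphi_markers": delphi,
        "bank_strings": banks,
        "score": score,
        "verdict": verdict,
    }


def constructed_samples() -> dict:
    """Constructed in-memory stand-ins for files on disk (not real malware)."""
    banker = (b"MZ" + b"\0" * (LARGE_FILE_BYTES + 4096)
              + b"SOFTWARE\\Borland\\Delphi\\RTL\0"
              + b"Bradesco Internet Banking\0Banco do Brasil\0")
    small_delphi = b"MZ" + b"\0" * 2048 + b"Borland\0" + b"Calculator v1.0\0"
    return {"banker.exe": banker, "tool.exe": small_delphi}


if __name__ == "__main__":
    # Usage: python triage.py sample1.exe sample2.exe ...
    # With no arguments it scores the constructed samples instead.
    if len(sys.argv) > 1:
        inputs = {p: Path(p).read_bytes() for p in sys.argv[1:]}
    else:
        inputs = constructed_samples()
    for name, data in inputs.items():
        result = score_sample(data)
        print(f"{name}: score={result['score']} verdict={result['verdict']}")
        print(f"  delphi={result['delphi_markers']} banks={result['bank_strings']}")
```

A score of 3 is only a hint for prioritising samples in the queue, not a classification: plenty of legitimate Delphi programs are large and mention banks, so the output belongs in front of an analyst, not in a blocking rule.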

And I’m only talking about the binary file. If we take a look at the distribution methods, we can obtain more leads. Unlike the rest of the world, these Brazilian cybercriminals don’t use infection kits (MPack, etc.) but only social engineering techniques, which seems to be good enough for them. One of the latest cases we have seen was using the current president of Brazil, Dilma Rousseff, as bait. They usually spread the malware via e-mail in spam messages, or in Internet forums and social networks:

In this case the downloaded file is the Trojan Nabload.DUF. Taking a look at the server where the file is hosted, we were able to find one folder with a different file (another Nabload):

My Brazilian Portuguese is not great, but good enough to understand they are talking about Juju, Nicole and a video. But who are Nicole and Juju? Using one of the Internet’s most powerful weapons, a search engine, we find out who Nicole and Juju are:

[Images: search results for Nicole Bahls and Juju Salimeni]
Now I know what kind of social engineering this one is 😉

Even though the file was uploaded in April, we found some spam messages distributed in July:

Remember that we are the weakest link in security, and it doesn’t matter how many security measures we take, there is not -yet- an antivirus for human beings 😉