
Good afternoon everyone, and welcome to BSides Las Vegas. This talk is about the telenovela of Latin American banking trojans, a dramatic story of cybercrime, and here we have Sabelli, who's going to present the talk. A few announcements before we begin. We would like to thank our sponsors, especially our Diamond sponsor Adobe and our Gold sponsors Prisma Cloud, BlueCat and toota; it's with their support, along with other sponsors, donors and volunteers, that this event is possible. These talks are being streamed live, and as a courtesy to our speakers and audience we ask you to check that your cell phones are on silent mode. If you have any questions, please use the audience microphone so that YouTube can hear you as well. And with that, let's get started. Please welcome Sabelli.

Hey everyone, thank you for waiting through my little technical problems; you know, it happens all the time, actually. First: I know I didn't work in the US, so my English is not perfect, just okay. If you don't understand, just raise your hands. If I say some weird words, please correct me, I don't care, really; sometimes it's good to learn. And that's it.

Does someone here know something about banking trojans from Latin America? A little bit? Okay. If you don't, that's okay. So it's about telenovelas, because Latin America is very well known for telenovelas, and they are very dramatic, and so are our cybercriminals, so this is the name.

Who am I? I used to say I'm a mix of Gossip Girl from Malware Land with a fortune teller, because I work with cyber threat intelligence, so I have to know everything that's going on in Malware Land, all the disgraces, and try to see what's going on in the future. Basically this is what I do, and for over 10 years I've been working especially with cybersecurity and privacy in Brazil, with some organizations in Brazil and all around the world, like Mozilla and our project. Basically this is what I do right now.

This is a real picture of me in Mexico, not from Mexico but in Mexico, on Día de los Muertos, so I like it. So this is me. And I have cats, I love cats, as you said before. And I love tofu because I'm almost vegan, not all the way because I love chocolate; it's hard, you know that. And I like sparkling water, and basically that's it.

So what are we going to talk about? See, I have many GIFs, it's super cool, thank you. What are we going to talk about? The birth of Brazilian cybercrime. I'm not talking about the whole Latin American threat landscape, because I don't know it, but it's quite similar, so if you understand Brazil, you'll understand that it's kind of similar to the rest of Latin America. Then the common features of these malware and banking trojan families, and what's next, or why this happens, or let's see if it's possible to stop them or no, no, no, it's impossible, even with this very peculiar malware. So let's talk about... oh, back, back, back.

Well, right now in times of AI we have things like ChatGPT or similar, ChatGPT writing malware, and can you believe it if I tell you that most banking trojan malware in Brazil and Latin America is for desktop?
They work on desktop; they write this kind of malware much more for desktop than for smartphones, because yeah, it's easier to bypass some security on desktop, especially for people not so savvy in cybersecurity, and for other people too. I'm going to talk about this specific issue, but from a strategic cyber threat intelligence view. I'm not a malware analyst, so please don't ask super hard questions, because I can't answer them, but from a strategic point of view I can do this. What is a strategic point of view? It's basically this: I see everything that's going on, this Gossip Girl from Malware Land, not just one tree; I see the whole forest, all the disgraces that are going on in Malware Land. "Disgrace" is a very sweet name I gave for what happens in cybercrime; I think it's cuter. And I talk about it more generally, not just one specific thing. Sorry, sometimes I forget the words in English; I know many more words in Portuguese than in English, so sometimes I lack some words. Sorry, but you can help me: if you see the word I want to say, please say it.

So, the birth of Brazilian cybercrime. Well, first, you must have been thinking: why do I talk about malware on desktop, not on mobile? Well, as incredible as it may seem, they are widely used to make bank transactions, really, really widely used. Everybody has a mobile, even two or three mobiles; people, especially in Latin America, have many mobiles with an internet connection, but not a desktop or a computer. So everybody has some kind of way to be connected, but some taxes we have to pay on desktop, only desktop, I don't know why, it's weird, or you go to the bank. So people pay on the desktop, especially companies, small companies; they have to pay this government tax there. So this is a big attack surface, really big. So banking trojans are developed for desktop because it's a little bit less complicated than for mobile, because on mobile you have to say "oh please, accept accessibility", you have to unlock accessibility, you have to click, click, click, click, and people say "oh, do I?" Yeah, people sometimes are dumb and they accept, but on desktop it's easier: just okay, it happens, it's there, and that's it. So of course we have many, many malware that attack smartphones, especially Android, like for example, I love these names, they are so unique: Zuman, AMU, Zenis. They are really weird names but fun, and this last one, Zenis, attacks all of Latin America except Brazil. No, it wasn't me who wrote this, because I can't do this, but it's a very cool name.

So, the Brazilian threat landscape in cybercrime; let's talk a bit about history. I have a bachelor's degree in history, so you'll learn about the history of Brazilian cybercrime. When the internet, the commercial internet, started, like in the mid-90s, the Brazilian underground was born, and until like 2000 people were in these forums, not forums like today; they talked only on IRC. I think everybody remembers talking on IRC: very simple, not so user-friendly, not so many
GIFs or emojis or images, so everybody was there, talking and talking. And then, okay, that was a place to learn; people were learning cybersecurity, because back then, frameworks, I don't know if some existed, or they were very expensive, I don't know, and you had to learn to speak English. Come on, we are from Latin America, it's not our language. I speak Portuguese, not even Spanish; I can speak Spanish, but the rest of Latin America speaks Spanish. And everybody knows these are mostly very poor countries, so not everyone can speak English, because it's expensive. Now it's easy, we have YouTube, but before, you had to pay a teacher to learn. So few people were there, "let's learn", and it was a learning exchange. And the financial risk started to be very low: the financial return was high and the risk was low. Basically this is when everything starts. I don't know how to compare it with here in the US, because I never lived here, so I don't know. But basically the emergence of the Brazilian underground starts in the mid-90s until the early 2000s: IRC, limited resources to learn, knowledge exchange turning into cybercrime. Any platform can be considered a forum in Brazil. It's not like Breach Forums or any of those forums where you have to be invited or you have to pay to be there, "oh come on, I'm selling some compromised bank credentials, or malware, or something as a service". No, in Brazil, everything can be a platform, like WhatsApp or Facebook or Telegram, especially Telegram.

Given this resource limitation we had back then, the way we learned how to attack something was fake mail. Yeah, it's easy, it's not "wow, super hacker", but they wanted to know how you do this. So fake mail was considered a learning experience in the absence of these frameworks; however, from an educational purpose, this becoming cybercrime was just a step away. "Wow, super hacker, so it's easy to do this", maybe, maybe not. And these guys started (usually guys; I know I'm a woman, but usually it was guys, one or two women or no women) to say "oh, I have a massive number of credit card numbers here". Because, I don't know here, please let me know, companies would say "oh, I will send you a credit card"; I didn't ask, but yes, they send you one. I don't know if this happens or happened in the US, just sending you one. But what happened? The mailman says "oh, I'll keep this", or the person who received it says "oh, I'll discard it". So it's easy, or someone robbed the mailman. So they have a huge number of credit cards and sell and spend in the name of the other. So easy. And then, besides carding, what else? So these discussions were also organized by topic. Well, today we organize it like selling or buying or something like this, it's very organized; back then, no. So cybercrime migrated from IRC to Orkut. Do you remember Orkut? Yes, it's like the grandpa of Facebook or the grandpa of Instagram. They migrated there and started selling products and hacking services, and then they headed to Facebook groups. They close at once, and then the trust among these criminals was shaken, because some information started to leak, these conversations, and these fraudsters said "I'm not liking this". So what happened? Unlike the Russians, Brazilian people, and Latin Americans in general, cybercrime doesn't use underground forums; they use surface forums. It's not a forum at all, it's WhatsApp, come on, so easy; Facebook, sometimes Instagram. So that's it: where it's easier, we go; we know that's where people go. And Brazilian cybercriminals are quite nationalist: they operate much more in Brazil, in our territory, and even Latin American people operate in their own country rather than abroad, with some exceptions of course, and for this I'll talk about these threats: they are spreading all
around the world, and they are not afraid to change their TTPs, because "oh, it's not working, okay, let's change, let's change here, let's change there"; where money is easy, they are going. So sorry, I'm kind of nervous, so I'm mixing things. Is everybody okay with what I'm saying? Okay. Please, if it's weird, say "stop, say again". Thank you, thank you, thank you.

Well, some common features among Latin American malware. First, Latin America is huge; it's not just one country. I don't know, some American people don't know this, but we have like 20 countries and 14 territories, including Mexico (Mexico here, next to the US), Central America, South America and the Caribbean. So we have a lot of countries, and Brazil is the only one that speaks Portuguese; the area is different, I know, good. So our countries are different from the others; when we read some reports written by someone from the Global North, they are very biased, things like everybody's the same, like Peru is like Mexico, or everyone is Mexican. No, completely different cultures, completely different everything; even the way they talk is different, super different. But something we have in common: we don't host APTs; we don't have APTs in Latin America so far, because there is no reason for this. So our environment is very unique for this kind of malware, banking malware, or some kind of frauds, because the cybercriminals are very persistent. We have drug cartels recruiting people, young people, to work with cybercrime, because come on, if I'm not selling drugs, in Brazil it's hard, how can we get money? So they are recruiting people. In Brazil we have large criminal gangs that are recruiting, "oh, I think you can work with computers", because there's always someone who works with computers; they don't know what they do, but it's a computer person, so they are recruiting them. It's weird. So please, sorry, people who were born in the US: Latin America is outside of this.

Well, some more attributes. Even with these social differences among us, some things are very common, like these attributes: they try to reach the largest number of victims, everyone, everywhere; not just a specific one, one bank or one person, just... wow, you know what, I forgot the word in English, okay, whatever. But the quality of the malware is not so good; it's just okay. Thank God they speak very loud now, it's better. Come on people, why didn't they say so before? Okay. The malware written in Latin America is not "wow, what a malware"; it's just, they work. This is the thing: they work, this is very important, they just work. They reach a big number of vítimas, and the operators use the full potential of the malware, not "I use it this time and, yeah, discard it"; no, they use it again and again and again. If it's working, that's good; if it's not working, yeah, okay, we try, we can modify a little bit, just a little bit. It's not like malware as a service, where you buy it off the shelf. Okay, sorry, again nervous, forgetting words, but please, if you're not following what I'm thinking, please let me know. So the operators use the malware to its full potential, and when it's running out of capabilities, they just make some minor technical adjustments, just enough to keep it running. This is very, very, very common in Latin America. Mostly they are written in Delphi, even old versions, not the new version of Delphi but old ones. There's a lot of social engineering, because sometimes it's easy: "just click here, oh, you get something for free". I do this, I like free things, so I'd click. Okay, if I do this, can you picture my mom or someone? Whatever. So they do this, and the thing with social engineering is to persuade someone to do something; well, I think everybody here knows
how it works. So tricking people is kind of easy, especially with free things or free money, like these bets: "oh, you can try here and get money, you can place your bet, like $1, and get 10,000". It's super easy to trick people. And what else do they use? They make a popup showing on the screen to get the data; it's a fake popup, an overlay screen, so the person says "oh, what's this? I have to put my credentials here, okay", but it's fake, even if the mouse doesn't move. They use this, and they use a lot of this, even trying it in the motto, to trick people. Usually it's like "oh, we have an update; oh, you have to update your computer right now; you have to update your bank platform right now, it's very important, everything is super urgent, it has to be now, now". And people insert their credentials, their credit card numbers and passwords and everything, and with this popup screen they get the data. Anyway, this is very regular, but this is the thing that happens in Latin America; it's not much different than this, because it's not that they're lazy, but "why do I have to work so much if I can get money just doing the simple thing I can?" And then they write multiple variants (how can I pronounce this? Variant, okay, cool) with minor modifications. See, they are developed simultaneously; not just "I try one, I develop one and sell it, and then if it's not working I try again"; no, they develop many, many, lots, and that's it, and threat actors disseminate this all around, and this is very effective. Basically, the flowchart, or attack chain, is like this: collect information about the machine, send a notification, check active windows, and if a target window is found, okay, let's go; if not, oh, let's come back; and then the communication with the command and control, the C2, and display fake popup windows. This is the basis of how Latin American trojans work; basically it's this.

And something very, very interesting: malware families share many, many functions, like Grandoreiro, Ousaban; as I say, very funny names; even for me these words don't mean anything, it's just words. Grandoreiro: everyone who finds this, every company, gives it a name, so there are lots of names. For example, the Ousaban threat often abuses cloud services to download the second-stage payload, and Google Docs to retrieve the C2 configuration. And another one, Casbaneiro: they deliver a malware loader called B loader and a RAT whose name is very good, AKA Ave Maria; it's like praying the Ave Maria, a very Catholic prayer. And for example, through the malware execution they use algorithms to decrypt these strings, but these algorithms for the encrypted strings use a chain of XOR operations, with the key and the previous byte of the string. This happens, and where do they come from? This book: someone wrote this book, and this family just copies and pastes it to use. See, it's everywhere. Yeah, it's funny, right? You laugh, it's funny, but it works a lot, it really, really works. Since it's stupid, what works? This is the point of my talk: this works. Basically they do the same; they are different, but they are the same. Don't think I'm saying "oh, cybercriminals are bad"; no, they are super cool, but they don't need to work too much to get money; just "yeah, let's do it".

I don't know if some people are aware of Mafalda; it's a comic book, this little girl, super cute little girl. Of course she doesn't talk about droppers originally, but it's like malware as a service, off-the-shelf malware: "oh, I want a dropper, a banking trojan, and this and that, and another two, and that, and some... okay, this is for you". So it's very common for threat actors to buy this kind of malware, AKA malware as a service, something as a service, a big business right now, and adjust it to execute. For example, Emotet; everyone knows Emotet, it's huge, it's big, and even the Homeland Department classified it as the most devastating malware because it has this wormable feature, so it's bad. But that's it, they buy and use it. But here, sorry gringos, this doesn't happen in Latin America, because for every little thing you say "oh, it's not working, I'm not working with this anymore, I buy a new one"; but not us, no, we change everything with little adjustments, as I said before, and let's try again and again and again. It's like your old clothes: you give them to your younger siblings, and then to the other siblings, and
to the cousins, and they turn into a wreck, and this is unbelievable; it's the same with our malware, basically it's this.

So let's go to the more technical part. Latin American banking trojans collect information about the victim's machine. This usually consists of computer name, username, unique identifier and indications of whether security or banking protection software is installed. The persistence is usually through the Windows registry, but they don't use it much; the persistence stage, they use it, but it's rare, so we can jump over it. But the evasion part: they use a lot of LOLBins for defense evasion, and you can check the LOLBAS project to see how they can use the LOLBins in different ways, very creative ways, so you can check there. And this technique, DLL side-loading, they use a lot; this is the most used thing. Well, they capture credentials in the browser; as Mispadu, the family I will talk about later, they capture browser cookies. This is very specific for this malware. And the screen overlay: this was taken from one of ours; the guy I used to work with, he's a malware analyst, not me, he took this screenshot from a real campaign that was running this overlay screen, so the cybercriminal is trying to lure this guy. And the final infection chain of all the malware mentioned here: they place this overlay screen. This is the thing they do. The cybercriminal then has this access, remote access to the computer, in order to perform bank transactions, and this overlay prevents the user from seeing or touching anything else. That's it: they can just see this picture; they can't change to another screen or move the mouse or something like this; they lose all control of the computer.

Now some Latin American banking trojans. Yes, they are weird, like this family, a very nice family. So let's dive a little bit into some other families. Okay, Casbaneiro; this word doesn't mean anything at all, at all. This is the infection chain. It starts usually with an email: they send a malicious URL. Can you read this, or should I choose more? Oh, good, can you read it for everybody, please? I can't read it from here, I'm not using my glasses, please, can you do this, help us? Oh, it's in Portuguese, sorry, no, you can't, sorry. Okay, but with this you can picture how it works, right? Or no? Can I explain? Yeah, what? Yeah, I understand. Oh yes, please explain everything. Wow, I don't know what happened here, but the letters here are yellow; I can't read in yellow because it's with white. They target accounts from financial institutions, even cryptocurrencies as well, and the screen is the same as explained before. What this malware does is obfuscated code, encrypted strings, and anti-analysis protection like anti-VM and anti-debugger functions. They have this malicious DLL indicating the institution targeted ("oh, now I see what's the institution"), so the strings are encrypted in a custom algorithm used by Latin American trojans. They do what the malware does, nothing different, and one thing different in this family is that they can monitor Bitcoin wallets: when the user copies the wallet address, they replace it with their own address, so they can do that. Okay.

Now Mispadu. Mispadu has been linked with many spam campaigns targeting especially Bolivia, Chile, Mexico, Peru and Portugal. One main strategy is to compromise legitimate websites, searching for vulnerable versions, especially of WordPress, to turn them into their C2 and spread the malware from there. So cool, nice. They try to filter this out by country, for the country they wish to attack, dropping different types of malware based on the country they are infecting. So in Brazil it's one, and it's the same but different, as I said before. But they use here the infection chain; oh sorry, this is in Portuguese, it's real, but sorry, I forgot to translate it. But it's this: if someone would like to read it, let's see, you can speak in Spanish as well, please. So Mispadu is a multistage infection strategy, because they split the malicious techniques into two different components, which makes it harder to detect, super hard, because they split it; and then the adversary hides the malware inside a fake certificate, so it's harder to detect, and they misuse certutil, because it's a legitimate Windows program; and then they decode and execute the banking trojan. So one of the campaigns they ran in 2019, especially in Chile,
to distribute this malware through Facebook ads, was faking McDonald's discounts; this happens a lot, so many, many, many people fell into this malware. And well, an important feature of this malware is that the trojan and the command and control server have not changed since the first attacks; even though it works, not changed, the C2, but it's still running. Most recently, this lovely family, by unpopular demand: they identified 20 different campaigns from the end of 2022 to now; folks from Metabase Q, from Mexico, identified these campaigns, using banking trojans spread all around.

Mekotio. Mekotio is very interesting, very active in Brazil. There's a very long infection chain, really, really long; this is very simplified. You can find this, it's in English, this is in English actually, because when I wrote this report for the previous company I worked for, it was in English, so now you can see. No, sorry, it's in Portuguese again, sorry, oh my God; I read something like "phishing URL", but can you understand? Yes? No? Yeah, kind of, cool.

So it's very active in Brazil, Chile, Peru and Mexico, and starting in 2020, like three years ago, they started to target countries in Europe: Spain, Italy, Portugal. The family uses custom encryption; they abuse LOLBins as well, and they use a lot of this technique named binary padding, super cool, lots of [ __ ] inside, so it's hard; and they use scheduled tasks to start the infection stage as well, and execute a specific file, but never, never, never use persistence. This is very unique: a very long infection chain, and they don't use persistence, because it's rare, but it happens a lot. And their TTPs: a very long list of TTPs. Mekotio: this scheduled task starts the infection stage in the next minute; they execute a specific file, and that's it, super cool.

And Astaroth; this is my favorite, because everything is automated there; they just automate everything. The process is automated; unlike the other malware, which uses many human parts, and humans can fail, if you automate it, it's more difficult to fail. So it's phishing: they send mail phishing with unique compilations of the malware, so it's basically almost impossible to detect them by hash, and difficult to create YARA rules (YARA, I say it in English), because each email is different. So they send like a million emails per day; it's a lot of mail. All their infrastructure is based on the cloud, and they have their own domains; even the third-party services they have protect against DoS attacks, so it's very hard to remove this guy. So this is more modern malware; we have Astaroth, and come on, one million spam emails per day is a lot. Their campaigns are massive, very generic; their campaigns are like "oh, click here to access your Google Drive, or DocuSign, or something like this". The infection chain, easier, again not in English, sorry guys, so sorry, but if you want I can
work a lot and why this more works because uh the thread landscape in Latino America and in Brazil they uh is very specific we have spite everybody is connected to Internet they are not so savy in how to protect protect themselves I know here as well like in us I know this but people oh it's a weird link okay let me click uh I want to download a game or a VPN they do this a lot because in Brazil or in Latin America it's super expensive you know for example to buy $1 doll I spend five R so everything's super expensive what the people do they crack they just download you know they are pirates for
this is this MERS happens mostly you know oh let me find some trick to my game and happens a lot uh softwares vpns and they go to W's place like what's this oh this look like x video but it's like XX video oh I go there so it's super easy to download these MERS and but in the other hand the adversaries they are kind of lazy not lazy but okay I can do this with a little effort and they have a a limited patient you know they just just deliver you know the threat and change a little and modify a little as I said before like for to older sibling to younger to the cousin to blah blah blah
blah blah and there a lot of social engineer but these guys don't have very uh hard technical skills they are super shallow you know really shallow they buy it and motify a little but and they not even think about their UPS SEC so it's easy to to spot them so why they are not in jail because mostly in Latin America they this kind of guys don't go to jail we are trying this very hard you know for this we have jobs forever cyber security people and Brazil right now is they signed this Budapest convention that means uh International cooperation among the countries everywhere so it be easier to rest these guys but even if they are ARR they we are other ones will
show up and again and again lot of problems and well last year the kaspar threat report said that Brazil generate about 60% of all MERS in the world and the Latin America it's a lot of MERS followed by Mexico and then Peru it's a lot of M we produce we are I'm not of you know it's not a very good title I know but thanks for this I have job forever this is good and then I can afford to come here to say to talk for you about this hopefully next year I'll be less nervous and my English a little bit better I promise you my English better than this but I'm a little bit
nervous and then that's how folks but wait wait the best part I did please there's a music like uh succession music hold on hold on and that's it thank you someone have a question yes would like to talk that loud for everybody if it's basically okay hello if it's basically the same malware why isus they just happened you know just happen it's not the same it's a little bit different you know they have different names you know they target different countries you know as I say if it's working it's working when stop to work they modify a little bit for this they keep in going and running and running just for this don't don't need
to start from scratch you know they just reuse this a lot for this works and cheaper than buy any one yeah someone
else? I know you said... louder, louder? I know, you can speak louder. I know you said the desktop attack was the most common one. Yeah. I'm curious to know, generally speaking, what's the most common software that they're using on their desktops; is it like Windows?

Well, worldwide it's Windows, because it's cheaper, you can crack it, you can download it for free. Of course there is malware for Mac and for Linux, we know this, but it's a little bit rare, because not everybody uses them; everybody uses Windows. I have to use Windows sometimes, but okay, I have some protections on my computer, and I use a Mac as you see, and I don't use banking here; yeah, I am bulletproof, pro, baby. No, just kidding. It's mostly Windows 10, Windows 7, not even the new Windows, because, yes, everybody uses Windows. Most people use Android phones because it's cheaper than iOS, so there's much more malware for Android than for iOS, or Xiaomi or other brands. Just this, that's easy.

I think it's working now. Thank you for trying to speak in Portuguese, thank you a lot. My question is: a lot of the families you went over, you mentioned they had European targets too. So in your opinion, are these Brazilian operators selling the malware overseas, or are they just reaching targets because they have similar language, like the victims speak similar languages? What's your opinion?

Both, actually, both. Some sell; sometimes we don't know which one it is; it's hard to spot exactly the person. We know the families because the TTPs are similar, but we don't know who is behind the malware. So they sell, and of course if the language is similar, like Portugal or Spain, it's easier, or even Italy; it's not the same language, but Latin languages, it's easier. But some malware is targeting like the UK, for example; they sell, and well, I don't know; it's because they sell, and it's kind of easy. Some bank protection: besides everything I said, we have very good protections in banks in Brazil, one of the first internet banking, but of course there are fails, holes there; but abroad, especially in the UK (here, I don't know, I don't have this vision of the US), in Europe they have a lot of fails, so for this, and because it's there, why not? Kidding. You're welcome. Someone else? That's it? One, two, okay.

So how effective is Latin American law enforcement? Can you repeat, louder? How effective are Latin American police at finding some of these?

Well, we have very good police trying to find these cybercriminals, of course, like everywhere, but our cybercrime policies are not that good; they're okay, just not good enough. But there are a lot of people working against this, like me, my folks here from Brazil or Latin America; we are trying hard. But when you arrest some cybercriminal, it's not so easy, everywhere in the world. We see large ransomware groups being arrested because it's ransomware; a lot of people, a lot of big companies lost money, and then they really try to catch these guys, but not the malware, it's very specific. But yeah, they are good, not the best, but they are good. They're not... and I'm not diminishing (is "diminishing" a word?) Brazil or Latin America; I'm very proud of where I live and the police that try to catch these bad guys, and the cybersecurity people, we are very good, really good. But yeah, they're good, but like everywhere else, sometimes it's hard to detect. You're welcome.

Oh, I have to stop now, but if you have further questions, please, you can reach me here. I didn't put a QR code, as you see, because no one scans it, but I promise I can explain better, with less pressure, what I did. I know sometimes it's hard to understand what I say, because I was nervous, but please reach out to me, or I'll be around here and at DEF CON and Black Hat and around, if you want to ask something and say my head is beautiful right now. I appreciate it, thank you guys, thank you very much. [Applause]
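The talk mentions that several of these families decrypt their strings with a chain of XOR operations over a key byte and the previous byte of the string. The following is an added example, not code from the talk or from any named family: the exact byte formula, the sample key and the sample string are constructed assumptions, and the key-recovery function goes beyond the talk to show why an analyst who knows one decrypted string (such as a URL prefix) can recover the key and bulk-decode the rest.

```python
# Added illustration of chained-XOR string obfuscation as described in the talk.
# ASSUMPTION: the per-byte formula below is a simplified model for teaching,
# not the real routine of any family. Sample key and string are constructed.


def chained_xor_encode(plaintext: bytes, key: bytes) -> bytes:
    """Encode each byte with the repeating key byte and the previous encoded byte.

    c[i] = p[i] ^ key[i % len(key)] ^ c[i-1], with c[-1] taken as 0 (assumed model).
    """
    if not key:
        raise ValueError("key must not be empty")
    out = bytearray()
    prev = 0
    for i, p in enumerate(plaintext):
        c = p ^ key[i % len(key)] ^ prev
        out.append(c)
        prev = c
    return bytes(out)


def chained_xor_decode(ciphertext: bytes, key: bytes) -> bytes:
    """Invert the encoding: p[i] = c[i] ^ key[i % len(key)] ^ c[i-1].

    The chain links to the previous *encoded* byte, which the decoder already
    has, so decoding is a single pass with no extra state.
    """
    if not key:
        raise ValueError("key must not be empty")
    out = bytearray()
    prev = 0
    for i, c in enumerate(ciphertext):
        out.append(c ^ key[i % len(key)] ^ prev)
        prev = c
    return bytes(out)


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery for the assumed scheme.

    Every step is XOR, so key[i % key_len] = c[i] ^ p[i] ^ c[i-1]. A known
    prefix at least key_len bytes long (e.g. b"http://" for a C2 URL) yields
    every key byte directly. Any extra known bytes are used to check that the
    guessed key length is consistent; a wrong guess raises ValueError.
    """
    if key_len <= 0:
        raise ValueError("key_len must be positive")
    if len(known_prefix) < key_len or len(ciphertext) < len(known_prefix):
        raise ValueError("known prefix must cover at least one full key period")
    key = bytearray(key_len)
    prev = 0
    for i, (c, p) in enumerate(zip(ciphertext, known_prefix)):
        k = c ^ p ^ prev
        if i < key_len:
            key[i] = k
        elif key[i % key_len] != k:
            raise ValueError("known prefix inconsistent with guessed key_len")
        prev = c
    return bytes(key)


# Constructed sample values (not real indicators from any campaign).
SAMPLE_KEY = b"k3y!"
SAMPLE_STRING = b"http://c2.example.invalid/config"


def demo() -> dict:
    """Round-trip the constructed sample and recover the key from 'http://'."""
    encoded = chained_xor_encode(SAMPLE_STRING, SAMPLE_KEY)
    decoded = chained_xor_decode(encoded, SAMPLE_KEY)
    recovered = recover_key(encoded, b"http://", len(SAMPLE_KEY))
    return {
        "encoded_hex": encoded.hex(),
        "decoded": decoded,
        "recovered_key": recovered,
        "decoded_with_recovered_key": chained_xor_decode(encoded, recovered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```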