GoPIX - Malware For Brazilian PIX Payment System 2023

As more and more Brazilians use PIX to transfer money, cyber criminals' interest has risen too. One example is the GoPIX malware campaign, which has been ongoing since December 2022.

The cyber criminals' attack vector:

The attack begins when a potential victim uses Google to search for “WhatsApp web”.

These cyber criminals use malvertising:

Meaning that their links are placed in the ad section of the search results, so you will see them first. If you click such a link, a redirection swiftly follows, and you end up on the malware site's landing page.

What is interesting is that these criminals have implemented the use of a fraud prevention solution, IP Quality Score, to determine whether the visitor is a real user or a bot.

If the check passes, a fake WhatsApp download page is shown and the user is tricked into downloading the malware.

AVAST Antivirus will not protect you!

"Again, something interesting happens, as there are two URLs the malware can be downloaded from. Which URL is used depends on whether port 27275 is open on the user machine. This port is used by the Avast safe banking software. If this software is detected, a ZIP file is downloaded that contains an LNK file embedding an obfuscated PowerShell script that downloads the next stage. If the port is closed, this is skipped and the next stage (an NSIS installer package) is downloaded. The sole purpose of this seems to be to bypass the Avast software and make sure the malware is downloaded onto the system.

The NSIS installer package contains some PowerShell scripts, downloads additional ones and also downloads the malware (GoPIX). After decrypting the payloads and executing different shellcodes, the malware dropper is finally loaded using the sRDI (Shellcode Reflective DLL Injection) project that can be found on GitHub. The malware dropper then starts the “svchost” process in a suspended state and injects GoPIX into it." Kaspersky Labs writes.
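Two steps of the chain Kaspersky describes leave a footprint in process-creation telemetry: PowerShell launched from Explorer via the LNK (with hidden/encoded flags), and svchost.exe started by something other than services.exe before the injection. The detection below is an added example written for this post, not code from Kaspersky or the campaign; the events are constructed in Sysmon Event ID 1 style, the dropper path and encoded command are placeholders, and the allowlist of legitimate svchost parents is an assumption to be tuned per environment.

```python
"""Flag two GoPIX delivery-chain steps in process-creation events."""

# Assumption: on a stock Windows host svchost.exe is started by services.exe;
# extend this allowlist for anything else your environment legitimately runs.
LEGIT_SVCHOST_PARENTS = {r"c:\windows\system32\services.exe"}


def flag_event(ev: dict) -> list:
    """Return the detection names that apply to one process-creation event."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    hits = []
    # 1. svchost.exe with an unexpected parent: the dropper starts svchost
    #    suspended and injects GoPIX into it, so the parent is not services.exe.
    if image.endswith(r"\svchost.exe") and parent not in LEGIT_SVCHOST_PARENTS:
        hits.append("svchost_unusual_parent")
    # 2. PowerShell spawned by Explorer with hidden/encoded flags: the shape of
    #    the LNK-embedded script used on machines where Avast is detected.
    if (image.endswith(r"\powershell.exe") and parent.endswith(r"\explorer.exe")
            and ("-enc" in cmd or "-w hidden" in cmd or "windowstyle hidden" in cmd)):
        hits.append("explorer_spawned_hidden_powershell")
    return hits


def scan(events):
    """Run flag_event over a list of events; returns (ProcessId, detection) pairs."""
    return [(ev["ProcessId"], h) for ev in events for h in flag_event(ev)]


# Constructed sample telemetry; paths and command lines are placeholders, not IoCs.
SAMPLE_EVENTS = [
    {"ProcessId": 101, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"ProcessId": 102,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -enc <PLACEHOLDER_BASE64>"},
    {"ProcessId": 103, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\DROPPER_PLACEHOLDER.exe",
     "CommandLine": "svchost.exe"},
]

if __name__ == "__main__":
    for pid, hit in scan(SAMPLE_EVENTS):
        print(pid, hit)
```

Event 101 is benign and produces no hit; 102 and 103 correspond to the LNK-PowerShell stage and the svchost injection target respectively.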

GoPIX also supports substituting Bitcoin and Ethereum wallet addresses, but these are hard-coded rather than retrieved from the C2. GoPIX can also receive C2 commands, but these are only related to removing the malware from the device.

Be careful when you sync your devices; you might get more than you want.

The United States was number one and Brazil was listed as number five in malware attacks performed in 2022, according to Statista. What will it look like in 2023?