Crooks behind Ghimob banking trojan have ambitions far beyond Brazil, researchers say

Cybercriminals have used a new malicious software kit to target banking customers in Brazil, but harbor ambitions far beyond the Latin American country, security researchers said Monday.

The data that anti-virus company Kaspersky released shows how an enterprising group of crooks has used Brazil to fine-tune its banking trojan, as the financially focused malware is called. After successfully infecting numerous victims in Brazil, the campaign has expanded to other Portuguese-speaking countries, from Angola to Mozambique to Portugal.

Ghimob, as the newly discovered trojan is known, has a series of features that could make it more effective than previous attempts by Brazilian malware developers to target users abroad, according to the researchers.

It is a “full-fledged spy in your pocket” that siphons off data through a number of means, Kaspersky researcher Fabio Assolini and his colleagues wrote in a blog post. It’s a fraudulent app, hosted outside of the Google Play Store, that once installed allows the attacker to swipe login credentials for a user’s bank. As part of the ruse, the attackers send emails posing as creditors telling recipients to follow a malicious link to learn more. From there, the app is downloaded and the theft begins.

The crooks have targeted not only banking customers, but also cryptocurrency exchanges and fin-tech companies, the researchers said.

“Latin American cybercriminals’ desire for a mobile-banking trojan with a worldwide reach has a long history,” said Assolini. For example, crooks previously used a different hacking tool that emerged from the Brazilian cybercriminal scene to target customers at several banks in Spain.

Whoever is behind Ghimob could be affiliated with the operators of another notorious banking trojan known as Guildma, the researchers said. Guildma has been used in prolific spamming operations, accounting for 10 times as many victims as other Latin American trojans, security experts at anti-virus company ESET said in March.

Cybercrime has long dogged the financial sector in Brazil, South America’s largest economy. A surge in coronavirus cases in Brazil was accompanied by hundreds of malicious COVID-19-related websites looking to rip people off.