When we analyze the most prevalent threats in Latin America, we see the same malware families across the region. In Brazil, however, there is a different situation. Not only is Brazil one of the most populated countries in the world, but it is also one of the countries with the highest percentage of Internet users using online banking. That is why Brazil is the country where banking trojans are the number one threat.
Throughout 2013 and 2014, we received and analyzed a considerable amount of CPL malware in our Latin American Research Lab, 90% of which came from Brazil. Of those malicious files, 82% of them are some variant of Win32/TrojanDownloader.Banload family; their main goal is to download and install banking trojans in infected systems.
Why do cybercriminals in Brazil use CPL files more and more? What advantages do they provide? The results of this investigation and the answers to several of these questions are in our white paper “CPL malware in Brazil: somewhere between banking trojans and malicious emails”.
First we discuss what CPL files are, how they work and how cybercriminals use them. We show the different methods used to propagate these threats and provide examples of emails, institutions and names of the files used to deceive users by means of Social Engineering techniques.
Then, we analyze the different routines that are executed in these files when a system is infected, as well as the purpose behind the attack, detailing some tricks used to complicate analysis, hide information and frustrate execution in virtualized environments.
Finally, we discuss the scope, statistics and impact of this attack, detailing how, over time, the use of CPL files by cybercriminals in Brazil has ceased to be a new or an isolated event, and has become a trend in itself.
This paper will help you understand the use of CPL files as a threat to users in Brazil, and the different techniques cybercriminals utilize to propagate them. Learn not only how to understand how CPL malware works, but also how to learn to protect yourself from these attacks.
by Matías Porolli, ESET