Banks have traditionally been a very attractive target for attackers, since they represent the possibility of instant money. However, because regulations such as PCI (Payment Card Industry) standards have strengthened the security controls that protect bank accounts, criminals are looking for other attack vectors with fewer restrictions. One of them is to compromise the weakest link, the cardholders themselves, by tricking them into handing over their online banking credentials and, with them, control of their bank accounts.
Since January 2021, Ocelot has been monitoring a new variant of the Janeleiro banking trojan, which is known for attacking banking users in Brazil. This new campaign targets users of the online platforms of Mexican banks, as well as users of Bitso (a platform for buying and selling cryptocurrencies based in the same country), which is why the variant was named Janeleiro.mx.
The attackers implant this malware on their victims' machines through targeted emails, known as spear phishing, which download the new Janeleiro.mx variant from legitimate but compromised websites. Once on the computer, the malware monitors the victim's browser, waiting for them to connect to a Mexican online bank, and then generates fake pop-up windows that imitate legitimate forms from the leading Mexican banks. The aim of the fake forms is to trick victims into entering their banking credentials and personal information, giving the attackers unauthorized access to their bank accounts.
Cybercrime was previously characterized as an activity carried out individually. New research now points to possible collaboration between cybercriminals from different regions who have overcome time and language barriers to establish close cooperation and accelerate the development of malicious tools. Cooperation in research and intelligence is therefore equally critical in dealing with cybercriminal groups.
In this regard, given the continuous activity of the campaign in Mexico and the number of people who are exposed, Metabase Q and Ocelot have decided to share the results of the research, hoping that it will help prevent future infections by this malicious group.
We encourage organizations to strengthen their threat monitoring, detection and eradication skills by proactively simulating ransomware and other malware in their organization through our APT (Advanced Persistent Threats) Simulation service.
To learn more about Janeleiro.mx, as well as its tactics, techniques and procedures, you can download the full report.