
Economic Growth, Digital Inclusion, & Specialized Crime: Financial Cyber Fraud in LATAM

Updated: Oct 8

By Beatriz Pimenta Klein

This research is the first part of the AdvIntel LATAM Series. To see other blogs within this series, please visit:

Part 1: Latin America Threat Landscape: The Paradox of Interconnectivity

Part 2: Cyber Exploration: The Geostrategic Quest of APT Groups in LATAM


Key Takeaways:

  • Due to the political and subsequent economic instability experienced in Latin American countries, which tends to devalue national currencies, cryptocurrencies are an easy alternative for preserving personal wealth. This financial option has proven to be the preferred choice of many Latin Americans because of the safety and ease of its transactions, especially when sending money to family and friends abroad. Indeed, in a global poll, LATAM is the region with the highest number of cryptocurrency users.

  • With the recent possibility of opening a bank account online, a trend emerges: identity theft and the fraudulent new bank accounts that follow from it. Again, Brazil holds first place in the Latin American ranking of identity theft crimes: yearly, the country faces a loss of R$60 billion (approximately US$11.3 billion). Fraudulent bank accounts allow the cybercriminal to sign loan contracts and take on debt in another person’s name. These activities affect not only the victim and the bank but also the whole dynamic of DFS, prompting further regulations that might hinder financial inclusion and positive user experiences.

  • Furthermore, malicious software variants are spread throughout Latin America. Previously these malware variants did not originate in the region; however, new communities of Spanish- and Portuguese-speaking hackers have changed this reality.

  • Globally, the financial sector is the second most affected sector by cybercrime, behind only retail. This reality is no different in LATAM. Banks and other financial institutions face fraud challenges, whether from identity theft (as discussed above) or from trojan and backdoor mechanisms. Emotet botnet activity (targeting mostly banks) in the region represents 45% of the global use of the tool. In general, in 2019, LATAM suffered 85 billion attack attempts involving malware variants and botnet activity; the most affected country was Brazil, with 24 billion cyberattacks in a year.

Introduction

The causes of financial cybercrime in LATAM have been discussed in a previous AdvIntel report. In the current report, a few case studies were selected to illustrate the diversity of the Latin American financial cyberthreat landscape.

Along with, and driven by, the boom of online shopping and bancarization (the spread of banking services to the previously unbanked), Latin America is also experiencing the emergence of different types of fraud and further financial cybercrimes. Previously portrayed only as targeted victims, Latin American countries are starting to witness the creation of hacker groups capable of deploying cyberattacks in the region and elsewhere. Latin American cybercriminals have been developing their own code in Spanish and Portuguese and launching national and regional attacks, and they have now grown to the point of starting a process of cyber-internationalization.

This report is structured as follows: there will be a brief discussion followed by case studies for three subsections, namely the case of cryptocurrencies, financial crimes targeting users, and crimes targeting financial institutions.

Cryptocurrency-Related Cybercrimes

With the rising popularity of cryptocurrencies, banking trojan families are no longer targeting only formal banking institutions and their users. The design of banking trojan variants increasingly includes functions related to cryptocurrency wallets. In Latin America, where these currencies are progressively popular, fraud schemes that encompass cryptocurrencies are a trend.

Due to the political and subsequent economic instability experienced in Latin American countries, which tends to devalue national currencies, cryptocurrencies are an easy alternative for preserving personal wealth. This financial option has proven to be the preferred choice of many Latin Americans because of the safety and ease of its transactions, especially when sending money to family and friends abroad. Indeed, in a global poll, LATAM is the region with the highest number of cryptocurrency users.

Five Latin American countries are among the top 10 countries with the highest number of crypto users.
Despite the positive aspects of cryptocurrency, its vast use does not come unaccompanied by negative consequences. Due to blockchain technology, which allows for the almost absolute untraceability of transactions, these currencies are being used for money laundering purposes. According to “The Dark Side of America Latina” report, this malicious use takes place in three ways:

  1. Through a cryptocurrency tumbler, which mixes legitimate crypto with compromised ones (dark web crypto, for instance);

  2. Benefiting from the lack of or weak national regulations when it comes to know-your-customer (KYC) and anti-money laundering (AML) policies;

  3. Resorting to illegal peer-to-peer (P2P) exchanges to launder illicit cryptocurrencies.

As a result, 97% of all laundered cryptocurrencies end up in LATAM, due to the loose regulations of these countries. What can be inferred from this picture is that Latin America offers great opportunities for cryptocurrency-related crimes.

Yet, as in any space where financial transactions occur, cryptocurrency wallets are targets for cybercriminals. Users are not spared from cybercriminal activity, and we have been witnessing the creation of malicious software variants that target them. A few case studies are offered below to illustrate the threats crypto users currently face.

Case Studies

Metamorfo, the Banking Trojan with Cryptocurrency Theft Mechanisms

Metamorfo, also called Casbaneiro, was first spotted in May 2018 in Brazil, and since then it has been spreading quickly through Latin America. Mexico is its second most-targeted country; yet infections have also been recorded in the US, Chile, Argentina, Peru, Ecuador, and Spain. Metamorfo targets more than 20 online banks in Brazil and around 7 in Mexico. The malware variant is believed to be of Latin American origin, among other reasons because of its capability to scan for, detect, and target specific Latin American banking applications present on the infected device.

The infection vectors employed by Metamorfo’s campaigns are mainly phishing emails with malicious attachments. Yet it can also be delivered through fake update messages purporting to come from WhatsApp, Spotify, and OneDrive that mimic official communication and induce the user to download the malicious file that carries the malware variant.

Once Metamorfo infects the machine, its backdoor capabilities, which are very common among Latin American banking trojan families, include taking screenshots (sent to the C&C server), keylogging (recording keystrokes), simulating mouse and keyboard actions, and restricting access to specific websites. Besides that, Metamorfo can also download and execute supplementary executables: additional malware variants such as cryptocurrency miners, ransomware variants, and other malicious software families. It is interesting to note that Metamorfo uses YouTube to host its C&C servers’ domains; the YouTube accounts used are related to cooking recipes and football.

Beyond the above-mentioned capabilities, Metamorfo also collects the operating system version, user name, device name, and all installed anti-virus solutions. Finally, Metamorfo checks which banking applications the machine holds, especially security ones such as Diebold Warsaw and Trusteer.

The banking trojan variant constantly monitors the victim’s activity to collect online banking credentials; it then displays a fake version of the banking website that mimics the official one, so that the user enters their credentials into the fake page.

Its cryptocurrency theft technique is increasingly common in Latin American banking trojan families. The user records the receivers’ addresses in their cryptocurrency wallet. When the user wants to perform a transaction (transfer or deposit), they will usually copy and paste the intended address into the transaction page. Metamorfo intervenes in this flow by replacing the copied address (the intended receiver’s) in the clipboard with an address controlled by the criminals.

Mitigation Note

  • Mitigation of the banking trojan problem requires a combined strategy of technological and behavioral measures. In terms of behavior, users must be engaged with cybersecurity best practices, including knowing how to identify phishing emails and how to act when one is received. Users must also have the basic knowledge needed to recognize fake communications impersonating official applications and services, so as not to download fake files that mimic authentic programs.

  • In technological terms, the user must run capable, up-to-date security solutions. These tools help the user identify and remove potential threats before infection, and in the case of infection, they support the user with a fast incident response action plan.

VictoryGate, Cryptojacking Botnet

It is no surprise that cybercriminals are developing cryptocurrency-related malware variants. One of these is the malware type known as cryptojacking: the covert and malicious use of a victim’s device to mine cryptocurrencies. VictoryGate is exactly this type of malware.

VictoryGate was first spotted in May 2019, and it targets mainly Latin American users. More specifically, it targets Peru, where 90% of infected machines are located. The cryptojacking nature of VictoryGate means that what the cybercriminals are after is the computational power of their victims, not money or other types of information. VictoryGate works, then, as a botnet: a network of machines connected to a server that mine cryptocurrencies without the consent of the machines’ owners. There is no specific victim profile: victims were reported in both the public and private sectors, including financial institutions.

In this specific case, the malware variant is specialized in the Monero (XMR) cryptocurrency. This cryptocurrency is increasingly popular among cybercriminals due to its focus on privacy. This privacy feature, and the consequent use of the cryptocurrency for illicit activities, has led exchange platforms to exclude Monero from their accepted cryptocurrencies. The second feature of Monero that contributes to its popularity among hackers is that its mining algorithm is resistant to ASIC miners, which allows mining on ordinary home computers (without the use of a dedicated mining machine).

Over 35,000 machines are believed to have been infected by VictoryGate from 2019 on. By February and March 2020, 2,000 infected machines connected to the malware server daily, mining more than 80 XMR (approximately $6,000).

Its main infection vector is infected USB drives. When such a drive is connected to the victim’s machine, it installs the VictoryGate malware. The malware code contains an AutoIt agent that constantly scans for newly connected USB drives, which allows the malware variant to spread to additional machines. The botmaster is also capable of updating VictoryGate’s functionality, which raises the level of threat posed by this malware variant, since its functionality can evolve into any sort of malicious tool.

Mitigation Note

  • Having a robust cybersecurity solution is the first step to mitigate the threat of cryptojacking malware variants. These tools are constantly scanning the machine for unusual and suspicious usage of the CPU, which can rapidly detect the presence of a cryptojacking malware such as VictoryGate - a malware variant that can use up to 90% of the CPU capacity of the machine.

  • Since their main infection vectors are USB drives, critical machines must be spared from the use of such devices, which can be easily infected. Running the antivirus solution on the drive before opening any file contained in it is also an important step to prevent infection.
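The detection signal the first mitigation point relies on, sustained CPU consumption by a single process, can be expressed as a small rule over process telemetry. The following is an added example, not AdvIntel’s or any security vendor’s code: it assumes an endpoint agent that reports one `Sample` (timestamp, pid, image name, CPU share) per process at a fixed interval, and the process names and readings are constructed for illustration. It raises an alert only when a process stays at or above a threshold for a minimum duration, so that brief legitimate spikes are ignored, and it lets the analyst allowlist jobs that are expected to run hot.

```python
"""Sustained-CPU detector for cryptojacking such as the VictoryGate case
above. Added example, not AdvIntel's or any vendor's code; the telemetry
format (Sample) and the process names are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Sample:
    ts: int          # sample time, seconds since epoch
    pid: int
    name: str        # process image name as reported by the agent
    cpu_pct: float   # CPU share of the process, 0-100


@dataclass(frozen=True)
class Alert:
    pid: int
    name: str
    start: int       # first sample of the sustained run
    end: int         # last sample of the sustained run
    peak: float      # highest cpu_pct seen during the run


def detect_sustained_cpu(samples: Iterable[Sample], threshold: float = 80.0,
                         min_duration: int = 300,
                         allowlist: frozenset = frozenset()) -> List[Alert]:
    """Raise one Alert per process whose CPU share stayed at or above
    `threshold` for at least `min_duration` seconds without a dip.
    A short spike (a browser rendering a page) does not qualify; a miner
    pegged for minutes does. `allowlist` names processes expected to run
    hot (backup jobs, compilers) so they do not page the analyst."""
    by_proc = defaultdict(list)
    for s in samples:
        if s.name not in allowlist:
            by_proc[(s.pid, s.name)].append(s)

    alerts: List[Alert] = []
    for (pid, name), series in by_proc.items():
        series.sort(key=lambda s: s.ts)
        run_start: Optional[int] = None
        run_end = 0
        peak = 0.0
        for s in series:
            if s.cpu_pct >= threshold:
                if run_start is None:
                    run_start, peak = s.ts, 0.0
                run_end = s.ts
                peak = max(peak, s.cpu_pct)
            else:
                # the run ended at the previous sample; report it if long enough
                if run_start is not None and run_end - run_start >= min_duration:
                    alerts.append(Alert(pid, name, run_start, run_end, peak))
                run_start = None
        # a run still open when telemetry ends is reported as well
        if run_start is not None and run_end - run_start >= min_duration:
            alerts.append(Alert(pid, name, run_start, run_end, peak))
    return alerts


def constructed_samples() -> List[Sample]:
    """Constructed telemetry: one sample every 10 s over seven minutes."""
    out = []
    for i in range(42):
        ts = 1_700_000_000 + i * 10
        if i < 40:   # hypothetical miner, pegged for 390 s, then exits
            out.append(Sample(ts, 4242, "updater.exe", 88.0 + (i % 5)))
        # a browser that spikes for two samples while rendering a page
        out.append(Sample(ts, 1000, "browser.exe", 95.0 if i in (10, 11) else 6.0))
        # a scheduled backup, legitimately busy for the whole window
        out.append(Sample(ts, 2000, "backup.exe", 85.0))
    return out


if __name__ == "__main__":
    hits = detect_sustained_cpu(constructed_samples(),
                                allowlist=frozenset({"backup.exe"}))
    for a in hits:
        print(f"pid {a.pid} ({a.name}) hot for {a.end - a.start}s, peak {a.peak:.0f}%")
```

On the constructed data only the hypothetical miner is reported; the browser spike is too short and the backup job is allowlisted. Without the allowlist the backup job is flagged too, which is the expected trade-off: the rule finds anything that runs hot for a long time, and tuning `threshold`, `min_duration` and the allowlist to the host’s normal workload is what keeps it quiet.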

Financial Crimes Targeting Banking

Besides the specific cases of cryptocurrency users and crimes targeting their wallets, multiple financial cybercrimes affect online banking users. In the first half of 2020 alone, financial data theft rose 43% in Brazil, for instance. Statistics of this kind indicate the undermining effect such crimes have on users’ trust in digital financial services (DFS). In a region with comparatively low levels of financial inclusion, low trust in DFS can have significant impacts on the economic growth and international integration of these countries.

With the recent possibility of opening a bank account online, a trend emerges: identity theft and the fraudulent new bank accounts that follow from it. Again, Brazil holds first place in the Latin American ranking of identity theft crimes: yearly, the country faces a loss of R$60 billion (approximately US$11.3 billion). Fraudulent bank accounts allow the cybercriminal to sign loan contracts and take on debt in another person’s name. These activities affect not only the victim and the bank but also the whole dynamic of DFS, prompting further regulations that might hinder financial inclusion and positive user experiences.

Furthermore, malicious software variants are spread throughout Latin America. Previously these malware variants did not originate in the region; however, new communities of Spanish- and Portuguese-speaking hackers have changed this reality.

Case studies

Three-in-One: Mekotio, the Banking Trojan with Multiple Functions

New hacker groups increasingly flourish in Latin America, creating their own communities of Spanish- and Portuguese-speaking cybercriminals. Within these groups, banking trojan families are fairly common across the region. These malware variants usually look for private financial information belonging to internet banking users. Yet a new form of banking trojan is emerging: variants that also look for cryptocurrency. Mekotio is a fairly new malware variant and one example of this new type of banking trojan.

First spotted in March 2018, the Mekotio campaign usually targets South American countries. Over 50% of its attacks target Chile, around 30% target Brazil, and 12% target Colombia; Peru, Argentina, Ecuador, and Bolivia are minor targets. More recently, though, Mexico has also become a target of Mekotio campaigns. In total, Mekotio targets 51 financial institutions distributed across the above-mentioned countries.

Its infection vector is phishing emails with malicious links. These emails mimic official government agencies, and the message is usually about taxes and receipts. When the user clicks on the malicious link, the webpage prompts the user to download a .zip file, and the malware variant then infects the machine.

Mekotio has three major functions: stealing banking information, cryptocurrencies, and passwords stored in a web browser. Concerning banking information, Mekotio monitors accessed webpages, and when the user accesses their banking page, the malware variant displays a fake banking website that mimics the official one. Upon insertion of personal credentials, Mekotio sends this information to their server.

In order to steal stored passwords, the malware variant is designed to execute as an ordinary user application. The encryption mechanisms employed by password managers are designed to allow decryption only by the same operating-system user that originally encrypted the data; because Mekotio runs under that user’s account, it can decrypt this information. These passwords might be linked to banking information, or they may belong to other personal accounts, such as email, social media, or storage services. Consequently, this is a highly threatening feature.

To conduct a cryptocurrency transaction, the user must have the receiver’s address in their cryptocurrency wallet, so these addresses are usually copied and pasted into the transfer/deposit field. When the user’s machine is infected by Mekotio, the address pasted into the transfer/deposit field will not correspond to the address that was copied. The user will usually not notice the difference and will carry on with the operation; consequently, the cybercriminal receives the cryptocurrency instead of the intended receiver.

If the cybercriminals behind Mekotio are interested in cryptocurrencies, it means that these actors are targeting specific individual users rather than acting indiscriminately. It means that these cybercriminals somehow monitor cryptocurrency users in order to target them specifically.

Mitigation Note

  • Since their infection vector is mainly phishing emails, cybersecurity best practices must be employed to avoid infection. These measures include not opening suspicious/unknown emails, and especially not clicking on any link contained in these emails. The same is valid for files contained in these unidentified emails.

  • Systematically running anti-virus solutions is also of great importance, so that even if a machine does get infected, the user can still be protected.

  • Concerning cryptocurrency theft, it is essential to always check the cryptocurrency wallet and to verify if the address in the transaction area is indeed the intended receiver of the cryptocurrency deposit/transfer.
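The third mitigation point, verifying that the address in the transaction field is really the intended receiver, is the only check that defeats the clipboard substitution described for both Metamorfo and Mekotio above, because the substituted address is itself well-formed. The following is an added example, not AdvIntel’s code and not that of any wallet vendor: it assumes a Bitcoin-style Base58Check address (one version byte, a 20-byte hash, a 4-byte double-SHA-256 checksum), and the two addresses are constructed from SHA-256 of fixed strings purely for illustration. The `PasteGuard` compares what landed in the form against the recipient recorded in the wallet’s address book at a trusted moment, and reports the first differing position so the user can see where the substitution happened.

```python
"""Recipient-address integrity check against clipboard hijacking, the
theft mechanism described for Metamorfo and Mekotio above. Added example,
not AdvIntel's or any wallet vendor's code. It assumes a Bitcoin-style
Base58Check address (version byte + 20-byte hash + 4-byte checksum); the
hash values are constructed from SHA-256 purely for illustration."""
import hashlib
from typing import Dict

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = ALPHABET[r] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))   # leading zero bytes become '1'
    return "1" * pad + digits


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)          # ValueError on a non-Base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def encode_address(version: int, hash160: bytes) -> str:
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))


def address_well_formed(addr: str) -> bool:
    """True if addr decodes to 25 bytes with a valid Base58Check checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and checksum(raw[:-4]) == raw[-4:]


def first_difference(a: str, b: str) -> int:
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))


class PasteGuard:
    """Holds recipient addresses recorded at a trusted moment (the wallet's
    address book) and checks the value that actually landed in the
    transaction form against them. A hijacker substitutes a *valid* attacker
    address, so the checksum alone never catches it; only the full-string
    comparison does. Eyeballing the first and last characters is not enough
    either, since the substitute can be chosen to share them."""

    def __init__(self, address_book: Dict[str, str]):
        self.book = dict(address_book)

    def verify(self, label: str, pasted: str) -> Dict[str, object]:
        intended = self.book.get(label)
        if intended is None:
            return {"ok": False, "reason": "unknown recipient"}
        pasted = pasted.strip()
        if not address_well_formed(pasted):
            return {"ok": False, "reason": "malformed address"}
        if pasted != intended:
            return {"ok": False, "reason": "clipboard mismatch",
                    "expected": intended, "got": pasted,
                    "first_difference": first_difference(intended, pasted)}
        return {"ok": True, "reason": "match"}


# Constructed addresses: stand-ins for a saved recipient and an attacker wallet.
INTENDED = encode_address(0, hashlib.sha256(b"constructed: intended recipient").digest()[:20])
ATTACKER = encode_address(0, hashlib.sha256(b"constructed: attacker wallet").digest()[:20])


def simulate_hijack(copied: str, hijacked: bool) -> str:
    """Models the effect of a clipboard hijacker between copy and paste:
    on an infected machine an address-shaped string comes back replaced."""
    if hijacked and address_well_formed(copied):
        return ATTACKER
    return copied


if __name__ == "__main__":
    guard = PasteGuard({"exchange deposit": INTENDED})
    for hijacked in (False, True):
        pasted = simulate_hijack(INTENDED, hijacked)
        print("hijacked" if hijacked else "clean   ", guard.verify("exchange deposit", pasted))
```

The design point is that the reference value must come from somewhere the clipboard never touches: an address book entry saved when the recipient was first confirmed out of band. A wallet or payment page that re-reads the clipboard to "confirm" the address would be comparing the hijacked value against itself.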

WannaHydra, 3-in-1 Brazilian Banking Trojan

The WannaCry ransomware global campaign of 2017 seems to have left a legacy. After its massive attack three years ago, WannaLocker, a mobile adaptation of WannaCry, emerged. Yet this was not the final stage in the evolution of this malware family. WannaHydra is a new malware variant that builds on the WannaCry-inspired WannaLocker, with added malicious functions.

So far, WannaHydra has only been identified in Brazil, but it definitely has the potential to spread elsewhere and cause great damage as its predecessors did.

The newly designed WannaHydra is a malware variant that affects iOS and Android users in a campaign targeting exclusively Brazilian online banking clients. Three banks have been identified as targets of the malware variant: Itaú, Santander, and Banco do Brasil. The most important and distinctive feature of WannaHydra is that it combines three types of attack in a single malware variant: it displays, at the same time, the features of a remote-access Trojan (RAT), spyware, and ransomware, all combined in one banking Trojan. In fact, WannaHydra has the same user interface as WannaCry in its ransomware module but, as noted above, it has more capabilities than its predecessor.

It is not confirmed how the malware variant infects mobile phones. Yet, as WannaHydra mimics official online banking apps, the most probable infection vector is download from unofficial app stores or via malicious links. WannaHydra’s modus operandi is then as follows: once the app has been installed on the victim’s phone, the malware variant executes its banking Trojan function and shows the victim a warning alleging a problem with the user’s bank account. It then displays an interface that mimics the official bank’s app and asks for login information. This information might include the user’s social security number, credit/debit card number, and password, a combination that authentic banking apps do not usually request. When the user provides this information, the cybercriminals behind WannaHydra gain access to the victim’s bank account.

After this first data breach, WannaHydra activates additional functions. The first to be activated is the spyware function, with which the malware variant goes on collecting all sorts of personal information from the victim. This information may include GPS location, microphone recordings, storage media, call logs, SMS, and hardware information, among others. This data is then used for the ransomware attack: WannaHydra utilizes a Portuguese version of WannaLocker which, in addition to all the above-cited breached information, also has the capability to activate the smartphone’s camera and take pictures. The device is then encrypted and the ransomware attack takes place.

Due to the novelty of the malware variant, it has not been disclosed how much money is demanded as ransom payment. The number of victims affected by WannaHydra is also still unknown.