#latamhackers: Week 5 - Expansion of Malware Overseas


This post is a part of our #latamhackers series, a 5-week series about some of the top techniques used by hackers in Central and South America.


#latamhackers Series

During our 5-part series, Phishing for Answers details the most utilized hacking techniques in Latin America. Each post will include a summary of the technique, a recent example, and recommended mitigation measures.

Last week, we discussed how regional hackers rely on user execution to spread malware across targeted networks (read more here: #latamhackers: Week 4 - Geographic Targeting). This week marks our final week of the series, and we will discuss how these groups sell their malware overseas.

Here is the full list of techniques:

  1. Spearphishing

  2. Commodity tools

  3. Reliance on user execution

  4. Geographical targeting

  5. Expansion of tools overseas


#5: Malware Expansion Outside of Latin America

Summary:

As previously mentioned, Latin American hackers are generally region-specific in their campaigns. However, Brazilian banking trojans have notably deviated from this tendency. A recent pattern is emerging in which this banking malware is developed in Brazil, used in Latin America, and then expanded to Europe. In fact, Brazilian cybercriminals are rapidly expanding their malware to target European banking customers (e.g., in the cases of Bizarro, Guildma, Amavaldo, Javali, Melcoz, and Grandoreiro).

Example:

In 2019, a malware known as BRATA (Brazilian Remote Access Trojan Android) began spreading on Android devices in Brazil. In June 2021, security research firm Cleafy identified the presence of BRATA variants in Italy. Just one year later, in June 2022, new variants of BRATA appeared throughout Europe and were classified as characteristic of APT activity. The spread of BRATA from Brazil to Europe indicates that the creators either gave it to internal overseas operatives or sold it to European hackers.

Image: BRATA's embedded logs are written in Brazilian Portuguese (left), while the text shown to Europe-based victims is in Italian (right). This illustrates the expansion of BRATA from its server-side creation in Latin America (Brazil) to its client-side execution in Europe.

Mitigation measure:

Banking and other financial institutions should strengthen their online customer authentication processes, adopt strong fraud detection capabilities, monitor relevant threats, and implement vulnerability scanning.


Looking Forward

Despite the growing sophistication of these APTs, the cyber threat landscape in Latin America is frequently underreported in the broader industry. There are some important reasons why this is the case. First of all, threat actors in the region tend to be financially motivated rather than aligned with strategic government objectives. Therefore, they have fewer resources and operate on a smaller scale compared to well-funded adversaries. Additionally, attribution is especially difficult among Latin American hackers, given their use of open-source malware and common languages.

That said, the cyber community should expect to see growing sophistication in Latin American cybercrime. Foreign influence in the region, whether economic, political, or technological, is growing. Nations with historically robust cyber capabilities, such as Russia, China, and Iran, are increasingly investing in Latin American digital infrastructure. The Venezuelan government, for example, adopted Chinese tracking technologies and organized meetings with federal Russian cybersecurity officials. This foreign influence could equip regional hacking groups with more advanced techniques.

From Mexico to Argentina, APT groups continue to hack network systems and challenge industry assumptions of their capabilities. These hackers are contributing to the global cyber problem, and in order to solve it, the tech community must be informed on all regions of the world.


Approved for Public Release; Distribution Unlimited. Public Release Case Number 22-02304-5. The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author. ©2022 The MITRE Corporation. ALL RIGHTS RESERVED.

