Cybercrime: Groups Behind “Banload” Banking Malware Implement New Techniques (May 13, 2019)

The threat group behind the “Banload” banking malware, which is believed to be based in Brazil, has been found to have added new features to its malware, according to SentinelOne researchers and the security researcher(s) “MalwareHunterTeam.” The new feature is a driver component called “FileDelete” that locates and removes drivers and executables associated with antivirus and “banking protection” programs. Once Banload is installed on a machine, its “Golang” loader uses PowerShell to install the FileDelete driver into the local directory. FileDelete is capable of removing packages belonging to multiple security products, including Avast, AVG, Rapport, Trusteer, and the Bradesco software “scpbrad.” The threat actors attempt to conceal the malicious activity by digitally signing FileDelete with a “Thawte Code Signing Certificate,” so that the driver appears legitimate to the operating system and to analysts.
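As an added illustration (not code from the report, SentinelOne, or MalwareHunterTeam), the following Python triage routine runs over constructed Sysmon-style events and flags the three steps described above: PowerShell registering a kernel service, a driver loading from outside the system drivers directory even when it is signed, and deletion of files belonging to the named security products. Field names follow Sysmon's event schema; the sample events, paths and service name layout are constructed.

```python
import re

# Path fragments for the security products the report says FileDelete targets.
PROTECTED_PRODUCTS = re.compile(r"\\(avast|avg|rapport|trusteer|scpbrad)", re.IGNORECASE)
# Drivers normally live here; a load from anywhere else is worth a look even when signed.
TRUSTED_DRIVER_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\", re.IGNORECASE)
# PowerShell registering a kernel-mode service, e.g. via sc.exe or New-Service.
KERNEL_SERVICE_CMD = re.compile(r"(\bsc(\.exe)?\s+create.*type=\s*kernel|new-service)", re.IGNORECASE)


def triage(events):
    """Return a list of (rule, detail) alerts for events matching the Banload chain."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and "powershell" in ev.get("Image", "").lower() \
                and KERNEL_SERVICE_CMD.search(ev.get("CommandLine", "")):
            alerts.append(("powershell_kernel_service", ev["CommandLine"]))
        elif eid == 6 and not TRUSTED_DRIVER_DIR.match(ev.get("ImageLoaded", "")):
            # A valid signature does not clear it: the reported driver carried a Thawte certificate.
            alerts.append(("driver_from_untrusted_path",
                           f"{ev['ImageLoaded']} signed={ev.get('Signed')}"))
        elif eid == 23 and PROTECTED_PRODUCTS.search(ev.get("TargetFilename", "")):
            alerts.append(("security_product_file_deleted", ev["TargetFilename"]))
    return alerts


# Constructed sample telemetry mimicking the chain described in the report (not real IOCs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden sc.exe create FileDelete type= kernel '
                    r'binPath= "C:\Users\u\AppData\Local\Temp\FileDelete.sys"'},
    {"EventID": 6, "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\FileDelete.sys", "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
    {"EventID": 23, "Image": "System",
     "TargetFilename": r"C:\Program Files\AVAST Software\Avast\aswSP.sys"},
    {"EventID": 23, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\Downloads\report.pdf"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The benign driver load and the ordinary file deletion in the sample produce no alert, which is the point: the rules key on where a driver comes from and what is being deleted, not on the signature alone.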

Recommendation: Malware authors are constantly devising new methods of communicating back to their control servers. Always practice Defense in Depth (do not rely on a single security mechanism - security measures should be layered, redundant, and failsafe).

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.