High-end banking malware hits Brazil

In the past two weeks, IBM's X-Force security team has spotted the high-end banking trojans Zeus Sphinx and Zeus Panda targeting Brazilian financial institutions, according to a new report

Brazil just can't catch a break. We've already seen flesh-eating bacteria in the water, athletes getting robbed on the streets, and police officers holding up a "welcome to hell" sign at the airport. Plus a wide variety of cybercrime, including phishing attacks and credit card skimming machines.

Now the criminals are getting even more sophisticated. In the past two weeks, IBM's X-Force security team has spotted the high-end banking trojans Zeus Sphinx and Zeus Panda, according to a new report.

"This is considered sophisticated malware, and this kind of sophistication is not typical for Brazil," said Limor Kessem, executive security advisor for IBM Security. "This is definitely a step up from what we usually see in Brazil."

Brazilian malware is typically scripts or browser extensions, not a complex modular software product like Zeus, she said.

The way that it works is that both strains of malware target Brazilian computer users, then wait for the users to access their online banking or payments accounts. They then intercept the communications, modify the websites, steal credentials, and redirect the payments.

It is likely that the attackers are based in Brazil or have local partners, she said.

The malware communicates back to central command-and-control servers to download customized configuration files, she explained. In these two cases, the files have been customized to attack three major Brazilian banks and a Brazilian payment system, as well as one bank in Colombia.

Adding a new banking target requires the the attackers create a social engineering injection that precisely mimics a bank's look and feel and requires an understanding of the bank's authentication methods.

"They are able to manipulate what the persons sees when they visit the page," Kessem said. "For example, in addition to a login and password, they might also ask for a Social Security number and their mother's maiden name."

This is where local knowledge comes in handy.

"In the past, a lot of times, cybercriminals going after countries where they don't speak the language would have a lot of spelling mistakes, and that would be a sign that something isn't right," she said. "Now that they collaborate with people who are local, they have more of an ability to say the right things in the right way, and have more knowledge of how that bank works and have a better chance of defrauding accounts."

As a result, adding a new target becomes fairly easy, she said. All the criminals have to do is modify the configuration file. "It's fairly easy to do and criminals can do that at any time."

The core source is the same for both Panda and Sphinx, and both are based on the Zeus source code that was leaked in 2011 and has become a popular base for commercial malware sold on underground boards, she said.

Zeus Panda is extremely localized, she said. In addition to local banks, it targets a supermarket that delivers food, a police agency, and a Bitcoin exchange.

The Bitcoin exchange is probably being used to help the criminals launder their ill-gotten gains, Kessem suggested.

Zeus Sphinx targets Brazilian banks as well, but also goes after the popular Boleto Bancário payment platform, which allows users to go online and send money orders.

Sphinx first emerged a year ago, first attacking banks in Australia and the U.K.

Kessem did not have any data about how much financial damage these attackers are causing Brazil. In 2014, however, RSA issued a report that a Boleto malware fraud ring had compromised nearly $4 billion worth of transactions over the previous two years.

IBM currently monitors 270 million endpoints worldwide, Kessem said. After spotting the malware, the company notified the targeted institutions and local law enforcement authorities.

She declined to name the specific institutions targeted by the malware.

Join the PC World newsletter!

Error: Please check your email address.

Tags cyber attack

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Maria Korolov

Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?