PIX Payment Users Beware: New GoPIX Malware Targets WhatsApp Web Searchers
Vaibhav Pandya, CISSP, CCISO, CCIO, CEH, ITIL, PRINCE2
Protecting Your Business | CISO | Information Security & Risk Leader/Advisor with 23+ years of experience | Investor and Cybersecurity Expert | Mentor
A new malware called GoPIX is targeting users of Brazil's popular PIX instant payment system. The malware is disguised as a WhatsApp web installer and is spread through malicious ads served on search engine results pages (SERPs).
How the Attack Works:
When a user clicks on a malicious ad, they are redirected to a fake WhatsApp web download page. If the user's machine has port 27275 open, they will download a ZIP file containing an LNK file that embeds an obfuscated PowerShell script. This script will then download the next stage of the malware. If port 27275 is closed, the user will download an NSIS installer package directly.
What GoPIX Does:
Once installed, GoPIX functions as a clipboard stealer: it monitors the clipboard for PIX payment requests and replaces them with an attacker-controlled PIX string, so the victim pays the attacker instead of the intended recipient. The malware can also substitute Bitcoin and Ethereum wallet addresses in the same way.
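The swap described above leaves a recognisable trace: a PIX string or wallet address in the clipboard is replaced, within a fraction of a second, by a different value of the same kind. The following detection heuristic is an added example written for this article, not code from the reported campaign or from any vendor; the clipboard events, PIX strings (with dummy CRCs) and wallet addresses are constructed, and the PIX pattern is only the outer EMV "copia e cola" layout (leading "000201", trailing "6304" plus CRC).

```python
import re
from dataclasses import dataclass

# Value types the article says GoPIX replaces. The CRC of the PIX string is not
# verified here: a swapped-in attacker string carries a valid CRC too.
PATTERNS = {
    "pix": re.compile(r"^000201.*6304[0-9A-Fa-f]{4}$", re.S),
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

@dataclass(frozen=True)
class ClipboardEvent:
    t: float   # seconds since the monitor started
    text: str  # clipboard contents after the change

def classify(text: str):
    """Return 'pix', 'btc', 'eth' or None for one clipboard value."""
    s = text.strip()
    for kind, pat in PATTERNS.items():
        if pat.match(s):
            return kind
    return None

def detect_swaps(events, window=5.0):
    """Flag a payment value replaced by a different value of the same kind
    within `window` seconds. A user rarely copies two different PIX strings
    or wallet addresses back to back; a clipboard stealer does exactly that."""
    alerts, prev = [], None
    for ev in sorted(events, key=lambda e: e.t):
        kind = classify(ev.text)
        if (prev is not None and kind is not None and kind == classify(prev.text)
                and ev.text.strip() != prev.text.strip() and ev.t - prev.t <= window):
            alerts.append({"kind": kind, "t": ev.t,
                           "original": prev.text, "replacement": ev.text})
        prev = ev  # any copy, payment-related or not, starts a new comparison
    return alerts

# Constructed sample values: fake PIX keys and addresses, dummy CRCs.
LEGIT_PIX = "00020126320014br.gov.bcb.pix0110chave@x.br52040000530398658" \
            "02BR5904Loja6002SP62070503***6304ABCD"
SWAPPED_PIX = "00020126320014br.gov.bcb.pix0110fraud@x.br52040000530398658" \
              "02BR5904Loja6002SP62070503***6304EF01"

def demo():
    events = [
        ClipboardEvent(0.0, LEGIT_PIX),
        ClipboardEvent(0.4, SWAPPED_PIX),        # replaced after 0.4 s -> alert
        ClipboardEvent(12.0, "meeting notes"),   # ordinary text, ignored
        ClipboardEvent(30.0, "bc1q" + "a" * 38),
        ClipboardEvent(30.2, "bc1q" + "b" * 38), # same kind, 0.2 s -> alert
        ClipboardEvent(60.0, "0x" + "1" * 40),
        ClipboardEvent(90.0, "0x" + "2" * 40),   # 30 s apart -> no alert
    ]
    return detect_swaps(events)
```

In a real monitor the events would come from the OS clipboard change notification; the heuristic is the same.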
Other Campaigns Targeting Messaging App Users:
This is not the only campaign to target users searching for messaging apps on search engines. In a new set of attacks concentrated in the Hong Kong region, bogus ads on Google search results have been found to redirect users to fraudulent lookalike pages that urge users to scan a QR code to link their devices. Scanning the QR code links the threat actor's device to the victim's WhatsApp account, granting the malicious party complete access to their chat histories and saved contacts.
Malwarebytes also discovered a similar campaign that uses Telegram as a lure to entice users into downloading a counterfeit installer from a Google Docs page that contains injector malware.
Grandoreiro Targets Spain and Mexico:
A new version of the Brazilian banking trojan Grandoreiro is targeting victims in Mexico and Spain. The campaign is attributed to a threat actor known as TA2725, which is known for using Brazilian banking malware and phishing to target entities in Brazil and Mexico. The targeting of Spain points to an emerging trend in which Latin American-focused malware is increasingly setting its sights on Europe.
Stealer Malware on the Rise:
Information stealers are flourishing in the cybercrime economy, with crimeware authors flooding the underground market with malware-as-a-service (MaaS) offerings. Such tools lower the entry barrier for aspiring threat actors who may lack technical expertise themselves.
One of the latest stealers to emerge is Lumar, which can capture Telegram sessions, harvest browser cookies and passwords, retrieve files, and extract data from crypto wallets.
Conclusion:
Users of messaging apps and online payment systems should be vigilant for phishing attacks and malicious ads. It is important to only download apps from official sources and to be careful about clicking on links in unsolicited emails or messages.
Organizations should also implement security measures to protect their employees from these types of attacks, such as educating employees about phishing and malware threats, using web filtering and email security solutions, and keeping software up to date.
Join the cause:
Join me in this cause to raise awareness about cybercrime prevention and protect ourselves and our loved ones online. Together, we can make the internet a safer place for everyone.
Call to action:
Share this article with your friends and family, and encourage them to take steps to protect themselves from cybercrime.
#security #work #design #cyberawareness #cybercrime #cyberhygiene #soc #ciso #cio #cissp #ceh #riskassessment #isms #pcidss #compliance #cybersecurity #startup #ransomware #threatintelligence #threathunting #technology #projects #maintenance #opportunities #administration #riskmanagement #supplychainresilience #data #digital #vCISO