Client Maximus: New Remote Overlay Malware Highlights Rising Malcode Sophistication in Brazil

This post was co-authored with IBM X-Force researchers Or Safran and Lior Keshet.

---

The Brazilian malware landscape is notorious for its plethora of Delphi-based code and overall lack of sophistication. But much like the Russian-speaking malware scene, Brazilian cybergangs have been using better malware, such as the recently discovered Client Maximus, in their attacks.

In the summer of 2016, malware like Zeus Panda and Sphinx were spotted in Brazil. Those were followed by intensifying infection campaigns, all targeting Brazilian banks and payment platforms, according to data from IBM X-Force Security Research. Later in the year year, our researchers spotted a new, real-time phishing attack in Brazil, which introduced automation and agility to classic phishing attacks.

It quickly became clear that cybercriminals in Brazil are collaborating with counterparts from other, more sophisticated threat landscapes and importing code and expertise to launch attacks in their own country.

Enter Client Maximus

We recently encountered a case in Brazil that reflects this ongoing trend. Client Maximus is a new malware code that appears to have been written specifically for attacks on Brazilian banks. The malware was recently analyzed alongside other components related to it, leading to further findings and a greater overall understanding of the growing sophistication of cybercrime tools in Brazil.

The purpose of the Client Maximus malware is financial fraud. As such, its code aspires to create the capabilities that most banking Trojans have, which allow attackers to monitor victims’ web navigation and interrupt online banking session at will. After taking over a victim’s banking session, an attacker operating this malware can initiate a fraudulent transaction from the account and use social engineering screens to manipulate the unwitting victim into authorizing it.

Check out the infection routine and further info here.