As we count days down to the end of the first quarter of the year.
New threats are emerging in the wild and going on a rampage. This week’s new kid on the malware block is CHAVECLOAK, a banking trojan which’s first mode of attack is phishing emails bearing PDF attachments. According to Cara Lin, a researcher at Fortinet FortiGuard Labs. “This sophisticated attack entails the PDF retrieving a ZIP file, then employing DLL side-loading methods to initiate the ultimate malware
“The attack sequence entails the utilization of DocuSign-themed bait to deceive users into opening PDF files with a button prompting them to review and sign the documents. Pressing the button results in fetching an installer file from a remote link that has been shortened using the Goo.su URL shortening service.
Contained within the installer is an executable file called "Lightshot.exe" which utilizes DLL side-loading to load "Lightshot.dll," serving as the CHAVECLOAK malware responsible for stealing sensitive information. This involves collecting the system’s metadata and checking if the infected machine is in the targeted location. If it is, it monitors the active window for specific banking-related terms and when it gets a match, it connects to a command-and-control server to gather and send out information to different server endpoints based on the targeted financial institution.
According to Lin, the malware enables credential theft by blocking the victim's screen, logging keystrokes, and displaying fake pop-up windows. "The malware actively tracks the victim's usage of particular financial websites, including both conventional banking and cryptocurrency platforms." Lin concluded that the appearance of the CHAVECLOAK banking Trojan highlights the changing nature of cyber threats aimed at the financial industry, particularly targeting users in Brazil.
MITIGATIONS
● Security Awareness Training: Train Staff about phishing tactics and the importance of not clicking on suspicious links or downloading attachments from unknown sources.
● Email Filtering: Ensure to implement the use of email filtering solutions to detect and block phishing emails containing malicious attachments or links associated with chavecloak.
While Chavecloak definitely looks like one to keep an eye on, Fret Not!!!!!!!! For at Cybervergent, we always have a solution to put your cyber fears to rest. And as we know the month of March is the month of “World Backup Day”. Let us be your bulletproof, your shield and your back up.
You can trust our 24/7 Monitoring and incident response professionals in our SOC to quickly detect, contain, and eradicate CHAVECLOAK and other malware infections in the event of a security incident.