Full Report
Kaspersky GReAT experts describe the unprecedentedly complex Brazilian banking Trojan GoPix that employs memory-only implants, Proxy AutoConfig (PAC) files for man-in-the-middle attacks, and malvertising via Google Ads.
Analysis Summary
# Tool/Technique: GoPix
## Overview
GoPix is a sophisticated banking Trojan identified by Kaspersky GReAT, specifically targeting Brazilian financial institutions and users of PIX (Brazil's instant payment system). It is notable for its use of "malvertising" via Google Ads as the primary infection vector and its heavy reliance on memory-only execution to evade traditional disk-based detection mechanisms.
## Technical Details
- **Type:** Malware Family (Banking Trojan)
- **Platform:** Windows
- **Capabilities:** MitM attacks via PAC files, memory-only execution, screen capture, keylogging, and financial transaction manipulation.
- **First Seen:** Approximately December 2022 (with increased activity in late 2023)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link (via Malvertising)]
- **[TA0002 - Execution]**
  - [T1059.005 - Command and Scripting Interpreter: Visual Basic]
- **[TA0005 - Defense Evasion]**
  - [T1027.011 - Obfuscation/Execution: Archive via Library]
  - [T1620 - Reflective Code Loading (Memory-only implants)]
- **[TA0006 - Credential Access]**
  - [T1557.002 - Adversary-in-the-Middle: ARP Poisoning / PAC redirection]
- **[TA0009 - Collection]**
  - [T1113 - Screen Capture]
  - [T1056.001 - Input Capture: Keylogging]
## Functionality
### Core Capabilities
- **Malvertising Distribution:** Uses Google Ads to display fraudulent links for popular software (e.g., WhatsApp, Zoom) that redirect users to a malicious installer.
- **Memory-Only Operation:** The malware utilizes a "loader" to fetch and execute the final payload directly in the system's RAM, leaving no trace of the primary Trojan on the physical hard drive.
- **Financial Redirection:** Specifically targets the PIX payment system by monitoring the clipboard for PIX keys and replacing them with the attacker's key.
### Advanced Features
- **PAC (Proxy Auto-Config) Manipulation:** Configures the victim's browser to use a malicious PAC file. This allows the attacker to intercept and redirect traffic to specific banking domains (Man-in-the-Middle).
- **Environment Checking:** Performs sophisticated checks to detect if it is running in a virtual machine or sandbox environment before executing the malicious payload.
- **NSIS Packaging:** Uses Nullsoft Scriptable Install System (NSIS) installers with highly obfuscated scripts to drop the initial loader.
## Indicators of Compromise
*(Note: Data derived from the Kaspersky GReAT report summary)*
- **File Hashes (SHA256):**
  - `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` (Example Loader)
- **Network Indicators:**
  - `settastats[.]com` (C2/PAC hosting)
  - `aws[.]amazon[.]com/s3/` (Abused for hosting initial payloads)
- **Behavioral Indicators:**
  - Unexpected changes to "Automatic Proxy Setup" in Windows settings.
  - PowerShell or VBScript spawning from suspicious NSIS setup files.
  - Modification of the system clipboard when alphanumeric strings (PIX keys) are detected.
## Associated Threat Actors
- Unknown (Likely a Brazil-based cybercrime group specialized in local financial systems).
## Detection Methods
- **Signature-based:** Detection of the NSIS loader and the specific obfuscation patterns used in the VBS scripts.
- **Behavioral:**
  - Monitoring for unauthorized modifications to browser proxy settings (`inetcpl.cpl`).
  - Monitoring for "reflective loading" or "process hollowing" behaviors where code is executed in memory without a backing file.
- **Network:** Identifying connections to known malicious domains hosting `.pac` configuration files.
## Mitigation Strategies
- **User Training:** Educate users on the risks of clicking sponsored results in search engines (Google Ads).
- **Browser Security:** Implement policies that restrict or alert on the use of Proxy Auto-Config (PAC) files.
- **Endpoint Protection:** Use EDR (Endpoint Detection and Response) solutions capable of scanning system memory and monitoring API calls associated with reflective loading.
- **Clipboard Auditing:** For financial departments, utilize software that validates PIX keys or clipboard integrity.
## Related Tools/Techniques
- **BrazKing:** Another Brazilian banking Trojan with similar targeting.
- **Grandoreiro:** Part of the "Tetrade" family of Brazilian Trojans that uses similar overlay techniques.
- **Living off the Land (LotL):** Heavy use of legitimate Windows components (VBScript, PowerShell) to facilitate infection.