Posted: 4 Min ReadThreat Intelligence

Almost 100 Organizations in Brazil Targeted with Banking Trojan

Recent campaign shows that this kind of activity is an ongoing threat for organizations and individuals in Latin America.

Up to 100 organizations in Brazil have been targeted with a banking Trojan since approximately late August 2021, with the most recent activity seen in early October.

This campaign appears to be a continuation of activity that was published about by researchers at ESET in 2020. The attackers appeared to be undeterred by exposure and Symantec, a division of Broadcom Software, has found a large number of new indicators of compromise (IOCs) relating to this latest wave of attacks.

Symantec’s Threat Hunter Team first became aware of this recent campaign when suspicious activity was spotted in a customer environment on September 30, 2021. This initial suspicious activity was detected by our Cloud Analytics technology, and further investigation found that attempts were being made to download a suspicious file named mpr.dll onto the customer’s environment. Msiexec.exe was attempting to download the file from a suspicious URL. Further analysis indicated that five files were downloaded, four of which were signed and appeared to be legitimate DLL files, but the file named mpr.dll was not signed and was suspiciously large for a single DLL file at 588 MB. Symantec researchers concluded that this was a “Latin American banking Trojan”, due to the similar characteristics and file names seen in this campaign and in the research into Latin American banking Trojans published by ESET in 2020.   

Further investigation by our analysts revealed similar activity had been aimed at multiple different organizations since late August 2021. In fact, as many as 98 organizations may have been targeted with similar activity, with all affected organizations based in Brazil.

The sectors targeted with this activity included information technology, professional services, manufacturing, financial services, and government.

What is a “Latin American banking Trojan”?

Banking Trojans are a type of malware designed to steal victims’ online banking information so malicious actors can access victims’ bank accounts. Once on a machine, the malware typically works by monitoring the websites victims are visiting and comparing these to a hardcoded list. If the victim visits a banking website the Trojan will generally display a spoofed login page in a pop-up over the legitimate page in an attempt to harvest victims’ banking credentials. These pop-ups are generally made to imitate the specific banks’ legitimate login pages and are often quite convincing.  

While once one of the biggest threats on the cyber-crime landscape, banking Trojans have been usurped in many parts of the world by ransomware in recent times. However, in Latin America particularly they still dominate a lot of cyber-crime activity.

In its 2020 report, ESET determined that there were 11 banking Trojan gangs operating in Latin America, and that these groups cooperated with each other. It came to this conclusion due to the many shared tactics, tools, and procedures used by the cyber criminals deploying banking Trojans in Latin America. 

Attack chain for recent activity

We did not observe what the initial infection vector was in this campaign, but it was likely a malicious URL spread via either spam email campaigns or through malvertising, which is typically the first step in Latin American banking Trojan campaigns. Victims are then directed to one of the following malicious URLs:

  • hxxps://centreldaconsulta[.]com/
  • hxxps://www.centralcfconsulta[.]net/
  • hxxps://centralcfconsulta[.]net/index3.php?api=vFUMIfUzGz2QdjxTFKAMyTlh
  • hxxps://
  • hxxps://www.centralcfconsulta[.]net/index3.php?api=r0ubnHRxDycEy5uFPViNA55Y3t
  • hxxps://www.centralcfconsulta[.]net/index3.php?api=4DQSbdp3hLqPRGTbOGtl7jCD9FKNViKXmKd9Lv
  • hxxps://centreldaconsulta[.]com/index3.php?api=nJsdr1J3h0fsG18sRAVQt6JjVW
  • hxxps://centreldaconsulta[.]com/index3.php?api=ThMyMCAQEOLIC9nO
  • hxxps://www.centralcfconsulta[.]net/index3.php?api=wen1eIFCeUh0jAS3mWIDUhSLt3sXMQ

Victims are then redirected to an Amazon Web Services (AWS) URL, which it appears the attackers abused to use as a command-and-control (C&C) server. A ZIP file that contains a Microsoft Software Installer (MSI) file is downloaded from the AWS infrastructure.

ESET reported that most gangs deploying banking Trojans in Latin America had started using MSI files as an initial download in 2019. An MSI file can be used to install, uninstall, and update applications running on Windows systems.

If the victim double-clicks the MSI file inside the downloaded ZIP, it will execute msiexec.exe, which then connects to a secondary C&C server to download another ZIP file containing the payload (mpr.dll), along with other legitimate portable executable (PE) files. The URLs observed being accessed by msiexec.exe included:

  • hxxp://13.36.240[.]208/ando998.002
  • hxxp://13.36.240[.]208/msftq.doge
  • hxxp://15.237.60[.]133/esperanca.lig2
  • hxxp://15.237.60[.]133/esperanca.liga
  • hxxp://52.47.163[.]237/microsft.crts
  • hxxp://52.47.163[.]237/nanananao.uooo
  • hxxp://15.237.27[.]77/carindodone.ways

The extracted ZIP file contains a renamed legitimate Oracle application - VBoxTray.exe. This is executed to load the payload (mpr.dll) by way of DLL search-order hijacking. DLL search-order hijacking takes advantage of how Windows handles DLLs to allow an attacker to load malicious code into a legitimate process. The mpr.dll file is also bigger than 100 MB in order to evade submission to security services, which tend not to process files above that size. Both of these files and this exact same process were observed in the banking Trojan activity detailed in ESET’s report.

Persistence is then created for the renamed VBoxTray.exe so that mpr.dll is always side-loaded into it by way of either Windows Registry or Windows Management Instrumentation (WMI). This is another common technique used in the attack chain for Latin American banking Trojans.

Stay alert for this activity

The various steps taken by the attackers behind this activity to evade detection - such as using a large file for the payload so that it won’t be scanned by security software, and leveraging legitimate processes and applications for malicious purposes - show that those behind this attack campaign are reasonably sophisticated actors. The number of organizations affected in this campaign also indicates that a large number of people are likely responsible for this activity - and it may be that more than one group is behind this activity. It could be a number of groups acting in a cooperative manner, as ESET said may be the approach taken by the various banking Trojan attack groups operating in Latin America.

While ransomware dominates much of the discussion on the cyber-crime landscape at the moment, it is important to remember it is not the only threat out there. Banking Trojans have the potential to be a costly problem for individuals and organizations, so people, especially those based in Latin America where this activity appears to be particularly prevalent, need to remain alert to this threat.

Simple steps, like ensuring you have multi-factor authentication enabled on all financial accounts, can help lessen the impact of threats like these.



  • Infostealer.Bancos

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise (IOCs)

IOC Description
ad6116abb88fd0383cf6f5a9f66a6ad8dda2be06bdc02a0fc071584689b69055 ZIP
0ee61e700ce0c71afe9bb2c8d7c253b560ddf535c3fd1f633b67e27f68731963 ZIP
35bbbe15471d45d7abb9300576eaee8f2f4d68d469b2cfc816342847e8f91db2 ZIP
cf7417c7dcaa27add45bfbba9984f40e0d11c24030a2036c44bd8591a54b4f8f ZIP
dee81a0164862d8be16e42177be61d78e82c8e903cbae3686c170b7a81e41f24 ZIP
e0c2ce9a2f7ae075e2fee6960af3c69c45fc41ce101499e5697599389a35cb85 ZIP
ff8897e5fff9f76bf8d84d478d476f5a9278cbe0a355781224b69c0a28ab4540 ZIP
b0c1c6ee59144ae7fbed50a4da8abf8a04510759699076728f2ccfa45ac6fa37 ZIP
0cb4baaaad8751fe293739ddd874437b5b3c6e4ad72747bb9327db6cc74317a8 ZIP
1f6bc4e5c07c3c74764581f1b35c401a5857228a15948402a9bde765d6d58cb3 ZIP
2b85c92db126e93658f2e74da11b3a0ca8001a4f33f293b0e796d952c8d543d9 MSI
52c8236da569e448127dd0735943ae8ad16428e026883c78aae6b0853efc7ece MSI
7cf033b0d80e07c2b5b0675c8aa09a3b3108135b9b2e1d053d52f19964eebc7d MSI
8240909d109da9fd2969ff56bf64a8d75de256539dc825c0c5739b7dc57d5eb5 MSI
8cf0b8b993bba3b1aa3b4b7980d9d784b048dd45c47699a0e04121dd89f2152e MSI
9aeb864a3e587bee375c20eb953750c62ecd58d8f7c1feb2212d3d027c74232f MSI
b2c317529c7f95db85867bce6085878ed8db7bdb89f6283708b4261f73808b95 MSI
cd66d3f21ec3d4751df942e057e4cad548922f02a9d2253e402b5f7d878b3a39 MSI
cfe570c69f1794e9c6c950761f6f2cc1b553d53c82563982850ef8cb77442b35 MSI
d5bb070c69c88f3e8de09d17c77dd57bad9adde8c03d625f4497d3a4bcc8892e MSI
feb86261d3d6551d92fc1e5554f22a1e9aeece4b5ed5737587580613b6a1d55d mpr.dll
e118e0898e000e10c26376d73f5571e2b185c2c4789ed9b5d36bce166dc1dd17 mpr.dll
5ee4719fc1be0238875ad3d79260d09677bf110b4add8057d767e34b5a3d716d mpr.dll
2081f9406af8936ff0c638df9191da763848bea0aae328c54f8e18419d9cd0df mpr.dll
86bb40de9a98c277d29a677b1c1a54f88741ebe9418e7354ec65519102703fb9 mpr.dll
160500920795f38338d2fa12be80fb7a52d804c3d843626832a42c93bd4d28ee mpr.dll
61c0e242c7a959dd673a4abded8a47ab02b919319666d9e81f9ac213a08fc90e mpr.dll
993017c033afb58545d0f5d76288d54bf008cfbc10e19794a152adf3b59f5fbf mpr.dll
c01cf8ad6e85743ed687e131b53b90e8cee72d20b50f7faebd7ac793df1d1c1d mpr.dll
2bb4f701a97222d52af5623dba6cd61cae37527a2dd866fe246bbb2f55bdceb4 mpr.dll
5516bfffad1229f65bee736bec6f121abcddab8b5f673d98836e9d68c67c8194 mpr.dll
939cdcfdd19b78ad35d1cad2af8baf31413d180639bb0022eb0796c82fcc64ef mpr.dll
5e54d306f17f39b78ccc79cc19c12b0ff3ba1ea4e0785b58f9ff55e8b5578a07 mpr.dll
a1e414d88df22263827233fc65fc8e4114ded43b8d14bd1c09956d834eba525e mpr.dll
hxxps://centreldaconsulta[.]com/ URL
hxxps://www.centralcfconsulta[.]net/ URL
hxxps://centralcfconsulta[.]net/index3.php?api=vFUMIfUzGz2QdjxTFKAMyTlh URL
hxxps://centralcfconsulta[.]net/ URL
hxxps://www.centralcfconsulta[.]net/index3.php?api=r0ubnHRxDycEy5uFPViNA55Y3t URL
hxxps://www.centralcfconsulta[.]net/index3.php?api=4DQSbdp3hLqPRGTbOGtl7jCD9FKNViKXmKd9Lv URL
hxxps://centreldaconsulta[.]com/index3.php?api=nJsdr1J3h0fsG18sRAVQt6JjVW URL
hxxps://centreldaconsulta[.]com/index3.php?api=ThMyMCAQEOLIC9nO URL
hxxps://www.centralcfconsulta[.]net/index3.php?api=wen1eIFCeUh0jAS3mWIDUhSLt3sXMQ URL
hxxp://13.36.240[.]208/ando998.002 URL
hxxp://13.36.240[.]208/msftq.doge URL
hxxp://15.237.60[.]133/esperanca.lig2 URL
hxxp://15.237.60[.]133/esperanca.liga URL
hxxp://52.47.163[.]237/microsft.crts URL
hxxp://52.47.163[.]237/nanananao.uooo URL
hxxp://15.237.27[.]77/carindodone.ways URL

About the Author

Threat Hunter Team


The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.