Trend Micro analyzed a fileless malware sample, identified from IoCs reported by researchers online, that arrives with multiple .BAT attachments. One of the batch files connects to an IP address, downloads a PowerShell script carrying a banking trojan payload, and installs a hack tool and an information stealer. Looking further, we observed it stealing machine information and user credentials, scanning for strings related to three specific Brazilian banks (Banco Bradesco, Banco do Brasil, and Sicredi), harvesting saved Outlook contacts as possible further network connections, and installing the hack tool RADMIN. Our telemetry showed the highest number of infection attempts in Brazil and Taiwan.
Aside from enabling access to users’ banking accounts, the stolen PII gathered from visited websites and the recorded machine credentials can be further abused or sold. Also, considering the wide financial services and large customer bases of the three targeted banks, we are following this developing threat, as it could be used for larger botnet operations or mass-mailed targeted attacks.
Source: Trend Micro