Cofense Logo - Email Security Solutions

Another wave of Brazilian malspam leads to banking trojan

Share Now


In October of 2017 we blogged about a phishing campaign specifically targeting Brazilian Portuguese- speaking users.

Back then, the campaign distributed a malicious Chrome browser extension. More recently, we have observed a wave of emails that have remarkably similar characteristics. This time around, the malware of choice is a banking trojan.

In the image below, we see an email suggesting that it delivers a resume from a job-seeker. This message content may seem familiar as it has same characteristics we saw in the emails distributing the malicious Chrome extension. Each message contains a photograph of a woman with an identical text in both campaigns.

Cofense Intelligence - Real-time phishing threat intelligence to prevent and respond to phishing attacks

Cofense Triage - Automated Phishing Incident Response Platform

Image 1: Mail message received by users

The message presents two links abusing the URL shortening service. One points to the photograph that is shown in the message and the other enables the download of the malware. An analysis of the downloads made through these links, using the tools provided by the URL shortener service provider, reveals the impact by country.
Cofense Triage - Automated Phishing Incident Response Platform

Cofense Reporter - Phishing Reporting Tool for EmployeesImage 2: Saturation of visits to shortened phishing URL by country

Different shortened links were used in each wave of messages sent by these phishers. These URL shorteners usually point to a redirector, which in turn leads to the link that serves the first phase of the malware.

Sample redirector:


First malware stage:


This link provides victims with a ZIP archive. Inside, is the malware responsible for downloading the next stage.


MD5: 17893B7BDE7C12BE81957DFA0179CAE7

SHA256: 1B2D13A8A6D8F9FB46892A1497A3408A57BC0BB575DFDE2866B3B203EAFA9129

Size: 17,200 bytes

Filename: CURRICx002017.exe

MD5: CCA79892602584CAD97EF588052BC8AF

SHA256: 09EC7EF8A22CA694186A2CEF068B75EECED4FB82A217B01A0773CD809878FC10

Size: 38,912 bytes

Upon execution, this malware pretends to be an instance of the Adobe Reader application. Meanwhile, in the background, the malware downloads its next component.

Phishing email alert - CofensePhishing email alert - Cofense

Image 3: Window shown by the first stage executable

The next component is a VBS script, downloaded through an HTTP request to the following  URL:


Phishing email alert - CofensePhishing email alert - Cofense

Image 4: Second stage encoded VBS script

Once deobfuscated, this script demonstrates the ability to perform a number of system inspection operations. These checks are performed to determine whether the machine is considered suitable to the attacker.

Phishing email example - CofensePhishing email sample - Cofense

Image 5: Code used to detect the presence of virtualization

The script is designed to detect the language of the system. It also checks whether the machine is virtualized. These checks are performed as a means of evading analysis as well as to ensure the attack impacts computers that suit their preferences and needs. The malware will only continue with its execution if no virtualization has been found and the language is Portuguese (Brazil).

Phishing email sample - CofensePhishing email sample - Cofense

Image 6: Code used to detect the system language settings

The final result is the download of a last stage component from the following URL:


This component is a ZIP archive of names with a “.klu” extension:

Filename: shta.klu

MD5: 5525ED000EFE72910D3DC7F7FAEA1912

SHA256: 603CB8DE20803CC7E97643FAB4B50A709F9E9FC21F822EF2D1D7F5ABD8B751CA

Size: 232,875 bytes

Which contains the following file:

Filename: sht

MD5: 634F7F1262D71DAAE5890CC36AFF6952

SHA256: EE169075E79A5BFB9BA2BA13217484516E910652FDDD07768382EFE17615C724

Size: 275,456 bytes

This is a 32BIT DLL file written in DELPHI. Its initialization code is not present in the DllEntryPoint procedure. Instead, the DLL exports a function with the name SHTE443G11, which the previous component calls to continue with the infection process. Upon execution, it makes various requests to its control panel:



It is noteworthy that manual access to these links show us a “suspended account” page. In spite of this, the malicious components are present and downloaded without problems. This indicates that the “suspended account” message may be an intended decoy to mislead researchers.

Phishing email sample - CofensePhishing email sample - Cofense

Image 7: Manually accessing the control panel

The process concludes with the installation in the system of this latest component, creating the following structure on the user’s PUBLIC folder.

Phishing email sample - CofensePhishing email sample - Cofense

Image 8: Structure of malware files installed on the system

The threat actors have developed a complex system consisting of multiple stages for downloading their malware. The campaign is addressed only to users based in Brazil, not only for the content of the message but also the different checks that their authors have placed in the different phases.

This campaign’s coincidences, like ones we have revealed in the past, underscore that cyber criminals employ different malware families in their different campaigns.

Sign up for free threat alerts from PhishMe Intelligence™ and PhishMe® Research.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.