Trusted Design

Banking Trojan Escelar Infects Thousands In Brazil and the US

概要

Unit 42 for the past three months has been tracking a banking Trojan targeting victims in Brazil and the United States. Escelar originally surfaced in January of this year, and has since had roughly 100,000 instances of attempted infections. Attackers deliver the Trojan using generic Portuguese language phishing emails and are currently targeting seven Brazilian banks. Once delivered, Escelar has multiple installation stages where malware is downloaded using direct connections to multiple Microsoft SQL servers. These SQL servers are also used for command and control (C2) functionality. The most recently discovered Microsoft SQL server being used as Escalar infrastructure contained records of 1660 infections that all connected in a two-day time frame. The malware is able to control banking transactions conducted using Internet Explorer, and harvest email credentials, which are in turn used to spread the malware further.

Created: 2026-02-23

Indicators

類似Pulses

ESET | Malicious scripts gaining prevalence in Brazil (score: 0.65)
EngineBox Malware Supports 10+ Brazilian Banks - SANS Internet Storm Center (score: 0.65)
Avast: The evolution of the Retefe banking Trojan (score: 0.61)
Banking Trojan Attempts To Steal Brazillion$ (score: 0.60)
Colombians major target of email campaigns delivering Xtreme RAT (score: 0.60)

このPulseに関連する脅威アクター (事実ベース)

Scattered Spider

Score: 21.07

Matched TTPs:

T1666 - Modify Cloud Resource Hierarchy
T1560.003 - Archive via Custom Method
T1218.015 - Electron Applications
T1136.002 - Domain Account
T1083 - File and Directory Discovery
T1197 - BITS Jobs

MITREへのリンク →

FIN4

Score: 4.13

Matched TTPs:

T1666 - Modify Cloud Resource Hierarchy

MITREへのリンク →

Mustard Tempest

Score: 6.51

Matched TTPs:

T1682 - Query Public AI Services
T1091 - Replication Through Removable Media

MITREへのリンク →

APT41

Score: 14.06

Matched TTPs:

T1560.003 - Archive via Custom Method
T1140 - Deobfuscate/Decode Files or Information
T1059.008 - Network Device CLI
T1027.007 - Dynamic API Resolution
T1008 - Fallback Channels

MITREへのリンク →

TA505

Score: 7.72

Matched TTPs:

T1560.003 - Archive via Custom Method
T1091 - Replication Through Removable Media
T1136.002 - Domain Account

MITREへのリンク →

Volt Typhoon

Score: 17.93

Matched TTPs:

T1560.003 - Archive via Custom Method
T1140 - Deobfuscate/Decode Files or Information
T1083 - File and Directory Discovery
T1584.002 - DNS Server
T1546.016 - Installer Packages
T1578.001 - Create Snapshot

MITREへのリンク →

APT3

Score: 6.91

Matched TTPs:

T1560.003 - Archive via Custom Method
T1059.008 - Network Device CLI

MITREへのリンク →

FIN13

Score: 6.85

Matched TTPs:

T1560.003 - Archive via Custom Method
T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

OilRig

Score: 22.22

Matched TTPs:

T1552.005 - Cloud Instance Metadata API
T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1005 - Data from Local System
T1592.002 - Software
T1556.009 - Conditional Access Policies
T1547.008 - LSASS Driver

MITREへのリンク →

Gamaredon Group

Score: 10.52

Matched TTPs:

T1552.005 - Cloud Instance Metadata API
T1091 - Replication Through Removable Media
T1612 - Build Image on Host
T1547.002 - Authentication Package

MITREへのリンク →

APT28

Score: 15.06

Matched TTPs:

T1552.005 - Cloud Instance Metadata API
T1140 - Deobfuscate/Decode Files or Information
T1547.002 - Authentication Package
T1197 - BITS Jobs
T1566.003 - Spearphishing via Service

MITREへのリンク →

Turla

Score: 24.81

Matched TTPs:

T1552.005 - Cloud Instance Metadata API
T1606.002 - SAML Tokens
T1136.002 - Domain Account
T1612 - Build Image on Host
T1547.002 - Authentication Package
T1556.009 - Conditional Access Policies
T1546.016 - Installer Packages
T1578.001 - Create Snapshot
T1490 - Inhibit System Recovery

MITREへのリンク →

Kimsuky

Score: 20.07

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1140 - Deobfuscate/Decode Files or Information
T1027.014 - Polymorphic Code
T1547.002 - Authentication Package
T1197 - BITS Jobs
T1008 - Fallback Channels
T1490 - Inhibit System Recovery

MITREへのリンク →

Moonstone Sleet

Score: 12.43

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1197 - BITS Jobs
T1027.007 - Dynamic API Resolution
T1547.008 - LSASS Driver

MITREへのリンク →

Indrik Spider

Score: 4.93

Matched TTPs:

T1606.002 - SAML Tokens
T1546.016 - Installer Packages

MITREへのリンク →

Lazarus Group

Score: 28.36

Matched TTPs:

T1606.002 - SAML Tokens
T1677 - Poisoned Pipeline Execution
T1059.008 - Network Device CLI
T1069.001 - Local Groups
T1547.002 - Authentication Package
T1546.016 - Installer Packages
T1055.005 - Thread Local Storage
T1578.001 - Create Snapshot
T1547.008 - LSASS Driver

MITREへのリンク →

Contagious Interview

Score: 10.72

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1021.006 - Windows Remote Management
T1547.008 - LSASS Driver

MITREへのリンク →

UNC3886

Score: 12.75

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1021.006 - Windows Remote Management
T1136.002 - Domain Account
T1578.001 - Create Snapshot

MITREへのリンク →

LuminousMoth

Score: 6.53

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1136.002 - Domain Account

MITREへのリンク →

Sandworm Team

Score: 14.61

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1005 - Data from Local System
T1140 - Deobfuscate/Decode Files or Information
T1547.002 - Authentication Package
T1546.016 - Installer Packages

MITREへのリンク →

Salt Typhoon

Score: 3.57

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

APT29

Score: 12.60

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1592.004 - Client Configurations
T1547.008 - LSASS Driver
T1490 - Inhibit System Recovery

MITREへのリンク →

Play

Score: 6.23

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1490 - Inhibit System Recovery

MITREへのリンク →

RedCurl

Score: 4.62

Matched TTPs:

T1606.002 - SAML Tokens
T1612 - Build Image on Host

MITREへのリンク →

Moses Staff

Score: 3.57

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

Ke3chang

Score: 9.59

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1102.002 - Bidirectional Communication
T1027.007 - Dynamic API Resolution

MITREへのリンク →

Mustang Panda

Score: 14.35

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1677 - Poisoned Pipeline Execution
T1612 - Build Image on Host
T1055.005 - Thread Local Storage

MITREへのリンク →

TeamTNT

Score: 6.59

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1612 - Build Image on Host

MITREへのリンク →

FIN7

Score: 20.13

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1140 - Deobfuscate/Decode Files or Information
T1011.001 - Exfiltration Over Bluetooth
T1547.002 - Authentication Package
T1027.007 - Dynamic API Resolution
T1578.001 - Create Snapshot
T1490 - Inhibit System Recovery

MITREへのリンク →

TA2541

Score: 4.43

Matched TTPs:

T1091 - Replication Through Removable Media
T1136.002 - Domain Account

MITREへのリンク →

Earth Lusca

Score: 8.73

Matched TTPs:

T1091 - Replication Through Removable Media
T1140 - Deobfuscate/Decode Files or Information
T1136.002 - Domain Account
T1546.016 - Installer Packages

MITREへのリンク →

LazyScripter

Score: 6.95

Matched TTPs:

T1091 - Replication Through Removable Media
T1136.002 - Domain Account
T1612 - Build Image on Host

MITREへのリンク →

Threat Group-3390

Score: 3.44

Matched TTPs:

T1091 - Replication Through Removable Media
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

SideCopy

Score: 6.11

Matched TTPs:

T1091 - Replication Through Removable Media
T1584.002 - DNS Server

MITREへのリンク →

BlackByte

Score: 9.46

Matched TTPs:

T1091 - Replication Through Removable Media
T1140 - Deobfuscate/Decode Files or Information
T1102.002 - Bidirectional Communication
T1027.007 - Dynamic API Resolution

MITREへのリンク →

APT32

Score: 16.15

Matched TTPs:

T1091 - Replication Through Removable Media
T1592.004 - Client Configurations
T1612 - Build Image on Host
T1027.014 - Polymorphic Code
T1027.007 - Dynamic API Resolution
T1490 - Inhibit System Recovery

MITREへのリンク →

HEXANE

Score: 4.37

Matched TTPs:

T1091 - Replication Through Removable Media
T1547.002 - Authentication Package

MITREへのリンク →

EXOTIC LILY

Score: 7.02

Matched TTPs:

T1091 - Replication Through Removable Media
T1612 - Build Image on Host
T1547.008 - LSASS Driver

MITREへのリンク →

APT42

Score: 8.12

Matched TTPs:

T1091 - Replication Through Removable Media
T1677 - Poisoned Pipeline Execution
T1612 - Build Image on Host

MITREへのリンク →

Ember Bear

Score: 7.77

Matched TTPs:

T1005 - Data from Local System
T1140 - Deobfuscate/Decode Files or Information
T1136.002 - Domain Account

MITREへのリンク →

Rocke

Score: 7.28

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1612 - Build Image on Host
T1008 - Fallback Channels

MITREへのリンク →

BackdoorDiplomacy

Score: 3.93

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1136.002 - Domain Account

MITREへのリンク →

Magic Hound

Score: 6.39

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1547.002 - Authentication Package
T1547.008 - LSASS Driver

MITREへのリンク →

Medusa Group

Score: 3.87

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1027.007 - Dynamic API Resolution

MITREへのリンク →

Sea Turtle

Score: 4.14

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1490 - Inhibit System Recovery

MITREへのリンク →

Storm-0501

Score: 11.97

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1218.015 - Electron Applications
T1027.014 - Polymorphic Code
T1102.002 - Bidirectional Communication

MITREへのリンク →

Fox Kitten

Score: 3.99

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1612 - Build Image on Host

MITREへのリンク →

ToddyCat

Score: 3.99

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1547.008 - LSASS Driver

MITREへのリンク →

Blue Mockingbird

Score: 6.61

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1027.014 - Polymorphic Code
T1027.007 - Dynamic API Resolution

MITREへのリンク →

Leviathan

Score: 7.05

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1027.014 - Polymorphic Code
T1546.016 - Installer Packages

MITREへのリンク →

INC Ransom

Score: 7.49

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1083 - File and Directory Discovery
T1027.007 - Dynamic API Resolution

MITREへのリンク →

Dragonfly

Score: 4.30

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1546.016 - Installer Packages

MITREへのリンク →

Axiom

Score: 6.01

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1160 - Launch Daemon

MITREへのリンク →

HAFNIUM

Score: 4.14

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1490 - Inhibit System Recovery

MITREへのリンク →

APT5

Score: 5.09

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1677 - Poisoned Pipeline Execution

MITREへのリンク →

MuddyWater

Score: 7.49

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1059.008 - Network Device CLI
T1547.002 - Authentication Package

MITREへのリンク →

APT39

Score: 6.27

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1547.002 - Authentication Package
T1027.007 - Dynamic API Resolution

MITREへのリンク →

BRONZE BUTLER

Score: 9.72

Matched TTPs:

T1592.004 - Client Configurations
T1578.001 - Create Snapshot
T1008 - Fallback Channels

MITREへのリンク →

Wizard Spider

Score: 9.64

Matched TTPs:

T1083 - File and Directory Discovery
T1556.009 - Conditional Access Policies
T1027.007 - Dynamic API Resolution

MITREへのリンク →

Inception

Score: 5.27

Matched TTPs:

T1612 - Build Image on Host
T1027.014 - Polymorphic Code

MITREへのリンク →

FIN6

Score: 7.44

Matched TTPs:

T1612 - Build Image on Host
T1027.007 - Dynamic API Resolution
T1547.008 - LSASS Driver

MITREへのリンク →

ZIRCONIUM

Score: 8.43

Matched TTPs:

T1547.002 - Authentication Package
T1197 - BITS Jobs
T1578.001 - Create Snapshot

MITREへのリンク →

Malteiro

Score: 3.62

Matched TTPs:

T1102.002 - Bidirectional Communication

MITREへのリンク →

Stealth Falcon

Score: 3.62

Matched TTPs:

T1556.009 - Conditional Access Policies

MITREへのリンク →

Chimera

Score: 4.99

Matched TTPs:

T1027.007 - Dynamic API Resolution
T1578.001 - Create Snapshot

MITREへのリンク →

Velvet Ant

Score: 9.20

Matched TTPs:

T1027.007 - Dynamic API Resolution
T1490 - Inhibit System Recovery
T1566.003 - Spearphishing via Service

MITREへのリンク →

CURIUM

Score: 5.12

Matched TTPs:

T1578.001 - Create Snapshot
T1547.008 - LSASS Driver

MITREへのリンク →

RTM

Score: 3.29

Matched TTPs:

T1008 - Fallback Channels

MITREへのリンク →

Patchwork

Score: 3.29

Matched TTPs:

T1008 - Fallback Channels

MITREへのリンク →

このPulseに関連する脅威アクター (推論ベース)

Lazarus Group

Score: 0.79

Matched TTPs:

T1677 - Poisoned Pipeline Execution
T1606.002 - SAML Tokens
T1546.016 - Installer Packages
T1547.008 - LSASS Driver
T1055.005 - Thread Local Storage
T1059.008 - Network Device CLI
T1069.001 - Local Groups
T1547.002 - Authentication Package
T1578.001 - Create Snapshot

MITREへのリンク →

Turla

Score: 0.75

Matched TTPs:

T1606.002 - SAML Tokens
T1612 - Build Image on Host
T1546.016 - Installer Packages
T1552.005 - Cloud Instance Metadata API
T1136.002 - Domain Account
T1490 - Inhibit System Recovery
T1556.009 - Conditional Access Policies
T1547.002 - Authentication Package
T1578.001 - Create Snapshot

MITREへのリンク →

FIN7

Score: 0.64

Matched TTPs:

T1606.002 - SAML Tokens
T1011.001 - Exfiltration Over Bluetooth
T1091 - Replication Through Removable Media
T1027.007 - Dynamic API Resolution
T1490 - Inhibit System Recovery
T1140 - Deobfuscate/Decode Files or Information
T1547.002 - Authentication Package
T1578.001 - Create Snapshot

MITREへのリンク →

Scattered Spider

Score: 0.63

Matched TTPs:

T1666 - Modify Cloud Resource Hierarchy
T1197 - BITS Jobs
T1560.003 - Archive via Custom Method
T1083 - File and Directory Discovery
T1136.002 - Domain Account
T1218.015 - Electron Applications

MITREへのリンク →

OilRig

Score: 0.61

Matched TTPs:

T1592.002 - Software
T1606.002 - SAML Tokens
T1005 - Data from Local System
T1547.008 - LSASS Driver
T1552.005 - Cloud Instance Metadata API
T1091 - Replication Through Removable Media
T1556.009 - Conditional Access Policies

MITREへのリンク →

Kimsuky

Score: 0.56

Matched TTPs:

T1606.002 - SAML Tokens
T1197 - BITS Jobs
T1091 - Replication Through Removable Media
T1490 - Inhibit System Recovery
T1140 - Deobfuscate/Decode Files or Information
T1027.014 - Polymorphic Code
T1008 - Fallback Channels
T1547.002 - Authentication Package

MITREへのリンク →

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクターグラフ

← Pulse一覧に戻る