After receiving quite a large amount of malspam with similar messages in my honeypots this week, I decided to dedicate some time to analyzing what it was about. To my surprise, after peeling off multiple encoding layers protecting the malware's core (it felt like peeling an onion), I finally found a sophisticated and well-structured banker malware capable of stealing victims' credentials for at least 10 of the biggest Brazilian public and private banks and other financial institutions. Additionally, it can also steal locally stored browser, SSH and FTP credentials. The main malware capabilities include a privilege escalation attempt using MS16-032 exploitation; an HTTP proxy to intercept banking transactions; a backdoor that makes it possible for the attacker to issue arbitrary remote commands; and C&C through an IRC channel. As it is identified as a "Generic Trojan" by most VirusTotal (VT) engines, let's name it "EngineBox", the core malware class I saw after reverse engineering it.
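The "peeling an onion" step above is the part of such an analysis that is easiest to automate. The following is an added example (not code from the pulse or from the original analysis) of a generic layer-peeler that keeps decoding a blob until no known encoding applies. The layer types it tries (gzip, zlib, base64, hex) and the sample payload are assumptions chosen for illustration; the page does not say which encodings EngineBox actually used.

```python
import base64
import binascii
import zlib
import gzip

# Added example, not from the original analysis. Which encodings a real
# dropper stacks is unknown here; gzip/zlib/base64/hex are assumed for
# illustration. Each decoder returns bytes on success or None on failure.

HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


def _try_gzip(data: bytes):
    # Only attempt when the gzip magic is present, to avoid false positives.
    if not data.startswith(b"\x1f\x8b"):
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None


def _try_zlib(data: bytes):
    # zlib validates its 2-byte header, so random text fails cleanly.
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None


def _try_hex(data: bytes):
    # Hex is checked before base64 because every hex string is also
    # syntactically valid base64, but not the other way round.
    stripped = b"".join(data.split())
    if not stripped or len(stripped) % 2 or not set(stripped) <= HEX_DIGITS:
        return None
    return bytes.fromhex(stripped.decode("ascii"))


def _try_base64(data: bytes):
    stripped = b"".join(data.split())
    if not stripped or len(stripped) % 4:
        return None
    try:
        out = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None
    return out or None


# Order matters: binary containers with magic/headers first, text encodings last.
DECODERS = [
    ("gzip", _try_gzip),
    ("zlib", _try_zlib),
    ("hex", _try_hex),
    ("base64", _try_base64),
]


def peel(blob: bytes, max_layers: int = 16):
    """Strip encoding layers until nothing applies.

    Returns (list of layer names in the order removed, innermost bytes).
    max_layers guards against a decoder that keeps 'succeeding' on its own output.
    """
    layers = []
    current = blob
    for _ in range(max_layers):
        for name, decode in DECODERS:
            out = decode(current)
            if out is not None and out != current:
                layers.append(name)
                current = out
                break
        else:
            break  # no decoder matched: we have reached the core
    return layers, current


def build_sample() -> bytes:
    """Constructed sample: payload wrapped as zlib -> base64 -> hex -> base64.

    This is synthetic test data, not a capture from the malware.
    """
    payload = b"cmd.exe /c whoami"
    layer1 = zlib.compress(payload)
    layer2 = base64.b64encode(layer1)
    layer3 = layer2.hex().encode("ascii")
    return base64.b64encode(layer3)


SAMPLE_BLOB = build_sample()

if __name__ == "__main__":
    names, core = peel(SAMPLE_BLOB)
    print("layers removed:", " -> ".join(names))
    print("core payload  :", core)
```

The outer-to-inner order recorded in the returned list is what you would note in a report; stopping on the first decoder that changes the data (rather than trying all of them) keeps the peeler from mangling a final payload that happens to look like valid base64.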
Created: 2026-02-23
No indicators found.
No CVEs were found in this Pulse.