Users in Brazil are the target of a new banking trojan known as CHAVECLOAK that’s propagated via phishing emails bearing PDF attachments.

“This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final malware,” Fortinet FortiGuard Labs researcher Cara Lin said.

The attack chain involves the use of contract-themed DocuSign lures to trick users into opening PDF files containing a button to read and sign the documents.

In reality, clicking the button leads to the retrieval of an installer file from a remote link that’s shortened using the Goo.su URL shortening service.

Present within the installer is an executable named “Lightshot.exe” that leverages DLL side-loading to load “Lightshot.dll,” which is the CHAVECLOAK malware that facilitates the theft of sensitive information.

This includes gathering system metadata and running checks to determine whether the compromised machine is located in Brazil and, if so, periodically monitoring the foreground window to compare it against a predefined list of bank-related strings.

If it matches, a connection is established with a command-and-control (C2) server and proceeds to harvest various kinds of information and exfiltrate them to distinct endpoints on the server depending on the financial institution.

“The malware facilitates various actions to steal a victim’s credentials, such as allowing the operator to block the victim’s screen, log keystrokes, and display deceptive pop-up windows,” Lin said.

“The malware actively monitors the victim’s access to specific financial portals, including several banks and Mercado Bitcoin, which encompasses both traditional banking and cryptocurrency platforms.”

Fortinet said it also uncovered a Delphi variant of CHAVECLOAK, once again highlighting the prevalence of Delphi-based malware targeting Latin America.

“The emergence of the CHAVECLOAK banking Trojan underscores the evolving landscape of cyberthreats targeting the financial sector, specifically focusing on users in Brazil,” Lin concluded.

The findings come amid an ongoing mobile banking fraud campaign against the U.K., Spain, and Italy that entails using smishing and vishing (i.e., SMS and voice phishing) tactics to deploy an Android malware called Copybara with the goal of performing unauthorized banking transfers to a network of bank accounts operated by money mules.

“TAs [Threat actors] have been caught using a structured way of managing all the ongoing phishing campaigns via a centralized web panel known as ‘Mr. Robot,'” Cleafy said in a report published last week.

“With this panel, TAs can enable and manage multiple phishing campaigns (against different financial institutions) based on their needs.”

The C2 framework also allows attackers to orchestrate tailored attacks on distinct financial institutions using phishing kits that are engineered to mimic the user interface of the targeted entity, while also adopting anti-detection methods via geofencing and device fingerprinting to limit connections only from mobile devices.

The phishing kit – which serves as a fake login page – is responsible for capturing retail banking customer credentials and phone numbers and sending the details to a Telegram group.

Some of the malicious infrastructure used for the campaign is designed to deliver Copybara, which is managed using a C2 panel named JOKER RAT that displays all the infected devices and their geographical distribution over a live map.

It also allows the threat actors to remotely interact in real-time with an infected device using a VNC module, in addition to injecting fake overlays on top of banking apps to siphon credentials, logging keystrokes by abusing Android’s accessibility services, and intercepting SMS messages.

On top of that, JOKER RAT comes with an APK builder that makes it possible to customize the rogue app’s name, package name, and icons.

“Another feature available inside the panel is the ‘Push Notification,’ probably used to send to the infected devices fake push notifications that look like a bank notification to entice the user to open the bank’s app in such a way that the malware can steal credentials,” Cleafy researchers Francesco Iubatti and Federico Valentini said.

The growing sophistication of on-device fraud (ODF) schemes is further evidenced by a recently disclosed TeaBot (aka Anatsa) campaign that managed to infiltrate the Google Play Store under the guise of PDF reader apps.

“This application serves as a dropper, facilitating the download of a banking trojan of the TeaBot family through multiple stages,” Iubatti said. “Before downloading the banking trojan, the dropper performs advanced evasion techniques, including obfuscation and file deletion, alongside multiple checks about the victim countries.”