Malvertising Campaign Targets Brazil’s PIX Payment System with GoPIX Malware

GoPIX Malware

The popularity of Brazil PIX The instant payment system makes it a lucrative target for threat actors looking to generate ill-gotten gains using a new malware called GoPIX.

Kaspersky, which has been tracking the active campaign since December 2022, said that the attacks were carried out using malicious ads that were served when potential victims searched for “WhatsApp web” in search engines.

“Cybercriminals use malvertising: their links are placed in the ad section of search results, so the user sees them first,” the Russian cybersecurity vendor SAYS. “When they click on such a link, a redirect follows, with the user ending up on the malware’s landing page.”

As observed in other malvertising campaigns recently, users who click on the ad are redirected through a cloaking service aimed at filtering out sandboxes, bots, etc. considered real victims.

This is done by using a legitimate fraud prevention solution known as IPQualityScore to determine whether the site visitor is a human or a bot. Users who pass the check are shown a fake WhatsApp download page to trick them into downloading a malicious installer.

In an interesting twist, the malware can be downloaded from two different URLs depending on whether port 27275 is open on the user’s machine.


“This port is used by Avast secure banking software,” Kaspersky explained. “If this software is detected, a ZIP file will be downloaded containing an LNK file embedding an obfuscated PowerShell script that downloads the next stage.”

If the port is closed, the NSIS installer package will be downloaded directly. This indicates that additional guardrails are clearly in place to bypass security software and deliver malware.

The main purpose of the installer is to extract and launch the GoPIX malware using a technique called excavation process by starting with svchost.exe The Windows system process is in a suspended state and injects its payload.

GoPIX acts as a clipboard stealer malware that hijacks PIX payment requests and replaces them with an attacker-controlled PIX string, extracted from the command-and-control (C2) server.

“The malware also supports changing Bitcoin and Ethereum wallet addresses,” Kaspersky said. “However, this is hardcoded into the malware and is not removed from the C2. The GoPIX can also receive C2 commands, but this is only related to removing malware from the machine.”

This is not the only campaign to target users who search for messaging apps such as WhatsApp and Telegram in search engines.

In a new set of attacks concentrated in the Hong Kong region, fake ads in Google search results were found to redirect users to fraudulent-looking pages which encourages users to scan a QR code to connect their devices.

“The issue here is that the QR code you’re scanning is from a malicious site that has nothing to do with WhatsApp,” Jérôme Segura, director of threat intelligence at Malwarebytes, SAYS in a Tuesday report.

As a result, the threat actor’s device will be linked to the victim’s WhatsApp accounts, giving the malicious party complete access to their chat histories and saved contacts.

Malwarebytes said it also discovered a similar campaign that used Telegram as a lure to lure users into downloading a fake installer from a Google Docs page containing the content. malware injector.

The development comes as Proofpoint unveils a new version of the Brazilian bank Trojan Victims in Mexico and Spain were called Grandoreiro, describing the activity as “unusual in frequency and volume.”


The business security company has attributed the campaign of a threat actor it tracked as TA2725, known for using Brazilian banking malware and phishing to target various entities in Brazil and Mexico.

The targeting of Spain points to a trend of Latin American-focused malware increasingly turning their sights on Europe. In May, SentinelOne uncovered a long-running campaign by a Brazilian threat actor to target more than 30 Portuguese banks with malware.

Meanwhile, information thieves are thriving in the cybercrime economy, with crimeware authors flooding the underground market with malware-as-a-service (MaaS) offerings that give cybercriminals a convenient and cost-effective way to conduct attacks.

Additionally, such tools lower the barrier to entry for aspiring threat actors who may lack technical expertise themselves.

The latest to join the stealer ecosystem is Lumar, which was first advertised by a user named Collector on cybercrime forums, marketing its capabilities to capture Telegram sessions, harvest cookies on browser and passwords, extracting files, and extracting data from crypto wallets.

“Despite having all these functions, the malware is small in terms of size (only 50 KB), which is partly due to the fact that it is written in C,” said Kaspersky.

“Emerging malware is often advertised on the dark web among less skilled criminals, and distributed as MaaS, allowing its authors to get rich quickly and repeatedly endanger the legitimate organization.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment