Bancos (Malware)
⚠️ Overview
Bancos is a family of banking trojans first documented in 2012 by Kaspersky Lab, predominantly targeting financial institutions in Brazil and other Latin American countries. Categorised as an information stealer and keylogger, it is attributed to Portuguese-speaking cybercriminal groups operating under the umbrella of the "Banload" or "Bancos" malware-as-a-service ecosystem.
🔧 Technical Capabilities
Bancos trojans propagate via malicious email attachments, exploit kits (e.g., Angler, Rig), and drive-by downloads. Once executed, the trojan injects code into browser processes using AppInit_DLLs or SetWindowsHookEx for keystroke logging and form grabbing. It employs a custom command-and-control (C2) protocol over HTTP with encrypted payloads; C2 servers are often hosted on compromised WordPress sites. Persistence is achieved via registry Run keys and scheduled tasks. Evasion includes obfuscation through packers (UPX, ASPack) and dynamic API resolution to bypass static detection. It also kills competing malware and terminates security software processes.
📜 History & Notable Incidents
First observed in 2012, Bancos variants surged in 2015–2016 targeting Banco do Brasil, Caixa Econômica Federal, and Bradesco customers. In 2017, a variant named Bancos-G exploited CVE-2017-0199 (Microsoft Office RCE) via malicious RTF documents. Law enforcement actions include the 2016 "Operation Viper" by Brazilian Federal Police, which arrested several operators linked to the family.
🔍 Detection Indicators
Indicators of compromise (IOCs) include file hashes such as MD5 e1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6 (common variant) and persistence via the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Bancos. Network IOCs feature User-Agent strings like "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" and C2 domains using .com.br TLDs. Behavioral signatures include hooking of NtWriteVirtualMemory and NtUserGetMessage.
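The following is an added example, not code from the Boteraser page or from any published Bancos analysis. It correlates the network and persistence indicators listed above over constructed, offline sample data, and also serves the network-monitoring point in the Mitigation section. The proxy log format, the hostnames, the `reg query`-style export and the second Run entry are assumptions made for illustration. Two caveats drive the design: the User-Agent string above is an ordinary Firefox 45 string and .com.br is a legitimate national TLD, so either indicator alone will match benign traffic; the scorer therefore only alerts when at least two independent indicators coincide on one request.

```python
"""Added example (not from the Boteraser page): correlate the Bancos
indicators listed above over constructed sample data.

Assumptions (not from the page): the proxy log layout, the hostnames,
the registry export text and the OneDrive entry used as a benign control."""
import re
from collections import namedtuple

# Indicators taken from the page.
BANCOS_UA = "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
C2_TLD = ".com.br"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Bancos"

# Constructed proxy log. Assumed layout: ts client method host path "user-agent".
# Only the second line carries both network indicators; lines 3 and 4 carry one each.
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-05-01T10:00:07Z 10.0.0.5 POST c2-placeholder.com.br /wp-content/uploads/gate.php "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
2024-05-01T10:00:09Z 10.0.0.9 GET news-placeholder.com.br /home "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-05-01T10:00:12Z 10.0.0.7 GET www.example.org / "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
"""

# Constructed output in the style of `reg query <key>`; the OneDrive line is a
# benign control, the Bancos line is the persistence value named on the page.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
    Bancos    REG_SZ    C:\Users\user\AppData\Roaming\svchost.exe
"""

Request = namedtuple("Request", "ts client method host path user_agent")
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "(.*)"$')
REG_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_proxy_line(line):
    """Parse one assumed-format proxy line; return None for malformed lines."""
    m = PROXY_RE.match(line)
    return Request(*m.groups()) if m else None


def score_request(req):
    """Return the list of Bancos network indicators a single request matches."""
    reasons = []
    if req.user_agent == BANCOS_UA:
        reasons.append("user-agent matches Bancos indicator")
    if req.host.lower().endswith(C2_TLD):
        reasons.append("destination under .com.br TLD")
    return reasons


def find_suspicious_requests(log_text, min_indicators=2):
    """Flag requests matching at least min_indicators independent indicators.

    The default of 2 keeps a lone Firefox 45 UA or a lone .com.br host from
    raising an alert on its own."""
    hits = []
    for line in log_text.splitlines():
        req = parse_proxy_line(line)
        if req is None:
            continue
        reasons = score_request(req)
        if len(reasons) >= min_indicators:
            hits.append((req.client, req.host, reasons))
    return hits


def find_run_key_persistence(reg_text, value_name=RUN_VALUE):
    """Return (name, data) for Run-key values whose name matches the indicator."""
    hits = []
    for line in reg_text.splitlines():
        m = REG_VALUE_RE.match(line)
        if m and m.group(1).lower() == value_name.lower():
            hits.append((m.group(1), m.group(3).strip()))
    return hits


if __name__ == "__main__":
    for client, host, reasons in find_suspicious_requests(SAMPLE_PROXY_LOG):
        print(f"ALERT {client} -> {host}: {'; '.join(reasons)}")
    for name, data in find_run_key_persistence(SAMPLE_REG_QUERY):
        print(f"PERSISTENCE {RUN_KEY}\\{name} = {data}")
```

Lowering `min_indicators` to 1 shows why the threshold matters: it also flags the benign Brazilian news site and the ordinary Firefox 45 client. In a real deployment the Run-key check would read the live hive (for example with `reg query` or the `winreg` module) rather than the constructed export, and the host match should be joined with additional signals from the page such as the NtWriteVirtualMemory/NtUserGetMessage hooks reported by endpoint telemetry.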
☠️ Risk & Impact
Bancos causes direct financial theft by intercepting online banking credentials and performing automatic transfers. A 2018 report by the Brazilian Federation of Banks estimated losses of over $50 million attributable to this family. Affected sectors are primarily retail banking and e-commerce in Brazil, with spillover into Mexico and Peru.
🛡️ Mitigation
Defenders should enable application control to block unsigned binaries, deploy endpoint detection rules for process injection (MITRE ATT&CK T1055), and implement network monitoring for suspicious HTTP C2 traffic. Keep Office software patched against CVE-2017-0199 and use web filtering to block known exploit kit domains.