Caja

Malware

⚠️ Overview

Caja is a banking trojan first documented in early 2014 by security researchers at Kaspersky Lab, attributed to the Brazilian cybercriminal group known as "Banco do Brasil" actors. It is categorized as a financial malware designed to steal online banking credentials and perform man-in-the-browser attacks against Latin American financial institutions, particularly in Brazil.

🔧 Technical Capabilities

Caja employs a modular architecture: it injects malicious code into browser processes (typically Internet Explorer and Chrome) to intercept and modify HTTP/HTTPS traffic during banking sessions. It uses a command-and-control (C2) infrastructure over HTTP with encryption; the malware communicates with remote servers using a custom protocol that includes base64-encoded payloads. Persistence is achieved through a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include checking for virtual machine environments (e.g., VMware, VirtualBox) and terminating analysis tools such as Process Explorer. Caja spreads via spear-phishing emails with malicious attachments (often DOC or XLS files with macros) and by exploiting known vulnerabilities in outdated browser plugins. It also features a web-inject system that dynamically replaces legitimate banking page content with fake fields to capture two-factor authentication tokens.

📜 History & Notable Incidents

First observed in the wild in early 2014, Caja was involved in a major campaign targeting customers of Banco do Brasil and Caixa Econômica Federal in mid-2014, leading to estimated losses of millions of Brazilian Reais. In 2015, the malware evolved to include a SOCKS proxy module to bypass banking IP restrictions. No specific CVEs are directly attributed to Caja, but it often leverages CVE-2012-0158 (Microsoft Office memory corruption) for initial infection via malicious documents. Law enforcement action is limited; however, Brazilian Federal Police conducted an operation in 2018 that disrupted a related phishing ring.

🔍 Detection Indicators

Known file hashes for Caja variants include MD5 3e7c8c... (partial; the exact hash varies by variant). Behavioral signatures include injection into iexplore.exe and chrome.exe processes with specific byte patterns, and network indicators include User-Agent strings such as "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" used for C2 HTTP requests. The string CajaUpdate, used as the name of the registry persistence entry, is also a common mutex name. Network IOCs include C2 domains under the .tk and .ml TLDs, with server IPs frequently hosted in Brazilian and Paraguayan datacenters.
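The following is an added example, not code from the page or from any vendor, showing how the indicators above can be turned into a low-noise detection over web-proxy logs, together with a check of HKCU Run entries for the persistence name from the Technical Capabilities section. The log format, the log lines, the hostnames and the Run entries are all constructed for the example. One caveat worth building in: the quoted User-Agent string is also the standard User-Agent of Internet Explorer 11 on Windows 7, so by itself it matches a great deal of legitimate traffic; the example therefore only alerts when the User-Agent coincides with a request to a .tk or .ml host.

```python
"""Added detection example for the Caja indicators listed on this page.

Everything below (log format, log lines, hostnames, Run entries) is constructed
for illustration; only the indicator values come from the page text.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# User-Agent reported for Caja C2 requests. It is also the legitimate IE11 /
# Windows 7 User-Agent, so it is treated as weak evidence on its own.
CAJA_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"

# TLDs reported for Caja C2 domains.
C2_TLDS = (".tk", ".ml")

# Name of the persistence entry under HKCU\...\Run reported on the page.
CAJA_RUN_VALUE = "CajaUpdate"

# Assumed (constructed) proxy log format: <timestamp> <client> <host> <path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one proxy log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def score_request(rec: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score a parsed request: 1 point for the UA match, 2 for a .tk/.ml host."""
    score, reasons = 0, []
    if rec["ua"] == CAJA_UA:
        score += 1
        reasons.append("ua-match")
    if rec["host"].lower().rstrip(".").endswith(C2_TLDS):
        score += 2
        reasons.append("c2-tld")
    return score, reasons


def scan_proxy_log(lines: Iterable[str], threshold: int = 3) -> List[Dict[str, object]]:
    """Return one alert per request whose score reaches the threshold.

    With the default threshold both indicators must be present, which keeps
    ordinary IE11 traffic and ordinary .tk/.ml browsing out of the alert list.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole scan
        score, reasons = score_request(rec)
        if score >= threshold:
            alerts.append({"client": rec["client"], "host": rec["host"],
                           "path": rec["path"], "score": score, "reasons": reasons})
    return alerts


def check_run_entries(entries: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the value names among HKCU Run entries that match the Caja name.

    `entries` is a list of (value_name, command) pairs, e.g. as exported from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run by an EDR agent.
    """
    return [name for name, _ in entries if name.lower() == CAJA_RUN_VALUE.lower()]


# Constructed sample data: one benign IE11 banking request, one request that
# matches both indicators, one .ml request from a non-matching browser, and
# one malformed line.
SAMPLE_LOG = [
    '2014-06-12T10:01:02Z 10.0.0.5 bank.example /login "' + CAJA_UA + '"',
    '2014-06-12T10:01:09Z 10.0.0.5 c2-placeholder.tk /gate.php "' + CAJA_UA + '"',
    '2014-06-12T10:02:00Z 10.0.0.7 cdn.example.ml /img.png "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"',
    'this line is not in the expected format',
]

SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("CajaUpdate", r"C:\Users\user\AppData\Roaming\svc\upd.exe"),  # constructed
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print("ALERT", alert)
    print("Suspicious Run entries:", check_run_entries(SAMPLE_RUN_ENTRIES))
```

Lowering `threshold` to 2 would also alert on any .tk/.ml host, which is a reasonable hunting query but far too noisy for automated blocking; the scoring split keeps that choice explicit.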

☠️ Risk & Impact

Caja causes direct financial losses by draining bank accounts through unauthorized transfers and fraudulent purchases. It primarily affects individuals and small businesses in Brazil and other Latin American countries, with the banking sector being the most targeted industry. Data exfiltration includes stolen credentials, session cookies, and one-time password tokens, leading to complete account takeover.

🛡️ Mitigation

Defensive measures include enabling macro-blocking in Microsoft Office, using web-filtering solutions to block known C2 domains, and deploying endpoint detection rules that flag browser injection behavior. Recommended tools are anti-malware platforms such as Kaspersky and Malwarebytes which include Caja-specific signatures, along with keeping browsers and plugins patched against known vulnerabilities.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.