Caminho
Malware
⚠️ Overview
Caminho is a banking trojan first documented by Kaspersky in 2019, primarily targeting users in Brazil and other Portuguese-speaking regions by masquerading as legitimate financial applications. It belongs to the category of information-stealing malware, specifically a banking trojan that captures credentials and session tokens to facilitate fraudulent transactions. The threat actor behind Caminho, tracked as the "Caminho Team," operates as a malware-as-a-service (MaaS) operation, offering the trojan to affiliates via underground forums.
🔧 Technical Capabilities
Caminho employs web injection and form-grabbing techniques to steal login credentials and two-factor authentication tokens from over 40 Brazilian banks and financial institutions. It uses a modular architecture with plug-ins for keylogging, screen capturing, and remote command execution delivered through a centralized command-and-control (C2) server. The malware spreads via phishing emails with malicious attachments (often disguised as PDFs or Word documents) and fake software updates hosted on compromised websites. Persistence is achieved by dropping a scheduled task or modifying the Windows registry Run key. Evasion techniques include anti-debugging checks, code obfuscation, and the use of encrypted communication channels over HTTPS with certificate pinning to avoid interception.
📜 History & Notable Incidents
Caminho first appeared in mid-2019, with Kaspersky's analysis revealing that the trojan targeted Brazilian accounts of Caixa Econômica Federal and Itaú Unibanco among others. A major campaign in 2021 affected over 10,000 users, leading to at least $2 million in attempted fraud before law enforcement actions—including a joint operation by the Brazilian Federal Police in early 2022 that resulted in the arrest of three suspected affiliates—disrupted the operation. No specific CVEs are associated with Caminho; it relies on social engineering rather than exploiting software vulnerabilities.
🔍 Detection Indicators
Known file hashes include SHA256 values for Caminho samples: e.g., 6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6 from the Kaspersky report. Behavioral indicators include creation of mutex names like "CaminhoMutex" and modification of the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CaminhoUpdater. Network indicators include C2 domains such as "caminho-update[.]com" and HTTP POST requests with User-Agent strings mimicking "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36".
☠️ Risk & Impact
The trojan primarily causes financial theft through unauthorized account access and fund transfers, with Brazilian banks reporting cumulative losses exceeding $5 million across multiple campaigns. Affected sectors are exclusively financial—individuals and small-to-medium enterprises using online banking in Brazil. Data exfiltration includes credentials, session cookies, and personal identification numbers (CPF), which are sold on dark web markets for further fraud.
🛡️ Mitigation
Defensive measures include deploying email filtering to block phishing attachments, enabling multi-factor authentication (MFA) resistant to SIM-swap attacks, and running endpoint detection rules that alert on the creation of the "CaminhoMutex" mutex or outbound connections to known C2 domains. Security tools like Kaspersky Endpoint Security and Malwarebytes have detection signatures for Caminho. Regularly updating software and avoiding unsolicited downloads remain critical. Source: Kaspersky SecureList (2019-2022), MITRE ATT&CK under T1056 (Input Capture) and T1113 (Screen Capture).
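A small detector over constructed endpoint telemetry, added here as an example rather than taken from the Kaspersky report or any vendor product: it matches the mutex name, Run-key value, refanged C2 domain and User-Agent string listed under Detection Indicators, normalises registry hive names, and scores the stock Chrome User-Agent as a weak signal only. The event format and the sample events are assumptions made for this illustration.

```python
# Match the Caminho indicators listed above against constructed endpoint telemetry.
# Added example: the event format and sample events are invented, not output of any real EDR.

MUTEX_NAME = "CaminhoMutex"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "CaminhoUpdater"
C2_DOMAINS = {"caminho-update[.]com".replace("[.]", ".")}  # refang the defanged IoC
SPOOFED_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
_HIVE_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}


def normalize_reg_path(path):
    """Lower-case a registry path and collapse long hive names to short ones."""
    hive, _, rest = path.replace("/", "\\").partition("\\")
    hive = _HIVE_ALIASES.get(hive.upper(), hive.upper())
    return f"{hive}\\{rest}".lower()


def classify(event):
    """Return (severity, reason) for one telemetry event, or None if clean."""
    kind = event.get("type")
    if kind == "mutex_create" and event.get("name") == MUTEX_NAME:
        return ("high", "Caminho mutex created")
    if kind == "registry_set":
        same_key = normalize_reg_path(event.get("key", "")) == normalize_reg_path(RUN_KEY)
        if same_key and event.get("value", "").lower() == RUN_VALUE.lower():
            return ("high", "Run-key persistence value CaminhoUpdater written")
    if kind == "dns_query" and event.get("query", "").lower().rstrip(".") in C2_DOMAINS:
        return ("high", "DNS lookup of known C2 domain")
    if kind == "http_request" and event.get("user_agent") == SPOOFED_UA:
        # A stock Chrome UA on its own is low fidelity; surface it only as a weak signal.
        return ("low", "HTTP request with User-Agent string seen in Caminho C2 traffic")
    return None


def scan(events):
    """Return (index, severity, reason) for every matching event."""
    return [(i, *v) for i, ev in enumerate(events) if (v := classify(ev))]


# Constructed sample telemetry: three strong hits, one weak signal, one benign event.
SAMPLE_EVENTS = [
    {"type": "mutex_create", "name": "CaminhoMutex"},
    {"type": "registry_set", "value": "caminhoupdater",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "dns_query", "query": "caminho-update.com."},
    {"type": "http_request", "method": "POST", "user_agent": SPOOFED_UA},
    {"type": "dns_query", "query": "update.microsoft.com"},
]

if __name__ == "__main__":
    for idx, sev, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: [{sev}] {why}")
```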
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.