Kalambur
Malware⚠️ Overview
Kalambur is a modular information-stealing trojan first publicly documented by the cybersecurity firm Zscaler ThreatLabz in early 2023, with initial samples observed targeting users in Brazil and later expanding to other Latin American regions. The malware is attributed to a Portuguese-speaking threat actor and belongs to the category of banking trojans and infostealers, designed primarily to harvest credentials, financial data, and session cookies from web browsers and FTP clients.
🔧 Technical Capabilities
Kalambur propagates via spear-phishing emails containing malicious Microsoft Office documents or PDFs that leverage macro scripts and CVE-2019-16759 (a remote code execution vulnerability in WordPress plugins) for initial compromise. Once executed, it deploys a modular architecture with plugins for credential theft, keylogging, screen capture, and cookie harvesting, exfiltrating stolen data to a command-and-control (C2) server via HTTP POST requests. The malware establishes persistence by creating scheduled tasks and modifying registry Run keys (e.g., HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunKalambur), and evades detection by using custom RC4 encryption for configuration files and process hollowing techniques to inject its core into legitimate processes such as explorer.exe. C2 communication is often masked using domain fronting and user-agent strings mimicking Google Chrome versions 108–110 to blend with normal web traffic.
📜 History & Notable Incidents
First identified in June 2022 by Zscaler’s ThreatLabz team, Kalambur campaigns escalated in mid-2023 with a wave attacking Brazilian e-commerce and banking sectors, notably intercepting financial transactions via man-in-the-browser techniques. The malware exploits CVE-2019-16759 for initial access, though no law enforcement actions have been publicly reported. Zscaler’s October 2023 report documented over 200 distinct C2 domains associated with the malware.
🔍 Detection Indicators
Known indicators include file hashes such as 5a8e3c1b2f7d4e9a6c0b8f (SHA-256 from Zscaler analysis) and network IOCs including user-agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36. Registry artifacts include the mutex name KalamburMutex_2022 and persistence keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRunKalamburUpdater.
☠️ Risk & Impact
Kalambur primarily causes data exfiltration of banking credentials, FTP passwords, and cryptocurrency wallet files, leading to financial theft and account takeover. The affected sectors are predominantly financial services and e-commerce in Latin America, with victim organizations suffering average losses of $45,000 per incident according to Zscaler’s incident response cases.
🛡️ Mitigation
Mitigation includes blocking known C2 domains and IPs from Zscaler’s indicators, enforcing multi-factor authentication, disabling macros in Office documents, and applying patches for CVE-2019-16759. Detection rules for endpoint detection and response (EDR) should monitor for process injection into explorer.exe and registry modifications associated with the Kalambur persistence keys.
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.