Amavaldo banking Trojan is a hacking tool that has been pretty much used to target users based in Brazil exclusively. However, since June 2019 it would appear that its operators have decided to expand their reach and begin launching campaigns in Chile and Mexico as well.
The authors of Amavaldo Trojan stick to the tried and tested propagation method of spam email campaigns. The emails would contain an attachment, and the message would urge the user to open it because it is 'important.' In some of the campaigns, the creators of the Amavaldo disguised the attachment as a seemingly legitimate Microsoft Office Document, while in others there will be a '.MSI' file attached that poses as an update for an Adobe tool. The final malicious payload of Amavaldo arrives as a ZIP archive that contains three components - a copy of a legit application, an injector, and the encrypted Trojan itself. The injector self-injects Windows Media Player or Internet Explorer processes through DLL sideloading.
A malicious MSI installer with an embedded file containing a VBS downloader was used in the campaign that targeted Brazil. The VBS downloader produced a second VBS downloader, which abused the Windows Management Instrumentation Command-line (WMIC) to push an XSL containing PowerShell, which in turn, downloaded Amavaldo as a final step. The campaigns targeting Mexican banking websites used a different MSI installer that had an embedded Windows executable file that acted as a downloader. In these cases, users also through they were downloading Acrobat Reader DC, while the malicious attachments to the spam emails were disguised as CV documents.
As a self-preservation technique, the Amavaldo banking Trojan's code is heavily obfuscated. Malware authors often do this so that their creations may bypass the checks anti-malware applications and make it more difficult for cybersecurity researchers to dissect their threat. The Amavaldo Trojan also scans the infected host for any potential presence of banking security tools, which may prevent them from executing their plan.
Once Amavaldo Trojan has ensured that nothing stands in its way, it will get to work. This threat is able to scan the opened windows and tabs of the user looking for certain online banking portals. If Amavaldo detects that the victim is browsing one of the banking portals that the Trojan is meant to target, it will take a screenshot of the active Web browser tab. The screenshot is then set as a wallpaper, and the Web browser is minimized. In the meantime, the Amavaldo malware will disable commonly used keyboard shortcuts and display a bogus pop-up window that contains a tailored login prompt that uses the styling and interface of the banking portal that the user was trying to access.
Apart from this, Amavaldo banking Trojan also can:
- Use the webcam
- Download and execute files
- Launch a keylogger
- Control the cursor
- Modify the keyboard's input
- Take screenshots
- Restrict access to legitimate banking websites
Unless you are tech-savvy or have had dealings with banking Trojans before, it is likely that you may not notice the trickery of the Amavaldo Trojan. Therefore, it is crucial to have a reputable anti-virus software suite installed on your system, which will likely sniff out threats like the Amavaldo banking Trojan and remove them swiftly.