GoPIX Malware
GoPIX is threatening software specifically engineered to compromise the Pix instant payment platform. In essence, this malware functions as a clipper that redirects transactions conducted through the Pix platform. It also operates as a conventional cryptocurrency clipper, extending its scope to cryptocurrency transactions.
GoPIX has been in circulation since at least December 2022. Given that Pix is a payment platform established and overseen by the Central Bank of Brazil (BCB), its user base predominantly comprises Brazilian citizens. Consequently, GoPIX's activities are primarily confined to the Brazilian landscape.
The GoPIX Malware Infection Chain
GoPIX infections originate from threatening websites that are promoted through deceptive ads, a technique known as malvertising, here combined with search engine poisoning. Currently, the malware is acquired from one of two sources, with the selection depending on whether the victim's device has port 27275 open.
This particular port is typically associated with a legitimate and secure banking product. In instances where this software is absent on the targeted system, an NSIS installer package is retrieved, containing PowerShell scripts and additional components. This initiates the infection chain, ultimately leading to the deployment of GoPIX. However, if the specific software is present, a ZIP archive is downloaded, within which an LNK file holds a PowerShell script that further propels the infection chain.
As mentioned earlier, GoPIX functions as a clipper-type malware. This category of malware monitors the contents copied into the clipboard (the copy-paste buffer) and replaces them with different information, ultimately altering what is pasted.
In the case of GoPIX, it specifically scans for Pix transfers. When it detects a payment request, it intervenes by substituting the data, effectively redirecting the transaction to the cybercriminals. Notably, the information used by the attacker is not hardwired into the malware but is flexible and retrieved from a Command and Control (C&C) server.
Additionally, GoPIX operates as a clipper that targets cryptocurrency wallet addresses, a more common variant. However, in this case, the Bitcoin and Ethereum wallet addresses are predetermined, in contrast to the Pix data, which is dynamically manipulated.
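As a defender-side illustration of the substitution described above, the following added example (not code from the article or from any GoPIX analysis) compares a Pix "Copia e Cola" payload as the user copied it with the version about to be pasted and reports the field changes a clipper would make. It assumes the public EMV TLV layout of static Pix payloads; the Pix keys and receiver names are constructed placeholders.

```python
# Added example, not from the article: compare a Pix "Copia e Cola" payload as the
# user copied it with what is about to be pasted and flag the changes a clipper makes.
# Format: EMV TLV (2-digit tag, 2-digit length, value); tag 26 sub-tag 01 = Pix key,
# tag 59 = receiver name, tag 63 = CRC16-CCITT over all preceding characters.
def crc16_ccitt(data: bytes) -> int:
    """CRC16-CCITT (poly 0x1021, init 0xFFFF), the checksum EMV QR payloads use."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def parse_tlv(payload: str) -> dict:
    """Split a flat EMV TLV string into {tag: value}; raise on a truncated field."""
    fields, i = {}, 0
    while i < len(payload):
        tag, length = payload[i:i + 2], int(payload[i + 2:i + 4])
        value = payload[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"truncated field {tag}")
        fields[tag], i = value, i + 4 + length
    return fields

def build_payload(pix_key: str, receiver: str) -> str:
    """Constructed static Pix payload (placeholder key and name) with a valid CRC."""
    account = f"0014br.gov.bcb.pix01{len(pix_key):02d}{pix_key}"
    body = ("000201" f"26{len(account):02d}{account}" "52040000" "5303986" "5802BR"
            f"59{len(receiver):02d}{receiver}" "6009SAO PAULO" "62070503***" "6304")
    return body + f"{crc16_ccitt(body.encode()):04X}"

def pix_summary(payload: str) -> dict:
    """Return the fields a redirected payment would have to change, plus CRC status."""
    top = parse_tlv(payload)
    # The CRC in tag 63 covers everything before its own 4 hex digits
    crc_ok = int(top.get("63", "0"), 16) == crc16_ccitt(payload[:-4].encode())
    account = parse_tlv(top.get("26", ""))
    return {"crc_ok": crc_ok, "pix_key": account.get("01"), "receiver": top.get("59")}

def detect_swap(copied: str, pasted: str) -> list:
    """Reasons to treat the clipboard content as tampered; empty if unchanged."""
    if copied == pasted:
        return []
    a, b = pix_summary(copied), pix_summary(pasted)
    reasons = [] if b["crc_ok"] else ["pasted payload fails CRC check"]
    for field in ("pix_key", "receiver"):
        if a[field] != b[field]:
            reasons.append(f"{field} changed: {a[field]} -> {b[field]}")
    return reasons or ["payload changed outside key/receiver fields"]
```

A clipper that fetches its replacement data from a C&C server, as the article describes, will typically supply a well-formed payload with a correct CRC, so the key and receiver comparison is the check that matters; the CRC check only catches crude in-place edits.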
The GoPIX Malware Could Be Spread Through Fraudulent Advertisements
GoPIX has been observed to propagate through malvertising campaigns, specifically involving a form of search engine optimization (SEO) poisoning. This tactic entails manipulating the top search results, typically ads, that appear when a specific query is entered into a search engine. These altered results redirect users to malicious websites.
In these cases, the chosen search query was 'WhatsApp web,' and the advertisements presented as the top results led to or initiated chains of redirection to malicious Web pages. Notably, the websites known for disseminating GoPIX employed legitimate tools to filter their visitors, ensuring only genuine users could access the content while thwarting bots. These deceptive pages were crafted to resemble the official WhatsApp website.
It's essential to acknowledge that GoPIX can also be distributed through alternative methods. Phishing and social engineering techniques are commonly utilized in the proliferation of this malware. Typical distribution avenues encompass stealthy drive-by downloads, the inclusion of malicious attachments or links in spam messages (e.g., emails, private messages, text messages, etc.), online scams, malvertising, suspicious download sources (such as freeware and free file-hosting platforms, peer-to-peer sharing networks, etc.), illegal software cracking tools, and fake software update prompts.