XPCTRA Malware Description
The XPCTRA Malware is a banking malware strain deployed predominantly against Brazilian users. It has the core capabilities expected of a threat of this type: XPCTRA can collect user credentials for multiple financial institutions, including two major Brazilian banks. Its capabilities go well beyond that, however, as it also harvests credentials for online crypto-wallet and payment services including Blockchain.info, PerfectMoney and Neteller. Furthermore, it establishes a backdoor channel by dropping a RAT (Remote Access Trojan).
For its initial attack vector, XPCTRA relies on phishing emails that claim to carry important banking bills for the user. The bill is fake, of course: when the supposed PDF invoice is executed, a malicious dropper is downloaded to the user's computer instead. The dropper acts as a first-stage payload tasked with delivering a .zip archive containing the main XPCTRA payload.
Once inside the targeted system, the banking malware creates a persistence mechanism for itself and installs the HTTP proxy tool Fiddler. This tool allows XPCTRA to monitor and intercept the user's access to the targeted financial institutions. All stolen credentials are exfiltrated to the attackers' Command-and-Control server over an unencrypted communication channel. The user's email accounts on services such as Microsoft Live, Terra, IG, and Hotmail are also compromised, and the harvested contact lists are used to spread the threat further.
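An interception proxy such as Fiddler only sees browser traffic because it registers itself as the per-user HTTP proxy on the host, so one quick defensive check is to look for proxy settings that route web traffic through a loopback listener. The following Python is an added example written for this page, not part of the original description or of any XPCTRA analysis; the sample values are constructed, and the loopback port 8888 is an assumption (Fiddler's default listener), since the page does not state which port XPCTRA's Fiddler instance uses.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of the per-user WinINET proxy values as an interception
# proxy would leave them. Assumption: loopback listener on port 8888
# (Fiddler's default); the page itself gives no port.
SUSPECT_SETTINGS: Dict[str, object] = {
    "ProxyEnable": 1,
    "ProxyServer": "http=127.0.0.1:8888;https=127.0.0.1:8888",
}
# Constructed sample of a host with no proxy configured at all.
CLEAN_SETTINGS: Dict[str, object] = {"ProxyEnable": 0, "ProxyServer": ""}


def _is_loopback(host: str) -> bool:
    """True for localhost, 127.x.x.x or ::1 (with or without IPv6 brackets)."""
    host = host.strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname, not an address
        return False


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Parse WinINET ProxyServer syntax: 'host:port' or 'scheme=host:port;...'.
    A bare 'host:port' applies to all protocols and is keyed as '*'."""
    proxies: Dict[str, str] = {}
    for entry in filter(None, value.split(";")):
        if "=" in entry:
            scheme, target = entry.split("=", 1)
        else:
            scheme, target = "*", entry
        proxies[scheme.strip().lower()] = target.strip()
    return proxies


def loopback_proxy_findings(settings: Dict[str, object]) -> List[str]:
    """Return one finding per protocol routed through a loopback proxy."""
    if int(settings.get("ProxyEnable", 0) or 0) != 1:
        return []  # proxy disabled: nothing is intercepted via this path
    findings: List[str] = []
    for scheme, target in parse_proxy_server(str(settings.get("ProxyServer", ""))).items():
        hostport = target.split("://", 1)[-1]  # drop an optional 'http://' prefix
        host = hostport.rsplit(":", 1)[0]      # keep the host, drop the port
        if _is_loopback(host):
            findings.append(f"{scheme} traffic proxied through loopback listener {hostport}")
    return findings
```

A developer's own local debugging proxy triggers the same finding, so treat a hit as a lead to correlate with the process owning the listener and with persistence entries, not as a verdict on its own.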
XPCTRA doesn't limit itself to credential theft. It extends its capabilities by delivering a RAT (Remote Access Trojan) known as Quasar RAT to the compromised victim. Through this channel, the attackers can download additional payload modules, deploy keyloggers, exfiltrate selected files, and more.