Tags: malware, high, Banking Trojan, Malvertising, Memory-only Malware, GoPix

Mar 16, 2026 • GReAT

Free real estate: GoPix, the banking Trojan living off your memory

Source: Kaspersky Securelist
Category: malware
Severity: high

Executive Summary

Kaspersky researchers have identified GoPix, a sophisticated Brazilian banking Trojan targeting financial institution customers and cryptocurrency users. This malware employs memory-only implants and living-off-the-land binaries to evade detection and digital forensics. Infection occurs via malvertising campaigns on Google Ads, leveraging obfuscated PowerShell scripts and stolen code signing certificates. GoPix conducts man-in-the-middle attacks to monitor Pix transactions and manipulate cryptocurrency transfers. The threat actors utilize anti-fraud services to filter sandbox environments, ensuring only high-value victims are compromised. While distinct from families like Grandoreiro, GoPix represents a significant evolution in Brazilian cybercrime sophistication. Organizations should enhance endpoint detection to monitor memory-resident threats and verify software installation sources. Financial institutions must strengthen transaction monitoring against manipulation tactics. The campaign remains active, highlighting the need for robust security postures against advanced persistent threats utilizing legitimate infrastructure for malicious delivery. Users should avoid unofficial software downloads.

Summary

Kaspersky GReAT experts describe the unprecedentedly complex Brazilian banking Trojan GoPix that employs memory-only implants, Proxy AutoConfig (PAC) files for man-in-the-middle attacks, and malvertising via Google Ads.

Published Analysis

Introduction

GoPix is an advanced persistent threat targeting the customers of Brazilian financial institutions and cryptocurrency users. It represents an evolved threat against internet banking users, built on memory-only implants and obfuscated PowerShell scripts. It evolved from the RAT and Automated Transfer System (ATS) threats used in other malware campaigns into a unique threat never seen before.

Operating as a LOLBin (Living-off-the-Land Binary), GoPix exemplifies a sophisticated approach that integrates malvertising vectors via platforms such as Google Ads to compromise the customers of prominent financial institutions. Our extensive analysis reveals GoPix's capabilities to execute man-in-the-middle attacks, monitor Pix transactions and Boleto slips, and manipulate cryptocurrency transactions. The malware strategically bypasses security measures implemented by financial institutions while maintaining persistence and employing robust cleanup mechanisms to challenge Digital Forensics and Incident Response (DFIR) efforts. GoPix has reached a level of sophistication never before seen in malware originating in Brazil. It has been over three years since we first identified it, and it remains highly active. The threat is recognized for its stealthy methods of infecting victims and evading detection by security software, using new tricks to stay operable. Its behavior differs from the RATs already seen in other Brazilian families, such as Grandoreiro. GoPix uses C2s with a very short lifespan, which stay online only for a few hours. In addition, the attackers behind this threat abuse legitimate anti-fraud and reputation services to perform targeted delivery of the payload and to ensure that they have not infected a sandbox or a system used for analysis. They handpick their victims: financial bodies of state governments and large corporations. The campaign leverages a malvertising technique that has been active since December 2022. The strategic use of multiple obfuscation layers and a stolen code signing certificate showcases GoPix's ability to evade traditional security defenses and to steal and manipulate sensitive financial data.

The Brazilian group behind GoPix is clearly learning from APT groups in how to make malware persistent and hidden: loading its modules into memory, keeping few artifacts on disk, and making hunting with YARA rules ineffective at capturing them. The malware can also switch between processes for specific functionalities, potentially disabling security software, and it executes a man-in-the-middle attack with a previously unseen technique.

Initial infection

Initial infection is achieved through malvertising campaigns. In most cases the threat actors use Google Ads to spread baits related to popular services such as WhatsApp, Google Chrome, and the Brazilian postal service Correios, luring victims to malicious landing pages. We have been monitoring this threat since 2023, and it continues to be very active for the time being.

[Figure: GoPix malware campaign detections]

[Figure: Initial infection vector]

When the user ends up on the GoPix landing page, the malware abuses legitimate IP scoring systems to determine whether the user is a target of interest or a bot running in a malware analysis environment. The initial scoring is done through a legitimate anti-fraud service: a number of browser and environment parameters are sent to this service, which returns a request ID. The malicious website uses this ID to check whether the user...
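The analysis above notes that GoPix performs its man-in-the-middle attack through a Proxy AutoConfig (PAC) file. A PAC script is plain JavaScript, so a defender can audit a suspicious one by evaluating it against a watch list of financial URLs and reporting which of them it silently routes through a proxy while everything else stays DIRECT. The following is an added example, not code from the Kaspersky article or from the GoPix samples; the PAC source, the proxy address (203.0.113.10) and the bank-style hostnames are constructed for illustration.

```javascript
// Minimal stand-ins for the PAC helper functions a browser normally provides.
function pacHelpers() {
  const escapeRe = (s) => s.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return {
    dnsDomainIs: (host, domain) => host.endsWith(domain),
    // Shell-style wildcard match: "*" -> ".*", "?" -> "."
    shExpMatch: (str, pat) =>
      new RegExp("^" + escapeRe(pat).replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(str),
    isPlainHostName: (host) => !host.includes("."),
    isInNet: () => false, // assumption: not needed for this audit
    myIpAddress: () => "127.0.0.1",
  };
}

// Evaluate FindProxyForURL from an untrusted PAC source and return every watched
// URL that is NOT served DIRECT. A selective proxy verdict on banking hosts is the
// signal a defender is looking for. (new Function is used for brevity; a hardened
// tool would evaluate the PAC in an isolated sandbox such as a separate process.)
function auditPac(pacSource, watchedUrls) {
  const helpers = pacHelpers();
  const names = Object.keys(helpers);
  const findProxy = new Function(...names, pacSource + "\nreturn FindProxyForURL;")(
    ...names.map((n) => helpers[n])
  );
  const findings = [];
  for (const url of watchedUrls) {
    const host = new URL(url).hostname;
    const verdict = String(findProxy(url, host)).trim();
    if (!/^DIRECT$/i.test(verdict)) findings.push({ url, verdict });
  }
  return findings;
}

// Constructed PAC in the style described: only bank-like hosts are proxied,
// so general browsing shows nothing unusual.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.example-bank.com.br") || dnsDomainIs(host, "pix.example.br"))
    return "PROXY 203.0.113.10:8080";
  return "DIRECT";
}`;

// Constructed watch list: two financial hosts and one unrelated site.
const WATCHED = [
  "https://www.example-bank.com.br/login",
  "https://pix.example.br/",
  "https://www.example.org/",
];
```

Running `auditPac(SAMPLE_PAC, WATCHED)` flags only the two financial URLs, each with the proxy verdict the PAC returned for it.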

Linked Entities

  • GoPix