Operations originating in Brazil continue to target banking credentials across Spanish-speaking regions using highly self-propagating and evasive delivery mechanisms.
While other regions are often associated with large-scale cryptocurrency incidents or specialized surveillance software, Brazil has developed a prominent ecosystem for banking malware. Threat actors in the region consistently develop financial trojans at a rapid pace, challenging security analysts to track their evolving methodologies.
The cybercrime operation tracked as Water Saci, or Augmented Marauder, has been central to this activity for several years. Recently, the group has divided its resources between two financially motivated campaigns. One campaign operates over WhatsApp, focuses primarily on Brazil, and has been monitored by researchers since last year.
Security firm BlueVoyant has now identified a parallel campaign operating via email, extending its reach through Latin America and Spain. This latest iteration of Water Saci's methodology features self-propagating capabilities, techniques to bypass email security controls, and mechanisms for financial data theft.
"This threat group seems as if they have a campaign that they try to launch [roughly] every quarter, and they keep changing it, so it's pretty clear whoever this is [is] very active [and] their end goal is to get access to users' bank accounts within the Latin American region," notes Thomas Elkins, SOC security analyst for BlueVoyant. "To me, it's clear that they're going to keep ramping up."
A self-propagating banking campaign
At first glance, an Augmented Marauder campaign follows familiar social engineering patterns. Recipients receive a standardized email notification referencing a vague, pending judicial summons. Users who interact with the provided link are directed to a landing page that downloads a malicious ZIP file. However, each step in this sequence includes specific mechanisms designed to evade detection or help propagation to new environments.
The file attached to the phishing email is password-protected, which adds a layer of superficial legitimacy and can obscure the contents from secure email gateways (SEGs). Additionally, the ZIP file name is randomized for each recipient, creating an obstacle for signature-based detection tools.
The most notable characteristic is the method used to distribute the judicial summons email. A script deployed later in the execution sequence, a tool identified as Horabot, is engineered to interact with the affected user's email account for self-propagation. It retrieves and filters the user's contacts, then distributes a new wave of phishing emails to these potential targets, attaching a modified version of the judicial summons file secured with a newly generated password.
This self-propagating element presents distinct challenges for defenders. Because new targets receive social engineering emails from recognized contacts, they may be more likely to open the attachments. This trusted sender relationship also reduces the likelihood of the emails being quarantined by standard email security solutions.
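A defender-side illustration of the pattern described above, added here and not part of the original article or BlueVoyant's research: it scans constructed mail-gateway log lines for a single account bursting encrypted ZIP attachments with per-recipient randomized names to many distinct contacts in a short window. The log format, field names and thresholds are assumptions for this example.

```python
"""Flag mailboxes whose outbound traffic looks like Horabot-style self-propagation:
one sender, many distinct recipients, encrypted ZIP attachments, a different
filename per recipient, all within a short window. Log layout and thresholds
are assumptions for this example, not a real gateway format."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class MailEvent(NamedTuple):
    ts: datetime
    sender: str
    recipient: str
    attachment: str
    encrypted: bool


# Constructed sample gateway log: "timestamp|sender|recipient|attachment|encrypted"
SAMPLE_LOG = """\
2024-05-02T09:00:01|ana@example.com|joao@example.net|Intimacao_7f3a9c.zip|1
2024-05-02T09:00:04|ana@example.com|maria@example.org|Intimacao_b12e0d.zip|1
2024-05-02T09:00:09|ana@example.com|luis@example.com|Intimacao_c9e441.zip|1
2024-05-02T09:00:12|ana@example.com|pedro@example.net|Intimacao_0a7d5e.zip|1
2024-05-02T09:00:15|ana@example.com|sofia@example.org|Intimacao_e5b2f1.zip|1
2024-05-02T09:30:00|carlos@example.com|ana@example.com|relatorio_q2.zip|0
2024-05-02T11:15:00|dani@example.com|equipe@example.com|fotos.zip|1
"""


def parse_log(text: str) -> list[MailEvent]:
    """Parse the pipe-delimited sample format into MailEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, att, enc = line.split("|")
        events.append(MailEvent(datetime.fromisoformat(ts), sender, rcpt, att, enc == "1"))
    return events


def find_propagation_bursts(events, window=timedelta(minutes=10), min_recipients=4):
    """Return {sender: recipients} for senders whose encrypted-ZIP mails within
    `window` reach at least `min_recipients` distinct contacts using at least
    that many distinct attachment names (the per-recipient randomization)."""
    by_sender = defaultdict(list)
    for e in events:
        if e.encrypted and e.attachment.lower().endswith(".zip"):
            by_sender[e.sender].append(e)
    flagged = {}
    for sender, evs in by_sender.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):  # sliding window over each sender's sends
            span = [e for e in evs[i:] if e.ts - start.ts <= window]
            rcpts = {e.recipient for e in span}
            names = {e.attachment for e in span}
            if len(rcpts) >= min_recipients and len(names) >= min_recipients:
                flagged[sender] = rcpts
                break
    return flagged
```

A hit on a mailbox that is a legitimate internal user is the signal to check that account for compromise, since the sends originate from the victim's own identity rather than attacker infrastructure.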
"And it's pretty smart because it makes it harder to identify where the attack actually originated from," Elkins points out. Between the self-propagating emails and the automated WhatsApp messages in their concurrent Brazilian campaign, "they're finding new ways to automate their attack chains to not just rely on an attacker-based account." This approach complicates the task of identifying infrastructure controlled by the threat actors.
The limitations of banking trojans
The ultimate objective of this activity is the deployment of Casbaneiro, a traditional banking trojan that activates when affected users access online cryptocurrency or financial service providers. Its target list is extensive, encompassing major institutions in Central and South America, such as Santander and Banco do Brasil, as well as payment and cryptocurrency platforms like Binance. Following established patterns, the malware uses screen overlays to simulate legitimate login portals, capturing keystrokes and credential data.
For Elkins, the continued reliance on Brazilian banking trojans is notable. "It's interesting that they're still hung up on banking Trojans, because a lot of time these newer threat actors are focusing on: How do we gain access to this customer's network? How do we start infiltrating exfiltrating data? How can we use ransomware to get paid?" he observes.
While banking trojans represent a direct method for financial theft, modern endpoint protections are increasingly effective at mitigating them. "I don't think most of the banking Trojans succeed at this point, in today's environment, because they're so easy to attack now," Elkins says.
Organizations with standard, up-to-date cybersecurity controls are well-positioned to defend against these campaigns. "They're getting caught more easily. I mean, Windows Defender itself has so many different rule sets for catching AutoIT executables [like those used by Water Saci] and stopping that behavior," he notes. "That's why, a lot of the time in my research, we don't see it get all the way to the end in the customer's environment. It's usually stopped at the email stage."
About the author
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries," the most popular podcast in cybersecurity, and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.