New banking trojan “CarnavalHeist” targets Brazil with overlay attacks
Essential information
- Published: 31/05/2024 14:27
- Modified: 31/05/2024 15:03
- Tags: 2024-05-31 access_pc_client.dll banking brazil carnavalheist keylogging overlay trojan
- Related entities: 61 observables, 1 intrusion sets (apt), 2 malware, 2 others
Description
Cisco Talos has been observing an active campaign targeting Brazilian users with a new banking trojan dubbed 'CarnavalHeist'. The malware employs common tactics like financial-themed spam emails, Delphi-based DLLs, overlay attacks, and input capture techniques like keylogging and screen capture. However, it uniquely uses a Python-based loader for DLL injection and specifically targets Brazilian banking applications. Talos attributes the development and operation of CarnavalHeist to Brazilian actors identified through operational mistakes during domain registration. The campaign has been active since at least February 2024, and the trojan is still under active development.