Kaspersky Reveals: GoPIX Targets Brazil’s Rising PIX System

GoPIX malware

The burgeoning popularity of Brazil’s instant payment system, PIX, has caught the attention of cybercriminals, who have begun deploying malicious software called ‘GoPIX’ to illicitly garner profits.

Kaspersky Lab, monitoring this malicious campaign since December 2022, has reported that the attacks are orchestrated via malicious advertisements shown to users searching for ‘WhatsApp Web’ in search engines. Clicking on such an advertisement redirects the user to a malicious software page.

As observed in various other advertising campaigns, users clicking on the phishing advertisement are rerouted through a cloaking service designed to filter out ‘sandbox’ environments, bots, and other entities, targeting only genuine potential victims.

Interestingly, the malware can be downloaded from two distinct URLs, contingent on whether port 27275 is open on the user’s computer.

This port is used by the Avast safe banking software. If this software is detected, a ZIP file is downloaded that contains an LNK file embedding an obfuscated PowerShell script that downloads the next stage.

If the port is closed, an NSIS setup package is downloaded instead. The check is therefore a deliberate extra step built into the delivery chain to evade security software and still get the malware onto the machine.

The installer’s main job is to extract and run the GoPIX payload using a technique known as ‘Process Hollowing’: the attackers start the system process ‘svchost.exe’ in a suspended state and then inject the malicious code into it.
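The launch pattern described above is visible in process-creation telemetry. As an added illustration (not code from Kaspersky’s report), the following Python flags svchost.exe launches whose parent is something other than services.exe or that lack the `-k` service-group argument a genuine service host is started with; field names follow Sysmon Event ID 1, the sample records are constructed, and the trusted-parent set is an assumption to adjust per environment.

```python
# Added example, not from Kaspersky's report: flag svchost.exe launches that
# fit the process-hollowing pattern. Field names follow Sysmon Event ID 1.

# Assumption: in a stock Windows install every legitimate svchost.exe is a
# child of services.exe. Extend this set if your environment differs.
TRUSTED_SVCHOST_PARENTS = {"c:\\windows\\system32\\services.exe"}

# Constructed sample telemetry: one benign launch, two hollowing candidates.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\setup.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe"},
]


def svchost_anomalies(event: dict) -> list[str]:
    """Reasons a process-creation record looks like a hollowed svchost.exe
    (empty list = nothing stood out)."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\svchost.exe"):
        return []  # only svchost.exe launches are in scope
    reasons = []
    parent = event.get("ParentImage", "").lower()
    if parent not in TRUSTED_SVCHOST_PARENTS:
        reasons.append(f"unexpected parent {event.get('ParentImage')}")
    # A genuine service host is started with a '-k <group>' argument; a copy
    # spawned suspended just to receive injected code usually is not.
    if "-k" not in event.get("CommandLine", "").lower().split():
        reasons.append("missing -k service-group argument")
    return reasons


def hunt(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run the check over a batch; returns (parent image, reasons) per hit."""
    return [(e.get("ParentImage", ""), r) for e in events if (r := svchost_anomalies(e))]


if __name__ == "__main__":
    for parent, reasons in hunt(SAMPLE_EVENTS):
        print(f"ALERT svchost.exe started by {parent}: {'; '.join(reasons)}")
```

Running it on the sample records prints two alerts (the setup.exe and powershell.exe parents) and stays quiet on the services.exe launch.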

GoPIX is clipboard-stealing malware: it intercepts PIX payment requests placed in the clipboard and substitutes attacker-controlled data for them.

“GoPIX is a typical clipboard stealer malware that steals PIX ‘transactions’ used to identify payment requests and replaces them with a malicious (attacker-controlled) one which is retrieved from the C2. The malware also supports substituting Bitcoin and Ethereum wallet addresses,” researchers have reported. “However, these are hardcoded in the malware and not retrieved from the C2. GoPIX can also receive C2 commands, but these are only related to removing the malware from the machine.”

Notably, the campaign examined by Kaspersky Lab is not the only one targeting users who search for web versions of messaging apps such as WhatsApp or Telegram.

For instance, in a recent campaign detected by Malwarebytes researchers in Hong Kong, attackers tried to coax users into scanning QR codes on specially crafted phishing pages to access the web version of WhatsApp; doing so gave the attackers full access to the victims’ chat histories and saved contacts.

Such accounts underscore the adaptability of cybercriminals, seizing new opportunities to deceive individuals. No matter how beneficial a technology may seem, it can be easily manipulated for nefarious purposes, exploiting human carelessness.

Always be cognizant of online perils and exercise heightened vigilance to avoid falling prey to cybercriminal schemes.