A new trojan called Maxtrilha aims to steal financial information from a total of 39 banks in Europe and Latin America. Among the companies on the list of the virus's targets, at least three are Brazilian: Caixa Econômica Federal, Bradesco and BBVA.

Active since the beginning of September, the malware has about 500 identified attacks in Europe and Latin America. Like a classic trojan, it hides on the victim's machine and, as soon as the user accesses internet banking from that computer, tries to steal the banking login credentials.

“The objective is to steal access credentials, as in most trojans in Latin America”, Pedro Tavares, a researcher at the University of Beira Interior in Covilhã, Portugal, who identified Maxtrilha, explains to Olhar Digital.

“In fact, it seems to be the modus operandi used in other trojans and there could probably be code exchange or commercialization between groups. The Javali and Ursa trojans are proof of this: they infect victims in different ways, with the aim of bypassing antivirus detection, but the process of collecting data and launching banking popups is very similar to that of Maxtrilha”, he adds.

This type of malware uses a remote server to relay the user's data; it is through this server that the cybercriminals traffic the stolen information.

In the case of Maxtrilha, it is a “.com” domain called “webcindario”, which, according to Tavares, has been used by several groups in Brazil in recent years to spread phishing campaigns. In addition to Brazil, the countries affected by Maxtrilha include the United Kingdom, Mexico, Spain, Portugal, Uruguay and Ireland.

[Image: string codes of the banks affected by the Maxtrilha virus] Banks impacted by the Maxtrilha trojan include Caixa, Bradesco and BBVA, coded respectively as “internetbanking”, “acessoempresasbanca” and “bancomer” (Credits: Pedro Tavares/seguranca-informatica.pt)

How it works

According to Tavares, the virus that attacks Brazilian banks spreads in three stages. First, the criminals launch a standard phishing campaign, posing as a specific entity demanding a payment or debt settlement.

They then deliver the first executable binary, which uses the same visual template as the bank in question to lure victims. In this stage, Internet Explorer security settings are disabled and browser extensions are enabled to facilitate the download of the next stage.

[Image: Maxtrilha shutdown window] Possible "kill switch" (shutdown window) of Maxtrilha (Credit: Pedro Tavares/seguranca-informatica.pt)

In this second stage, the virus itself comes into play. Maxtrilha, says Tavares, creates persistence on the victim's machine and runs every time the computer is started. Among the malicious functions it performs are scanning email and monitoring the user's activity.

“When the trojan detects that the user opens the browser on one of the homebanking services listed in the image, it communicates with a server [in Russia] and the criminals start controlling the machine, exfiltrating information, creating fake popup windows to obtain credentials and even installing additional malware”, analyzes Tavares, who also runs the blog “Computer Security”.

[Image: Maxtrilha trojan operating cycle] Maxtrilha operating cycle (Credit: Pedro Tavares/seguranca-informatica.pt)
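The two observable traits the article attributes to the second stage, a startup persistence entry on the victim's machine and contact with the “webcindario” relay domain, are what a defender can hunt for. The script below is an added illustration written for this page, not code from Tavares's analysis or from Olhar Digital; it assumes the persistence is a Windows Run-key entry (the article does not name the mechanism), and both the Run-key export and the resolver log lines are constructed samples in a hypothetical format.

```python
import re
from typing import Dict, List

# Constructed sample of Run-key entries in the layout of a `reg query` export.
# The "updater" entry is a hypothetical user-level autostart, not a real IoC.
SAMPLE_RUN_KEYS = """\
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background
    updater     REG_SZ    C:\\Users\\victim\\AppData\\Roaming\\svc\\updater.exe
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\\system32\\SecurityHealthSystray.exe
"""

# Constructed resolver log lines (hypothetical format: timestamp client "query" name).
SAMPLE_DNS_LOG = """\
2021-09-14T10:02:11Z 10.0.0.23 query www.microsoft.com
2021-09-14T10:02:19Z 10.0.0.23 query update.webcindario.com
2021-09-14T10:03:02Z 10.0.0.41 query www.caixa.gov.br
"""

# Directories a user-level dropper can write to without admin rights; a
# legitimate installer rarely registers an autostart binary from here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\", "\\downloads\\")

# Relay domain named in the article; any label under it is treated as a hit.
SUSPICIOUS_DOMAINS = ("webcindario.com",)

RUN_ENTRY = re.compile(r"^\s+(\S+)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.+)$")


def parse_run_keys(text: str) -> List[Dict[str, str]]:
    """Turn a reg-query style export into (hive, name, command) records."""
    entries = []
    hive = None
    for line in text.splitlines():
        if line.startswith(("HKCU", "HKLM")):
            hive = line.strip()  # key header line introduces the following values
            continue
        m = RUN_ENTRY.match(line)
        if m and hive:
            entries.append({"hive": hive, "name": m.group(1), "command": m.group(3).strip()})
    return entries


def flag_persistence(text: str) -> List[str]:
    """Report autostart entries whose command lives in a user-writable directory."""
    flagged = []
    for e in parse_run_keys(text):
        if any(d in e["command"].lower() for d in USER_WRITABLE):
            flagged.append(f'{e["hive"]}\\{e["name"]} -> {e["command"]}')
    return flagged


def flag_dns(text: str) -> List[str]:
    """Report clients that resolved the relay domain or any host beneath it."""
    flagged = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or empty lines
        ts, client, _, qname = parts[:4]
        q = qname.lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in SUSPICIOUS_DOMAINS):
            flagged.append(f"{ts} {client} -> {q}")
    return flagged


if __name__ == "__main__":
    for hit in flag_persistence(SAMPLE_RUN_KEYS) + flag_dns(SAMPLE_DNS_LOG):
        print("ALERT:", hit)
```

The persistence check keys on the binary's location rather than its name, because a dropper picks its own file name but, running without admin rights, can only write to a handful of user-owned directories; the DNS check matches subdomains too, since the article describes the domain as shared infrastructure reused across campaigns.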

In the first nine months of 2020 alone, more than 20.5 million attacks were registered by viruses such as Grandoreiro, Guildma and Javali, the same family of trojans Tavares mentions. Brazil is also the fifth country with the most records of hacker attacks against companies, according to a recent survey by the German consultancy Roland Berger.

Main Image Credit: Who is Danny/Shutterstock