Cybersecurity researchers at Trustwave’s SpiderLabs have issued a warning about a new banking trojan targeting bank customers in Brazil. Dubbed Eternidade Stealer (Portuguese for Eternity), this malware uses the popular messaging app WhatsApp to trick people and steal their private financial information.
The Attack Starts with a Simple Message
The criminals employ social engineering, starting with a personalised WhatsApp message in Portuguese, featuring greetings that adjust to the time of day (like ‘good morning’). This tactic immediately makes the message seem legitimate. Once the victim clicks the attached malicious file, a complex attack chain begins.
The threat quickly takes over the user’s WhatsApp account. The program’s first action is to rapidly steal the victim’s entire contact list, which is immediately sent to the criminal’s control server. It then automatically sends itself to all the victim’s contacts using a spreading script written in Python. This shift to Python is an important change from earlier attacks, which typically used different software.

A Highly Targeted Operation
According to Trustwave’s blog post, the Eternidade Stealer is built using Delphi, a programming language favoured by cybercriminals in Brazil for its efficiency and regional familiarity. The malware is highly localised; it only targets users whose operating system language is set to Brazilian Portuguese.
Before launching its main attack, the stealer profiles the victim’s computer, checking for security software like Windows Defender or Kaspersky to help it avoid detection. The program is also cleverly designed to get its instructions by logging into a specific email account using the IMAP protocol to fetch the current location of its control server.
Researchers were able to confirm this behaviour when they accessed the threat actor’s email account, finding the criminal was using simple, easily compromised credentials.
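A defender's view of the IMAP lookup described above, as an added example that is not from Trustwave's report: it flags IMAP/IMAPS connections made by anything other than a sanctioned mail client running from its expected install location. The log layout, the allowlist, the process paths and the addresses are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

IMAP_PORTS = {143, 993}  # standard IMAP and IMAPS ports
# Assumption: hypothetical allowlist of sanctioned mail clients and install root.
APPROVED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
APPROVED_ROOT = "c:\\program files"  # also matches "Program Files (x86)"

# Constructed sample telemetry (not real data):
# time, host, process image, destination IP, destination port
SAMPLE_LOG = r"""
2025-01-01T09:00:01Z,WS-01,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,203.0.113.10,993
2025-01-01T09:00:05Z,WS-02,C:\Users\ana\AppData\Local\Temp\updater_example.exe,198.51.100.7,993
2025-01-01T09:00:09Z,WS-02,C:\Users\ana\AppData\Local\Temp\updater_example.exe,198.51.100.7,993
2025-01-01T09:01:00Z,WS-03,C:\Program Files\Mozilla Thunderbird\thunderbird.exe,203.0.113.10,143
2025-01-01T09:02:00Z,WS-03,C:\Windows\System32\svchost.exe,192.0.2.44,443
2025-01-01T09:03:00Z,WS-04,C:\Users\rui\Downloads\outlook.exe,198.51.100.7,993
"""


def is_sanctioned_client(image):
    """True only for an allowlisted client name running from the approved root."""
    lowered = image.lower()
    name = lowered.rsplit("\\", 1)[-1]
    return name in APPROVED_MAIL_CLIENTS and lowered.startswith(APPROVED_ROOT)


def find_unexpected_imap(log_text):
    """Map (host, image) to the IMAP destinations contacted by non-mail processes."""
    hits = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _ts, host, image, dest_ip, port = row
        if not port.isdigit() or int(port) not in IMAP_PORTS:
            continue  # not IMAP traffic
        if is_sanctioned_client(image):
            continue  # expected mail client in its expected location
        hits[(host, image)].append((dest_ip, int(port)))
    return dict(hits)


if __name__ == "__main__":
    for (host, image), dests in find_unexpected_imap(SAMPLE_LOG).items():
        print(f"{host}: {image} made {len(dests)} IMAP connection(s) to {sorted(set(dests))}")
```

Matching on file name and path alone can be defeated by a binary placed under the approved root, so production rules would also check the publisher signature.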

Stealing From Banks and Wallets
Once active, the malware is programmed to watch for a long list of financial targets. It actively scans for applications linked to major Brazilian banks (like Itaú, Bradesco, and Caixa Econômica Federal), popular payment services (such as MercadoPago), and even cryptocurrency wallets and exchanges, including MetaMask, Trust Wallet, and Binance.
When a victim opens one of these targeted applications, the stealer deploys a fake screen, known as an overlay, that looks exactly like the login page. The victim unknowingly enters their sensitive information into this fake form, sending their credentials directly to the criminals.
To stay safe, be cautious of any unexpected messages or attachments, even if they appear to be from a known contact. If you receive a suspicious file, never open it; instead, call or text the supposed sender on a different platform to confirm they actually sent it.
