Javali

Malware Profile Updated 25 days ago
Javali is a multistage malware family that has been active since November 2017, primarily targeting customers of financial institutions in Portuguese- and Spanish-speaking countries, with a particular focus on Brazil and Mexico. Part of a group of Brazilian banking trojans that also includes Guildma, Melcoz, and Grandoreiro, Javali is an example of a Brazilian banking operation expanding its attacks abroad. It distributes its initial payload via phishing emails, either as an attachment or as a link to a website, and uses allowlisted and signed binaries, Microsoft Installer (MSI) files, and DLL hijacking to infect victims en masse, while restricting its targeting by country.

On February 26, 2024, cybersecurity researchers warned about a spike in email phishing campaigns abusing the Google Cloud Run service to deliver various banking trojans, including Astaroth (aka Guildma), Mekotio, and Ousaban (aka Javali), across Latin America and Europe. Notably, the Grandoreiro malware family, which includes strains such as Javali, Casbaneiro, Mekotio, and Grandoreiro itself, has been active for years. These families share a lineage: a Delphi-based ancestor from which source code components have been passed down and modified through generations.

The widespread success of these attacks can be attributed to a lack of user awareness of phishing and malware threats, which results in a higher number of victims who unknowingly click and are infected. As more of the general population gains access to online banking, the pool of potential victims grows. Javali, along with the related malware variants, has evaded detection by using modular installers and by adopting third-party libraries such as IndyProject for communication with its C2 infrastructure. After deobfuscation, Javali was found to be specifically looking for Mexican bank customers.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: Grandoreiro (4 votes)
Profile Description: Grandoreiro is a malicious software (malware) that has been in operation since at least 2017, initially targeting Spanish-speaking countries. It is part of a group of Brazilian banking malware operations, which includes Guildma, Javali, and Melcoz, that have expanded their attacks globally, focusing
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Phishing
Banking
Payload
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Javali malware was read from the document corpus below. This display is limited to 20 results.
Source (created) : Title
MITRE (a year ago): The Tetrade: Brazilian banking malware goes global
CERT-EU (a year ago): Over 90K credentials stolen by Mispadu trojan in LatAm attacks
CERT-EU (3 months ago): Banking Trojans Target Latin America and Europe Through Google Cloud Run
DARKReading (7 months ago): Hola Espana: 'Grandoreiro' Trojan Targets Global Banking Customers
InfoSecurity-magazine (7 months ago): New Grandoreiro Malware Variant Targets Spain
CERT-EU (7 months ago): From Copacabana to Barcelona: The Cross-Continental Threat of Brazilian Banking Malware