Javali is a multistage banking malware family, active since November 2017, that primarily targets customers of financial institutions in Portuguese- and Spanish-speaking countries, with a particular focus on Brazil and Mexico. Alongside Guildma, Melcoz, and Grandoreiro, it belongs to a group of Brazilian banking trojans whose operators have expanded their attacks abroad. Javali delivers its initial payload through phishing emails, either as an attachment or as a link to a website, and relies on allowlisted and signed binaries, Microsoft Installer (MSI) files, and DLL hijacking to infect victims at scale while filtering its targets by country.
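The DLL hijacking mentioned above exploits the Windows loader's search order: for DLLs that are not on the KnownDLLs list, the application's own directory is searched before System32, so an attacker-supplied DLL named after a system library and placed beside a trusted executable gets loaded instead of the real one. The following is an added hunting heuristic written for this page, not code from Javali or from any vendor report; the set of system DLL names is an assumed, hand-picked subset, and the directory tree it scans is constructed inline as sample input.

```python
"""Hunt for DLL search-order hijacking (side-loading) candidates.

Added example: flags any DLL carrying a well-known Windows system DLL name
that sits in the same directory as an .exe. Legitimate software rarely
ships its own copy of such DLLs, so a hit is worth triaging (check the
signer and hash of the DLL). The name list below is an assumption, a small
hand-picked subset, not a list taken from the page.
"""
import os
import tempfile
from pathlib import Path

# Assumed subset of Windows DLL names commonly abused for side-loading.
SUSPICIOUS_SIDELOAD_NAMES = {
    "version.dll", "dwmapi.dll", "wininet.dll", "cryptbase.dll",
    "uxtheme.dll", "propsys.dll", "msimg32.dll",
}


def find_sideload_candidates(root: str) -> list:
    """Return sorted (executable_path, dll_path) pairs found under root.

    A pair is reported when a file whose lower-cased name is in
    SUSPICIOUS_SIDELOAD_NAMES shares a directory with at least one .exe.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Map lower-cased names back to their on-disk spelling (NTFS is
        # case-insensitive, so "Version.DLL" must still match).
        by_lower = {name.lower(): name for name in filenames}
        exes = [n for n in by_lower if n.endswith(".exe")]
        if not exes:
            continue
        for dll in by_lower:
            if dll in SUSPICIOUS_SIDELOAD_NAMES:
                for exe in exes:
                    findings.append((os.path.join(dirpath, by_lower[exe]),
                                     os.path.join(dirpath, by_lower[dll])))
    return sorted(findings)


def build_sample_tree(base: Path) -> None:
    """Constructed sample input: one clean install and one staged install.

    File contents are placeholders, not real PE images.
    """
    clean = base / "Clean App"
    clean.mkdir(parents=True)
    (clean / "app.exe").write_bytes(b"MZ")
    (clean / "app.dll").write_bytes(b"MZ")  # app-private DLL, not a system name

    staged = base / "Staged App"
    staged.mkdir(parents=True)
    (staged / "signed_host.exe").write_bytes(b"MZ")  # stands in for a signed, allowlisted binary
    (staged / "Version.DLL").write_bytes(b"MZ")      # attacker DLL named after a system DLL


def demo() -> list:
    """Scan the constructed tree; returns findings as POSIX paths relative to the temp root."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return [
            (Path(os.path.relpath(exe, tmp)).as_posix(),
             Path(os.path.relpath(dll, tmp)).as_posix())
            for exe, dll in find_sideload_candidates(tmp)
        ]


if __name__ == "__main__":
    for exe, dll in demo():
        print(f"side-load candidate: {dll} next to {exe}")
```

Run it against a real machine by pointing `find_sideload_candidates` at Program Files, user profile and temp directories; the heuristic produces leads, not verdicts, so each hit should be confirmed by checking the DLL's Authenticode signature and comparing its hash against the genuine System32 copy.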
On February 26, 2024, security researchers warned of a spike in email phishing campaigns abusing the Google Cloud Run service to deliver banking trojans such as Astaroth (aka Guildma), Mekotio, and Ousaban (aka Javali) across Latin America and Europe. Notably, the Grandoreiro malware family, which includes strains such as Javali, Casbaneiro, Mekotio, and Grandoreiro itself, has been active for years. These families share a lineage: a Delphi-based ancestor from which source code components have been passed down and modified across generations.
The widespread success of these attacks is largely attributable to limited user awareness of phishing and malware, which leaves more victims clicking on lures without realising it. As more of the population gains access to banking and online services, the pool of potential victims grows. Javali, like related families, has evaded detection by using modular installers and by adopting third-party libraries such as the Indy Project (a Delphi networking library) for communication with its command-and-control (C2) server. After deobfuscation, Javali was found to be specifically looking for Mexican bank customers.
Description last updated: 2024-05-04T19:48:17.247Z